As we approach the 10th anniversary of Patch Tuesday in October, there is good reason to believe that the whole enterprise of keeping Microsoft products, especially Office, up to date, is too large and complex to get right. Microsoft's recent problems with their update system are not going away and are a reasonable subject for ongoing concern. Indeed, a few days ago they acknowledged yet another bug in the disastrous September update.
I spoke with Lawrence Garvin, Head Geek (yes, that's his title) at SolarWinds, which makes IT management software. Garvin has been dealing with patch management of Microsoft products for ages, and he's convinced that the Microsoft updating system is just too much to keep track of.
Garvin also points out that we don't really know a lot about how Microsoft manages their update process. The individual product teams are responsible for their own updates, but is it considered scut work, unworthy of the best engineers? Are there dedicated teams of updaters who can learn from earlier mistakes? We don't know these things. It's not like any other companies provide this level of detail, but Microsoft is different. They are, to borrow a term from Dodd-Frank, systemically important. It's reasonable to expect more of them.
The schedule of product releases over the last decade or so has conspired to create a support problem for Microsoft:
- For Windows, the support lifecycle is 10 years (extended to 12 for XP), but many users sat out Vista and will likely sit out Windows 8. Because of the Vista/Longhorn debacle (which even Steve Ballmer regrets), many customers developed a "once bitten, twice shy" attitude and are still sitting on Windows XP. Therefore, even if they were now to adopt Windows 7, seeing that 8 is not acceptable, they would have an abbreviated life cycle. Windows 7 exits extended support in January 2020.
- For Microsoft Office, a very large number of users have sat out every recent version and are still running Outlook 2003, which also exits support next April. The hardware update cycle sometimes pushes customers into updating Windows, but not necessarily Office.
The Office situation is even worse for Microsoft than the Windows one. Currently there are 4 generations of Office being supported: 2003, 2007, 2010 and 2013, not to mention the online versions in Office 365 and the Office Web Apps of earlier generations. Some vulnerability fixes can affect all versions; some are more limited in scope.
I've been tempted for some time by the idea that Microsoft should be shortening their product lifecycles. 10 years is just far too long in the Internet era, far longer than is typical for other vendors, and it keeps users running less-secure, inferior programs.
But shortening the lifecycle only works if users will actually upgrade fairly soon after new versions are available. Otherwise they don’t get enough useful life out of it to bother. Enterprises are very reluctant to upgrade, and Microsoft's leverage with them, while still high, isn't what it used to be. Microsoft has always listened carefully to the enterprise customers, which is why they have such long lifecycles and were even willing to stretch the XP lifecycle.
Instead, Microsoft's solution, at least for Office, is Office 365. It's a partial solution: the online versions are updated automatically all the time, but for the more expensive subscriptions that come with a subscription to the Office desktop versions, it's only better in that users will already have paid for the new version; they may still decide to use the old one. But Office product cycles have been rapid in recent years, so even if an enterprise skips every other version it may work out for them.
The bottom line is that Microsoft has to find a way to get enterprises to be willing to upgrade more frequently. With Software Assurance they have had the financial incentives in place for some time, but enterprise reaction to Windows 8 doesn't give the impression that it's an easy sell.