How Microsoft could save businesses time & money when it comes to patching Windows

A ZDNet reader that goes by the name of R.E. Riker posed an interesting question to me via e-mail the other day. He asked whether, given the high frequency of updates Microsoft issues for its operating systems (in his case, Windows XP), offering more frequent Service Packs or update roll-ups wouldn't be the more sensible thing to do for some of Microsoft's customers.

In my back-and-forth exchange with Riker, I learned that he maintains about 70 systems in an environment where new updates from Microsoft must be tested before they are deployed. This can't be an unusual requirement out there in the business world.

For Riker, Microsoft's monthly issue of such updates (on the second Tuesday of each month) makes such testing impractical. On the other hand, if Riker waits for Microsoft to issue the next Service Pack (which could be years), that's too long for the systems he oversees to go without certain critical updates, especially security-related ones. In his first e-mail, Riker wrote:

I would like to see Microsoft offer an option for security patch rollups at least on an annual basis (maybe semi-annually). In other words, compile an update containing all of the security patches for the past year (or half-year) that we could download, test, and then apply to our machines. I know ideally it would be better to apply the monthly updates, but that just isn't feasible for many people, myself included. But I don't want to stay completely unpatched or wait years on end for the next service pack. Trying to talk directly to Microsoft is next to impossible for us small fries. Would you be willing to maybe at least broach the topic either directly with them or through a blog? Thank you for your consideration.

I responded to Riker asking why he just doesn't turn off automatic updates and then deploy them on a less frequent basis. Riker responded:

The option to turn off automatic updates and only update manually would be fine if it were only one or two machines. Going beyond that it becomes rather inefficient considering just the bandwidth alone.

And, well, I currently support 30 XP boxes with probably 40 more yet to upgrade (that's right, we have 40+ machines on older OSs). Of course, MS's solution would be to upgrade all our PCs and set up a [Windows Server Update Services] Server. Ummh, well, first, if I had the resources for that, I probably wouldn't be here begging. Second, I have a problem with a company asking us to shell out even more money to solve coding problems in their software! [DB's note: He has a good point. According to the WSUS requirements page, Windows Server 2003 is required. In other words, keeping XP up-to-date requires additional software licensing and hardware investments, not to mention time.]

I guess what I am trying to find is some balance between not patching immediately (which just doesn't work for us for multiple reasons) and going unpatched until a service pack is released (which is too long to go unpatched). I don't feel like that is too much to ask especially in an environment where the hacking has gone professional. It was bad enough trying to cope with the script kiddies. We can't compete with professional hackers as it is, but we don't stand any chance at all with unpatched boxes. As small as we are, we've already seen some spear phishing attacks.

Finally, if he could have it his way, Riker writes:

Realistically, I don't think I could do it more than twice a year. And I am certainly open to some other mechanism as long as it is relatively user friendly and I can download it once (even if it involves multiple files, as long as that doesn't get completely out of hand like the update catalog), test it out on a machine, and then apply it to the rest of them.

So, I did what Riker asked. I checked in with Microsoft, and here's the response that was offered by a spokesperson:

Customers have many choices for servicing Windows. Windows Update is designed for customers who want to update individual PCs as Microsoft releases updates – either automatically or when the customer is ready. A second option is Windows Server Update Services, a free server role for Windows Server customers, which allows network administrators to control the distribution of updates across their network. Other options include full-featured software management tools like System Center as well as 3rd party programs.

Microsoft traditionally releases security updates on the second Tuesday of each month and encourages all customers to install them as quickly as possible. The servicing tools mentioned above are designed to make this as seamless as possible. Microsoft is in constant communication with its customers to better understand their needs and desires and builds its products and services to meet those needs.

Unfortunately, Microsoft's response will be of little consolation to Riker, who would easily fall behind if he relied on Windows Update to patch each machine individually, but on a schedule he sets (instead of Microsoft's). Furthermore, I think Riker's subtle point about who should bear the cost associated with patching numerous systems in a business environment is dead-on. After all, a good many of the patches that Microsoft issues are to deal with defects in the operating system.

I'm not saying "defect" in a negative way, nor am I derogating Microsoft for the situation. The truth is that no software -- not Windows, nor any of its competitors, nor any applications -- is without its defects. The question is, if software is defective and the customer will require it to be patched, and there's a need for something like WSUS in order to manage that patching according to business requirements (as is proven by the very existence of WSUS), then should the customer be expected to bear additional cost to get that WSUS functionality, or should it be offered for free? Or, should the customer be expected to bear the additional time and expense of acquiring, deploying, and maintaining a server on which to run WSUS? (WSUS is a free download, but Windows Server 2003 is not.)

While you contemplate that question, perhaps Microsoft will consider this suggestion, which I've sent to it through my contacts: If there was ever a great opportunity to leverage the benefits of software-as-a-service, then perhaps this is it. Why, for example, couldn't Microsoft host a multi-tenant WSUS server on the Internet for free? One that system administrators like Riker could turn to for the same WSUS functionality that they'd get if they ran WSUS locally, but without the headaches of running their own WSUS server? Would there be issues (like security) to work through? Sure. But Microsoft is capable of working through them, and to the extent that it's always looking for ways to better serve its customers -- especially the finicky small to medium businesses that are tough to satisfy -- wouldn't a hosted version of WSUS make sense?

Are you (or should you be) running a WSUS server to better manage the patching of your client systems? If Microsoft offered a cloud-based version of it -- one that was integrated into its Windows Update service in a way that allowed you to manage all of Windows' patches on your schedule -- would you take it? Or, even if you wouldn't, should you still be asked to bear the cost of running a local WSUS server even though the purpose of it is largely to manage "manufacturer defects"?

What do you think?