Update: Microsoft got back to my request for a comment or interview. See the bottom of this post for details.
I first reported on apparently widespread problems with Microsoft's Windows Update and Automatic Update services on Saturday. Since then, I've heard numerous confirmations of problems from others. I've sent e-mail to Microsoft requesting comment. Meanwhile, here's the result of some more testing I've done in the past 24 hours.
It appears that Microsoft has prioritized its download servers so that the urgent MS06-040 patch is being delivered first.
- On one virtual machine that has been running continuously for the past week, this patch was the first of eight to be successfully delivered at 6:35 AM the day after they were released. They were automatically installed via a forced restart at 3:00 AM the next morning, using the default Automatic Update settings.
- This morning I started a second virtual machine that had not been turned on for roughly a week. The yellow shield icon flashed in the taskbar and then quickly went away. Although it appeared that the update had failed, a check of Event Viewer logs showed that one and only one update - the MS06-040 patch, aka KB921883 - had been downloaded. When I clicked the Start button and chose Turn Off Computer, a shield icon showed that the update was ready to install, and a manual restart installed it immediately.
It may be just a coincidence, but both of these machines are using the Microsoft Update service rather than the generic Windows Update. Are the MU servers getting preferential treatment?
Also, if you chose the past few days to reload Windows XP on a computer, you might discover that you're unable to download any updates at all. That's the case with one test system here, and I received a report of an identical experience from a colleague this morning. The unpalatable options are to run a PC without security updates - in my case, this means doing without every update issued since Service Pack 2 was released in late 2004 - or to go out and download dozens of individual updates and apply them manually.
Speaking of SP2... Wouldn't it be convenient if Windows XP users could download all updates released since SP2 as a single package to be applied at once? Since the beginning of this year, Microsoft has made each month's security updates available as downloadable ISO images. I'd like to see an additional ISO package, updated each month, that contains all patches since the most recent service pack. It would be a lifesaver in times like this.
Update 14-Aug 3:00PM PDT: A Microsoft spokesperson replies:
After each security update release, Microsoft watches very closely to help make sure the updates are being deployed seamlessly. It is still early in the August release cycle but we have not verified any customer reports of deployment issues at this time. Customers who believe they are experiencing issues with any of the updates are urged to contact Product Support Services for no-charge support so we can be made aware of the issue and assist them.
When verified known issues are identified by customers working through Product Support Services, Microsoft updates the security bulletin and associated KB article with information and guidance regarding those known issues.
Not exactly the answer to the questions I've been asking. I sent the following note back:
The issues I noticed last week involve delays in the delivery of updates to Windows customers with the Automatic Updates feature turned on.
I have kept meticulous records of the performance of Automatic Updates on one machine in my office. From December 2004 through January 2006, it routinely received updates within a day or two of their release on Patch Tuesday. However, beginning earlier this year, my records show that updates now routinely take four days or more to arrive via Automatic Updates.
In my original post, I documented several examples of people who posted public reports of what appear to be problems with the delivery of updates via the AU mechanism. In addition, I saw many reports of problems with connecting to Windows Update. In fact, I was seeing many of those problems myself. (I've submitted a support request but have not yet heard back.)
On three of four systems in my office, one and only one of 8 available patches was delivered last week, the MS06-040 patch. The others arrived several days later.
Does Microsoft have a service policy that dictates a maximum time a customer should have to wait for updates assuming their computer is turned on and AU is enabled? Are there metrics that show what percentage of Windows customers receive updates within one day, two days, etc. of their release, typically on Patch Tuesday?
I would be very interested in speaking with someone at Microsoft about the architecture of the Windows Update process and how it works. With hundreds of millions of WU and AU requests, I can understand that some degree of staged delivery would be essential. I know my readers would be interested in an explanation of how the process works.
I'll let you know what I find out.