To address patch management issues, Microsoft is creating a new, centralized patch management architecture that it will use for all of its products. Then, it will build new versions of WU, MBSA, SUS, and the SUS Feature Pack for SMS that work off of this infrastructure. The company plans to provide these tools to customers in early 2004.
...new stuff from Microsoft. But I have been too long in this business to trust that Microsoft will produce something stable, useful and user-friendly with the first release.
And while they are centralizing their patch management, they could enhance it as well. It is still very easy to kill a complete setup by applying a patch, and the worst thing is that you cannot even roll it back! Sorry, but this looks like some PC hackers trying to understand how to manage several 10'000 computers at once.
Their tools look nice, and when you read the technical papers and then compare what you get and how difficult it is to implement (I am talking about different setups, different languages, different versions of the OS and the apps, etc.), you realize that reality does not match the stuff written on paper at all!
It is a long way to go... I hope they start improving stuff and not only selling us their internal reorganisation of patch management as the thing of all things! I understand that with this move they save a lot of trouble and money, but until this new patch architecture is in place, we have to wait several years...
“….a preliminary patch patching a preview for a permanent patch to patch the previously patchy patch-management…?”
How is this an “exclusive”? It has been reported on already elsewhere. Widely.
Is this some new meaning for the word “exclusive”? Please let me know so I can include the new definition in my next release.
… to work around bad design workarounds that work around bad design workarounds that work around bad designs.
I think they should work harder on the products… as in, avoiding creating so many problems in “shipping” products to begin with… you know, so that they don’t need so much patch management in the first place.
Oh, but I’m just a complainer, right…?
I would be curious to know who is currently handling patch management any better than MSFT does?
” I would be curious to know who is currently handling patch management any better than MSFT does?”
Sun does with Solaris as does Red Hat and Mandrake. Even Microsoft has said so. I can patch all of my servers remotely without needing a reboot, with the exception of kernel upgrades and those are rare and can be performed during scheduled maintenance.
I would be curious to know who is currently handling patch management any better than MSFT does?
From my experience: IBM and Lotus.
IBM: because they allow me to install patches on an AIX box and I can fully roll them back if anything is not okay with the patch. And if you only use Windows, then I will try to explain to you what that means: rolling something back does not mean uninstalling it the way you find it on Windows! Rolling back means: complete wipeout of the stuff, as if it never ever was installed on that system!
Lotus: just because, since I have been using Notes/Domino (boy... it is over 10 years now), I have never ever been able to destroy or mess up a Notes/Domino installation with any of their patches. And they are not so patch-hungry as Microsoft! They produce at least 4 times a year a patch/update/upgrade for Notes/Domino.
And they have a database where I can look up what kind of fixes are fixed in any of the releases they produced, and I can see what is next to be fixed. (Try to do that with MS! Just today I updated for a friend his stone-old laptop (i586 MMX 200 MHz) and guess what?? Windows Update did not work with IE 4.6 or 4.7 or something like this, don't remember the version. And after installing IE6 SP1 I had several entries in Windows Update called "Wichtiger Windows 98 Update" -> this means "Important Windows 98 Update". Sorry... but this is so intransparent that I cannot believe it! And how are you supposed to manage something when you don't know what it is, nor what it does?!? They can centralize that and make it more sexy looking and anything they want! But managing something does not mean making it easy for me to apply patches! It also means providing me with as much information as I need to manage the patching. And Microsoft is like a black box about that!)
cheers
SteveB
I would be curious to know who is currently handling patch management any better than MSFT does?
Ohhh... and I forgot to mention Linux and Unix:
Managing 10 Windows servers is hell! I wish I had such a simple connection interface as I have on Unix systems.
On Unix I establish an SSH session to the server and install the needed patches/updates/whatever... no reboot, no problems. Mostly restarting the updated service is enough.
On Windows I have to fire up some sort of remote screen and start the patch/update/whatever and click here and click over there again and again and again...
This is a real pain! And after the update: uhhh... reboot time! How nice! Let's pray that the box will come back to life after I reboot it! Please! Don't let me walk to the server room and switch off that damn box because something went wrong during reboot. But reality is beating me again...
Anyway... I used to like Windows as a server platform. But the more I worked with it, the more I knew that simple stuff (and Linux, for example, often has very simple interfaces) is a big, big plus on the server.
Windows is just a real fat and overloaded server which has so many pitfalls that avoiding Windows means: getting home sooner and being happy! While the Windows guy pulls out his hair and does not understand why he is getting a blue screen just because he changed that damn stupid gigabit Ethernet driver in his Compaq ProLiant 8500R. And the worst thing: he does not even know how to fix it! He would start to try this or that, but there is no graphical interface (remember: he has a blue screen).
In Linux I never ever had something like this! NEVER!
And I know Linux is not perfect! But those functions it offers, it does 10'000 times better than Windows.
And again: it is so transparent! Microsoft can only dream about such a transparent system. I would be very surprised if I saw Windows getting so transparent.
cheers
SteveB
Sorry for the flamebait title, but they deserve this one. All three of the Windows machines on my home network were bitten by the recent networking “patch” fiasco. Serves me right for enabling autoupdate. Thank god it happened during summer vacation, or else the machines would have been unusable for several weeks until I came home again. Now, I’m off to go reinstall Windows on my brother’s machine, because it gets disconnected for about 2 seconds every minute.
PS> Nice to see MS making a change, but let’s see it stick this time, okay? I thought MS had turned over a new leaf like back in February, but this fiasco happened a lot later. Well, if anything, the patch situation can’t get worse, can it?
I would be curious to know who is currently handling patch management any better than MSFT does?
well, me
I hope, hmm... NO! Better, I wish Microsoft would be able to learn from their mistakes. But no way! They control about 95% of the desktop market, and as long as it is that way, they will not give a sh** about such problems. Because they will easily find a way to explain to everyone that this is only happening on 1% of all Windows installations and that this is not a real problem at all! Bla bla bla...
If you want things to get changed, then YOU have to change things! Change your OS or avoid software from Microsoft or any other company or software producer (closed source or OSS... it is not important) where you don't have the feeling that they are doing their best to help you enjoy their software and work with their software.
After you pay for that Microsoft software, you will only hear from them when they want to sell you more software. But they will not contact you to ask how happy you are with the software or if everything is okay with the software you bought from them.
And if they contact you by accident and ask about such stuff (I once had the nice experience of Microsoft asking me), then you have to fill out an endless questionnaire and at the end you will not get anything in return! And you will not even get the end result of the collected questionnaire.
When I fill out such a questionnaire at IBM or Sun, I get a summary (a small one... but still).
Microsoft needs to learn what CRM means. And not from the technical point of view!
cheers
SteveB
“I would be curious to know who is currently handling patch management any better than MSFT does?”
Sun does with Solaris
I disagree. The traditional Solaris method of patching involves periodically downloading patch clusters and installing them, then either checking SunSolve’s web site or subscribing to security lists which notify you of Solaris vulnerabilities then notify you when patches for the vulnerabilities are available.
Solaris patches have a large and complicated dependency tree. Couple this with the fact that patches are often finicky about whether or not they’ll install (especially if you don’t install with one of Sun’s recommended installation clusters) and you’ll wind up with dozens and dozens of patches unapplied because their dependencies are failing. At this point you are left to mull through the patch documentation and figure out why a given patch didn’t apply. Perhaps you’ll need to install another Solaris package because the patch dependency tree doesn’t match the package dependency tree.
When it comes to security patches, traditionally you were left to assess which ones needed to be applied and which ones had already been applied. They will eventually be included with the patch cluster, but what if a security patch fails to apply because of details of your particular installation or because it has an unmet dependency?
Many patches also have a complicated installation process and cannot be applied without user intervention. Many other patches can only be applied in single user mode, while others require a reboot when finished (because they modify the kernel or firmware). Thus it becomes rather undesirable to attempt to automate the patch process.
My solution has been periodic application of patch clusters and “hand” application of security patches. While Sun does make it convenient to patch several systems simultaneously, problems often arise, patches fail to apply, and you’re left troubleshooting the patch application on several individual machines.
Furthermore, keeping track of what security patches have been applied and what vulnerabilities might remain using the traditional patch process is an enormous headache. I’ve attempted to automate the process with an ugly collection of scripts which pulls lists of security patches off of SunSolve then queries systems over ssh as to what patches are installed. This is certainly less-than-ideal.
Sun’s “solution” to this enormous patch assessment nightmare was PatchPro, which was supposed to offer “Windows Update-like” simplicity to the patching process. Far from it…
PatchPro is riddled with problems far too numerous to list here. I believe most of the problems stem from the fact that PatchPro is written in Java, and thus lacks tight system integration. An example of a PatchPro problem would be that it doesn’t check if a system has sufficient space to store the patches it downloads before it begins downloading. If the filesystem does fill up, it simply dies… it doesn’t clean up after itself; it expects you to do that.
PatchPro offers a few mild advantages over simply installing patch clusters on a periodic basis. It allows for signed patches downloaded via HTTPS, so security is slightly improved. It only downloads the patches that you need.
The main disadvantages are that it is a relatively complicated program and isn’t implemented very well. While patch clusters may not be elegant, they are simple and consequently solving problems is much easier.
Now, compare this all to Windows. Windows offers the same functionality as PatchPro, except in Windows patching can be safely automated. The patches very rarely fail to apply. Furthermore, the mechanism can check Microsoft’s servers periodically and notify the system’s administrator when new patches need to be installed. Furthermore, the patch process is so simple anyone can do it... it doesn’t require a knowledgeable system administrator.
I would say in all respects, Windows Update wins over everything Sun has put out in regards to patching.
Sun, why do you insist on writing system tools in Java?
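The commenter above describes two problems that a script can check offline: whether every security patch on a list is actually present on a host, and whether the installed patches' own dependencies are met. The example below is added here and is not the commenter's scripts or anything from Sun; it parses `showrev -p` style output (the line format is reproduced from memory, and the patch IDs and package names are constructed for the example) and classifies each required patch as `ok`, `outdated` or `missing`. The non-obvious point it handles is that a patch can be satisfied without being installed by name, because a newer installed patch may declare it obsolete; a naive `grep` of the patch ID misses that and reports false gaps. In practice the text fed to `parse_showrev` would be collected over SSH from each host, as the commenter does.

```python
"""Offline assessment of a Solaris host's patch state from `showrev -p` output.

Added example, not code from the original thread. The line layout
  Patch: <id> Obsoletes: <ids> Requires: <ids> Incompatibles: <ids> Packages: <pkgs>
is assumed from memory; patch IDs and package names below are constructed.
"""
import re
from dataclasses import dataclass

PATCH_ID_RE = re.compile(r"^(\d{6})-(\d{2})$")
SHOWREV_RE = re.compile(
    r"^Patch:\s*(?P<id>\S+)\s+"
    r"Obsoletes:\s*(?P<obs>.*?)\s*"
    r"Requires:\s*(?P<req>.*?)\s*"
    r"Incompatibles:\s*(?P<inc>.*?)\s*"
    r"Packages:\s*(?P<pkg>.*)$"
)


def parse_patch_id(text):
    """'108528-29' -> ('108528', 29); revisions compare as integers."""
    m = PATCH_ID_RE.match(text.strip())
    if not m:
        raise ValueError("not a Solaris patch id: %r" % text)
    return m.group(1), int(m.group(2))


def _id_list(field):
    return [parse_patch_id(p) for p in re.split(r"[,\s]+", field.strip()) if p]


@dataclass
class Patch:
    base: str
    rev: int
    obsoletes: list  # [(base, rev), ...] that this patch supersedes
    requires: list   # [(base, rev), ...] that must already be present


def parse_showrev(output):
    """Return {base: Patch} for every 'Patch:' line; other lines are ignored."""
    installed = {}
    for line in output.splitlines():
        m = SHOWREV_RE.match(line.strip())
        if not m:
            continue
        base, rev = parse_patch_id(m.group("id"))
        installed[base] = Patch(base, rev, _id_list(m.group("obs")),
                                _id_list(m.group("req")))
    return installed


def satisfied(installed, base, rev):
    """True if base-rev (or a newer revision) is installed directly, or an
    installed patch declares base obsolete at that revision or later."""
    p = installed.get(base)
    if p is not None and p.rev >= rev:
        return True
    return any(ob == base and orev >= rev
               for q in installed.values() for ob, orev in q.obsoletes)


def assess(installed, required):
    """Classify each required security patch as 'ok', 'outdated' or 'missing'."""
    report = {}
    for pid in required:
        base, rev = parse_patch_id(pid)
        if satisfied(installed, base, rev):
            report[pid] = "ok"
        elif base in installed:
            report[pid] = "outdated"
        else:
            report[pid] = "missing"
    return report


def broken_dependencies(installed):
    """(patch, unmet requirement) pairs for installed patches whose Requires: fail."""
    broken = []
    for p in installed.values():
        for rbase, rrev in p.requires:
            if not satisfied(installed, rbase, rrev):
                broken.append(("%s-%02d" % (p.base, p.rev), "%s-%02d" % (rbase, rrev)))
    return broken


# Constructed sample: what `showrev -p` on one host might look like.
SAMPLE_SHOWREV = """\
Patch: 108528-29 Obsoletes: 109034-02 Requires: 108987-09 Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 108987-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpkgr
Patch: 109147-24 Obsoletes: 108827-12 Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 110380-03 Obsoletes:  Requires: 110934-05 Incompatibles:  Packages: SUNWcsu
"""
# Constructed sample: the security-patch list you would pull from SunSolve.
SAMPLE_REQUIRED = ["108528-31", "108827-10", "109147-24", "111234-01"]


def main():
    installed = parse_showrev(SAMPLE_SHOWREV)
    for pid, status in assess(installed, SAMPLE_REQUIRED).items():
        print("%-10s %s" % (pid, status))
    for needing, unmet in broken_dependencies(installed):
        print("%s requires %s, which is not installed" % (needing, unmet))


if __name__ == "__main__":
    main()
```

Run against the sample, `108827-10` is reported `ok` even though no `108827-*` patch is installed, because `109147-24` obsoletes it at revision 12; `108528-31` is `outdated` (revision 29 present) and `111234-01` is `missing`. The dependency pass flags `110380-03`, whose `Requires: 110934-05` is unmet, which is exactly the "installed but its dependency tree is broken" situation the commenter describes.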
WOW! You must hate them very, very deeply!
The bold part of your message does not leave any room for more comments! I can only join you on that statement. But this statement can easily be applied to other commercial companies. They are all the same! But Microsoft must be their master! No other company does that much propaganda for nothing!
I hear you. I’ve been primarily non-Microsoft since I switched to BeOS in 1999 (or was it 1998?). I’ve been 100% Microsoft free for over a year. However, I can’t do anything about the fact that the other 3 machines in my house have to run Windows. My dad needs 100% Office compatibility because USAID (foreign aid branch of the US government) has standardized on Office and thus all its contractors also have to use Office. He’d personally much rather use WordPerfect. I’ve got my brother dual booting Linux, but he’s a major videogame freak so he can’t use anything that won’t run Battlefield 1942. As for my mom, she probably could use Linux (at least then gogle.com couldn’t install a porn toolbar into IE, which is a separate fiasco...) but she’s just learning computers and I don’t want to teach her anything she can’t use at work...
You can effectively layoff 90% of the Windows admins, as there will no longer be the need to run around patching servers.
The remaining 10% of us will be there to handle the rebooting.
Hahahahahaha! What a joke!
I seriously hope that all of the new competition forces M$ to make a quality OS. If they could make an OS as nice as their Office Suite they would get a LOT more respect in that air-conditioned server room.
Well... if I had only known Microsoft for several years (and I know Windows 1.0), then I would think that Microsoft is doing their best to help bring better software.
But they are able to produce very nice applications for the masses, and on the other hand they are unable to produce applications which are, all in all, painless.
I don't know how they can ship out applications which have such a good starting point at the beginning and then spoil it all with updates/patches/fixes/etc.
Why do they not listen to their customers? WHY?
Don't get me wrong! The OSS developers do not listen either (not all of them)! They are very technically oriented. But Microsoft is too money oriented! They are not producing new stuff to make my life easier! When they bring stuff out on the market it has only one purpose: bring a lot of money to Microsoft and bind me forever to their technology!
And from that viewpoint, several things are never found in Microsoft technology:
– transparency
– easy handling (not the application itself! I mean, for example, that you cannot easily handle 150'000 installed Microsoft Word applications on 150'000 computers!)
– extensibility (I don't know if I used the right English word for that. I mean that mostly you can't just easily extend a Microsoft solution. You can only replace it with a new Microsoft solution. But trying to extend it is hell and a difficult task, and sometimes it is impossible! And replacing it is very, very expensive [but could solve your problems])
– integration (try to integrate an MS solution with others. Very, very difficult! Either you only use MS products or you are lost! Microsoft expects you to integrate into Microsoft products, not that they integrate into other products!)
– good enterprise integration (you definitely feel and see that Microsoft is coming from the desktop.)
– planning (you never know with Microsoft what comes next! Maybe they are dropping the technology you are just on your way to implementing in your company. Or maybe they will just replace that application you need so much with a new version. But you have just spent so much $$$ on custom solutions on top of that application and you cannot easily move to the new version without redoing a lot of work for that new version. And the only thing Microsoft says to you: well... the new version has .NET integration and it has a great XML interface and and and...
But when you think about it: you don't need that!
And Microsoft does not care that you don't need that!)
Anyway... enough Microsoft bashing!
I have had enough of words! Actions count more than words!
I am an IT consultant, and if there is anything I learned from the expectations my customers have of me, then it is this: they want to SEE before they believe! They hear all these nice promises daily from different consultants, and at the end they have nothing!
So I started to think the same! I want to see Microsoft doing all the stuff they promise. Until then I am not believing a single word!
cheers
SteveB
Microsoft will be unable to build a working and reliable patch system because of three things:
1. They have a low quality codebase, so patching does not measurably improve it.
2. Microsoft doesn’t deep down believe in testing or fixing bugs.
3. It just doesn’t matter. It’s that big giant monopoly success trap. There is no need to fix bugs anymore. The market is locked in and bugs or no bugs, they aren’t going anywhere.
And I don’t have to say it so eloquently again (see moderated down comments), but Microsoft patches have a reputation for trashing your system.
Yeah, I thought so…I vaguely remember you mentioning the fact that patching a Sun is no frikkin picnic either and that is one of the things I was thinking about when I posted my comment.
Still, MSFT is working to improve their situation, as bad as it may be. Hopefully Sun will do the same.
Didn’t Debian come up with this years ago, only it was called apt-get?
yep, debian is great when it comes to patches. they test everything before they release it.
Microsoft tests its products rather thoroughly. There are several articles on the net about their testing methodologies. The real problems with their products come down to two factors.
1) They’re so widely used, they have to support a much more extensive set of configurations.
2) Their code suffers from some fundamental design mistakes. Windows is far too monolithic. While some people complain that Linux suffers from “too many layers”, it’s actually just a testament to the modularity and proper architecture of the whole system. Every piece (the kernel, the glibc, xfree, qt, gtk) is separate, with clearly defined interfaces between them. In Windows, a huge amount of code runs in kernel space, there are all sorts of legacy and compatibility hacks to deal with, and regular interfaces are broken by private APIs and direct access “features.”
Windows, Office, and all other Microsoft products (with the possible exception of SQL Server) are riddled with bugs. And I mean far more bugs than competing products.
By “testing” I don’t just mean “we tested it and there’s lots of bugs”. I mean “we tested it, found these bugs, and we’re going to fix the bugs” before the software goes out the door.
If you think about a low quality codebase — which is what many Microsoft products suffer from — there is no way to rapidly improve the quality of such a codebase. There is no way to fully test such a codebase.
Microsoft has tons of layers in their software. AND Microsoft has tons of hacks to go between the layers. There are tons of old APIs that need to be supported. And there are hundreds of hidden APIs which Microsoft uses that no one had access to for years. And a lot of code is poorly written as under Microsoft’s “pyramid” model of development, many low quality developers work on the product at the bottom of the pyramid.
So the problem is a messy and low quality codebase. To test such a codebase would be a serious undertaking.
Notice how you never hear about Microsoft testing their actual code (whitebox testing). You hear about some giant datacenter and lots of machines.
This is because Microsoft likes to make a show of testing more than they like to get their hands dirty and do real testing.
Only if Gates went in on a rampage and told his OS and Apps teams to get their shit together would any sort of real testing happen. Otherwise, the Microsoft culture has never been to fix bugs.
Even when it comes to blackbox testing, Windows has far more bugs than it should. How many focus problems remain in Windows & Microsoft apps? How many compatibility problems are there between Outlook XP and plug-ins? Tons.
So far, Microsoft has not impressed me with quality. Sure the OS works on many hardware configurations. And that is a real accomplishment. However on many of these configurations, the OS does not work 100%. That means that there are serious holes in testing, for thorough testing would catch problems like that.
Anyhow, I have no power over this issue. Microsoft will do as they do. As a monopoly of vast power, they are beholden to no one.
Hehehe…Gentoo calls theirs “emerge”. Who said penguins aren’t smart?
“I would be curious to know who is currently handling patch management any better than MSFT does?”
Debian’s apt system really rocks when it comes to patch management. Just do an apt-get update ; apt-get upgrade and it will update & patch the whole system, _including_ all programs installed with it.
“WU, MBSA, SUS, and the SUS Feature Pack for SMS”
as if we don’t already have enough abbreviations to deal with!
“I would be curious to know who is currently handling patch management any better than MSFT does? ”
Hmmmm, I wonder … whoooo?
http://www.apple.com/server/macosx/netboot.html
“While Network Install lets you manage your network effectively by controlling the distribution of software to network clients, NetBoot works on a slightly different principle. With NetBoot, all of the clients on the network actually start up from a single disk image on the server rather than system software on their hard disk drives. That lets you create a standard desktop configuration and use it on every computer in a workgroup, classroom, lab, or network. ”
“…update an entire workgroup by updating a single disk image …”
My point wasn’t who does patch management better or worse. It was that so much of it needs to be done that it HAS to have management systems! And replacements of management systems. And systems to manage systems. Etc. I don’t want to get back into that discussion about “it’s impossible to eliminate all bugs” and all that. My point is: if the product needs so much management of just the corrections to the few problems they address on a regular basis… holy hell, that’s one nasty product that needs redesign from the basement on up.
Am I making my point clearly enough? If you have to put so much effort into maintaining a house built on swamp land, then maybe the lesson to be learned is “don’t build a house on swamp land!”
Michael’s comment was entirely justified. The only reason I agree it should be modded down is the swearing. Everything else he said is valid. Especially the part about MS being fond of making announcements but not interested in actually changing anything. For example: when WinME came out, MS made this big fuss about how they were eliminating legacy from their OSes. This was, I believe, the time when legacy and such was a big stink in the media, thanks to Be’s comments about why their OS was good (no legacy). So MS claimed to be eliminating all kinds of legacy in WinME. The reality was that they were disabling DOS mode. Nothing else changed. They just lightly painted over the stain and pretended it wasn’t there any more. Look in your Windows XP registry. There is still crap in there that serves no purpose but to make the registry bigger (as if we needed it to get any bigger). Seen the “Windows 3.1 Transition” entry?
(the registry is Microsoft’s best worst invention since drive letters)
If Microsoft really cared about providing a good, stable, fast and complete system with great security, they would start from the ground and work their way up to the top, completely re-engineering the OS, and would change almost everything. But they don’t need to. All they need to do is put another bandaid on the pus-filled sore and sell you the update. The improvements they’ve made over the years are the bare minimum just to help cover their butts against the current “it’s politically correct to bash MS” attitude. There’s little motivation for them to do any real work at all.
Sure XP is better by leaps and bounds compared to Windows 95. It had better be, considering how much money and time has flowed under Microsoft’s bridge.