Microsoft Patch Plans Lack A One-Stop Update Service

Bill Gates says Microsoft will unveil a one-stop update service in March dubbed Microsoft Update, but analysts aren't convinced.
Bill Gates said Tuesday that Microsoft would unveil a one-stop update service in March dubbed Microsoft Update, but analysts aren't convinced that the Redmond, Wash.-based developer's done all it can to consolidate the patching problem.

During a keynote presentation, Gates promised that the various update mechanisms and sites for Windows, Office, Exchange, and SQL Server would be combined into a single update center using just one scanner to probe systems to determine which updates were needed.

"We beta this new infrastructure starting in March to simplify things," said Gates during his speech. According to Gates, each distinct user group -- consumers, small businesses, and enterprises -- will have its own interface to this single update center. Consumers, for instance, will access it through Automatic Update, while enterprises will via Systems Management Server.

But while Michael Cherry, a senior analyst at Directions on Microsoft, applauded the move, he was left wondering just exactly what was in the offing.

"What should have been a very simple announcement got very confusing," Cherry said. "I had the understanding that this work was almost done and was already in beta as part of Windows Update Service. But then Gates made it sound as if it was just going into beta.

"I tell you, I was left a little confused."

Windows Update Service, which until 2004 was called Software Update Services 2.0, and Microsoft Update Service, were both delayed in July 2004, by Microsoft, which cited a need to wrap up a new Windows Update (not to be confused with Windows Update Service) last fall when it shipped Windows XP SP2.

At that time, Microsoft executives, including Mike Nash, the company's chief security officer, said that the single service would debut in mid-2005.

"All I want to do is go to just one site to get updates," said Directions' Cherry.

Cherry had expected that Microsoft would simplify its entire update infrastructure, including reducing the number of patch installation technologies and consolidating update sites.

Part of that chore is done, since Microsoft has dropped the number of installation mechanisms from about eight two years ago to just two today. But Cherry still sees problem signs.

"I think they're starting to simplify things -- especially the Windows group -- but I'm not convinced that other parts of the company are on the same page. If we're going to have a single site, which is still important, that users can go to keep their machines secure, then all the parts of Microsoft have to follow the same playbook."

He sees evidence to the contrary. In January, for instance, Microsoft posted an update to Exchange Server 2003 that makes it less likely for hackers and spammers to target such servers with Directory Harvest Attacks (DHAs), the brute-force searches for valid e-mail addresses.

"Microsoft never put out a security bulletin associated with this," said Cherry. "You'd think it would have rated one." He sees work ahead for Microsoft before it can really claim a single update spot for all its operating system and application software. Too many times, he said, users still have to resort to sniffing out Knowledge Base articles or cruising Microsoft's various download locales to find out what needs updating.

"I still see problems," he said. "I always thought it was about combining the separate Windows Update with Office Update and then the download sites."

Editor's Choice
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing
John Edwards, Technology Journalist & Author
Shane Snider, Senior Writer, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
John Edwards, Technology Journalist & Author