Get Ready To Patch

Installing patches to fix application and system flaws is still a major chore for businesses. With Microsoft's XP SP2, they face their biggest challenge.
Thermo Electron uses Microsoft's Software Update Services 1.0 tool (the predecessor to Windows Update Services) for patching at its headquarters, but remote locations continue to handle the job locally, so it's a challenge to get everything done quickly. "The problem is, you need a dedicated full-time person to write scripts and push the patches out there," security manager Kamens says. The company is deploying Systems Management Server 2003 to help, but at an estimated total cost of about $1 million, it won't be cheap. Even after predeployment testing, Kamens says, patches too often "break things." But it's something that has to be done--the risks of unpatched systems include worms and other threats, the data vulnerabilities and system snags associated with such threats, and potential liability, lost productivity, and other costs related to any security breaches. Thermo Electron's IT staff rolls out software updates to 800 servers once a month on a Sunday morning to minimize system downtime.

Companies of all sizes are grappling with the issue. Ajacs Die Sales Corp., a small distributor of tool-and-die components, has only VP of IT Steve Wierenga to patch its 22 PCs and four servers. "We have it under control," says Wierenga, who evaluates Microsoft's patches himself each month. "We're small enough that we can address an issue with a patch in short order if it causes a problem." At the other end of the spectrum, software vendor SupportSoft Inc. says one of its customers, a bank with 50,000 PCs, will have dozens of technicians testing the SP2 patch over several months.

Stolt Sea Farm, a seafood company, takes a no-frills approach. The company's IT environment consists of 550 thin-client terminals and 50 Windows servers spread among locations in about a dozen countries. Because there are no desktop PCs to support and most of its software comes from Microsoft, the company's small IT staff is able to install patches within 24 hours--and it does so without any testing. "I would say we are very efficient," says systems administrator Terje Sorgjerd.

CIO Burdiss of Smurfit-Stone Container believes businesses need to master the nuts and bolts of patch management to focus IT resources on what really matters: delivering increased business value. "Before you can do governance and develop the value of IT to the business and all of the things we're trying to aspire to, you have to have some credibility," he says. "In my mind, the lights-on stuff has to work every time, and these patches can be counter to that."

The good news is that companies generally seem better prepared to deal with patches today than a year ago, using patch-management products from specialists such as PatchLink Corp. and Shavlik Technologies LLC and new capabilities from their primary software suppliers. For example, PeopleSoft Inc., which issues patches quarterly, has cut the number of manual steps required to find, download, and install patches and software updates from 49 to seven.

Better-defined internal procedures at user companies are helping, too. As a result, the Yankee Group estimates costs have dropped to about $150 per patch for each PC, from about $250 last year. Companies are "better at it than they were 12 months ago," says Michael Cherry, an analyst with Directions On Microsoft. "But it still requires a considerable allocation of resources."

That will be especially true with SP2, which, at a minimum of 75 Mbytes per machine, promises to clog networks if not managed carefully. And once it's installed on PCs, help-desk administrators could see a spike in support calls as users grapple with nuances in the way Microsoft's Internet Explorer browser works with SP2 and other security-related changes. "It's going to cause as many problems as it fixes," predicts Simon King, SupportSoft's director of product marketing for enterprise solutions. "It's going to be a huge undertaking."

Microsoft group product manager Barry Goffe says the company is doing everything it can to help. In addition to the 100-page applications-compatibility document, it has already released a 200-page technical overview of SP2, a Solution Accelerator that provides guidance on how to load Windows XP SP2 onto a computer, and other documentation. Over the next few months, Microsoft plans to deliver the beta version of an applications-compatibility toolkit for SP2, which will automate some manual processes. And next year, improved patch management in the form of Windows Update Services should arrive.

It makes for quite a patch. The next few months will tell just how much companies have really improved at managing it all.

-- With Charles Babcock and Beth Bacheldor
