On October 1, 2003, Microsoft rolled out its now-infamous program to push security updates to PCs and organizations every first Tuesday of every month. Hate it or love it, Microsoft realized a growing security issue with its products and quickly instituted a process that has lasted for 10 years.
Patch Tuesday has been renamed to Black Tuesday by many. Even though patches are released on the first Tuesday, those responsible for distributing the updates through the company understand that the process generally takes 3-4 weeks to complete. For smaller organizations, this task ensures a single individual retains employment, and in larger companies teams are put together to help guarantee the company's assets are patched and secure. Patching is painful for IT Pros, for sure, and takes a dedicated soul to get it right.
Since that first Patch Tuesday, Microsoft has developed automated solutions to help manage and distribute security updates. System Center Configuration Manager (Systems Management Server [SMS] at the time) and WSUS (SUS at the time) are still instrumental today for allowing IT Pros to better automate the process for deploying updates. Downloading, testing, testing again, piloting, reporting and finally deploying takes late nights and weekends even with automated solutions. So, if anyone deserves cake it's the IT Pros that have had to suffer through the past 10 years of updates that didn't all work the first time from Microsoft.
The 10th anniversary of Patch Tuesday makes me particularly a little misty-eyed. Not only have I been involved with patching over the years, but I was commissioned to write the very first Patch Management Guide for Microsoft. For a couple months we developed processes and guidance for delivering timely updates and finally produced a workable document that was the first of its kind – for any vendor. So, yeah, some of the blame could be heaped on me.
So, happy birthday Patch Tuesday.
Here are some resources to help relive the history…
- Bill Gates' memo on Trustworthy Computing – January 15, 2002
- The Microsoft press release on Improving the Patch Experience – in the press release, Microsoft's now-exiting CEO said: "Our goal is simple: Get our customers secure and keep them secure. Our commitment is to protect our customers from the growing wave of criminal attacks."
- The TechNet Article describing the process – October 1, 2003
- The VERY first Microsoft Security Bulletin – published Tuesday, October 14, 2003