Windows Update Services (WUS) is the successor to Microsoft Software Update Services (SUS) and the application Microsoft previously referred to as SUS 2.0. Essentially a free Windows Server add-on that lets small and midsized businesses easily handle patch management for servers and clients, WUS is one of the most exciting out-of-band (OOB) Windows Server upgrades Microsoft has shipped since Windows Server 2003 debuted in April 2003. The product's functionality sits between that of Windows Update and Microsoft Update (a new service that the company will soon introduce), which are designed for individual users, and Microsoft Systems Management Server (SMS) 2003, which is aimed at high-end enterprises. The company also offers a fourth patch-management product, Microsoft Baseline Security Analyzer (MBSA), which can help individuals but is designed to let third-party developers create their own patch-management systems. Here's what you need to know about WUS.
A New Back End
Microsoft's patch-management strategy has been evolving steadily since early last year, when the company finally acknowledged that it was doing a poor job of helping customers keep their products up-to-date easily and seamlessly. However, before Microsoft could ship any new patch-management products, the company had to fix the infrastructure. Its existing products—Windows Update, SMS, MBSA, and SUS 1.x—all use different database back ends. As a result, these products often deliver varying results, even when run on the same systems. Microsoft says that work on a common patch-management back end started in 2003 and will continue through summer 2004, culminating in the releases of MBSA 2.0 and WUS in third quarter 2004. By that time, all Microsoft's patch-management tools will point to the same back end and provide consistent results.
Also helping WUS is the move from several patch-installer routines to just two, both of which will be based on the new Windows Installer (MSI) 3.0 technology, which provides for patches with far fewer reboots, new uninstallation capabilities, and massive patch-size reductions. And a new delta compression scheme will eventually make MSI 3.0—based patches as much as 90 percent smaller than equivalent patches released today, according to Microsoft.
In addition to a new name, WUS sports a wide range of desirable new features. Like earlier SUS versions, WUS provides businesses with a centralized patch-management infrastructure, which lets administrators approve then roll out patches to desktops and servers. WUS adds new content download types—including patches for Microsoft Office, SQL Server, and Exchange Server—to the previously supported Windows updates and service packs. WUS includes improved targeting capabilities that let administrators take advantage of organizational units (OUs) in Active Directory (AD) environments or manually created groups in workgroups to roll out patches to the most crucial systems first. The new service also includes bandwidth-management capabilities that let you control patch delivery during peak business hours so that you can ensure your networks won't be overloaded during crucial periods.
Thanks to a new topology scheme that supports parent and child WUS servers, WUS scales out more effectively than SUS, opening up this patching solution to distributed environments for the first time. If you're wondering how well WUS scales out, consider this: WUS is based on the same technology that Microsoft uses to run Windows Update, so it's proven to be both scalable and reliable. And now WUS can generate simple reports detailing key patch-management tasks (e.g., notifying you whether all your target groups received and installed the updates) and status reports. Unlike the more powerful SMS, however, WUS doesn't support ad hoc queries, which Microsoft describes as a more complex feature.
One feature that won't be changing is the price—none. Contrary to rumors, and despite all the powerful new features, WUS continues to be a free component of Windows Server.
How It Works
Behind the scenes, WUS includes a built-in Microsoft Data Engine (MSDE)—based database, but larger enterprises can use SQL Server for better performance. This database, called the WUS Catalog, connects to Windows Update, captures metadata about available patches, and stores the information locally. The metadata describes each patch, explains which systems it applies to, describes its dependencies, and provides other useful information. Locally, administrators can schedule patch deployment, test patches before deploying, and determine which systems should receive patches first.
Windows clients in the network are configured to go to the local WUS database rather than to global Windows Update servers. Clients accessing the WUS Catalog pull metadata, perform a scan against the system, and report back to WUS about which patches they need. "It's a basic pull architecture," Steve Anderson, director of marketing for Windows Server, said. "It tells the server, 'Here's what I need.'"
And on Windows XP Service Pack 2 (SP2) systems, WUS supports a new feature called install on shutdown. This feature lets Windows systems automatically install reboot-required patches as the system shuts down, ensuring that work isn't interrupted and the system reboots into a patched state.
Unless you're already using SMS or a third-party patch-management solution, you should evaluate WUS as soon as it's publicly available. Microsoft will ship beta versions of the product this summer and release the final version sometime in the fall. By that time, the company's overhauled patch-management infrastructure will be in place, and all of its patch-management tools will be working through a common back end as well. If you've been struggling with confusing, contradictory, and incomplete patch management on your Windows systems, rejoice. If Microsoft gets this release right—and early indications are that it will—your patch-management nightmare could be ending.