Patch management is one of the biggest problems facing Microsoft's enterprise customers today, primarily because the company's many products all have their own tools and methods for providing software updates. The bewildering number of product revisions, language versions, and other product differentiators--many of which require the company to issue multiple patches for the same vulnerabilities--exacerbates the problem. And because many of Microsoft's tools use different patch infrastructures, customers often see different results when they use products such as Microsoft Windows Update, Microsoft Baseline Security Analyzer (MBSA), Microsoft Software Update Services (SUS), and Microsoft Systems Management Server (SMS) with the SMS SUS Feature Pack. To fix these problems, the company is overhauling its patch-management infrastructure and will unleash a new generation of patch-management tools as soon as early 2004.
Today, Microsoft's patch-management solutions are, well, patchy at best. The company admits that it often provides incomplete and inaccurate patch information; uses inadequate assessment and deployment tools, which produce an inconsistent patch experience because of the range of installer types the company uses; and produces poor-quality patches. The latter point is a tough spot for Microsoft, which must walk the line between delivering high-quality patches and delivering patches quickly. Changes to the underlying infrastructure should help the company do both.
To address these patch-management problems, Microsoft is creating a new, centralized patch-management architecture that it will use for all its products. Then, the company will build new versions of Windows Update, MBSA, SUS, and the SMS SUS Feature Pack around this infrastructure. Microsoft has been discussing centralized patch management for years, but it always seemed like pie-in-the-sky functionality. Now, though, the company plans to provide these tools to customers in early 2004--much earlier than I had previously expected. (At an early June reviewer's workshop for Microsoft Exchange Server 2003, the company noted that Kodiak, the next major Exchange version, will integrate with Windows Update, which led me to believe that the centralized architecture was still some years away because Kodiak isn't due until 2006 to 2007.)
From a scheduling standpoint, Microsoft has many patch-management milestones in the months ahead. Later this month, the company will standardize its Knowledge Base articles, making them easier to read, and will release a new version of the Microsoft.com Search tool that will be geared toward searching for security patches, which the company says is the number-one reason customers visit the site. Also in July, Microsoft will release updated best-practices guides for patch management. In first quarter 2004, Microsoft will deliver its common-patch architecture, update its patch installers, and release a new version of Windows Update that's geared toward all Microsoft products. In second quarter 2004, Microsoft will upgrade MBSA, SUS, and SMS 2003 to work with this new architecture. In late 2004, Microsoft will convert from eight patch-installer types to just two (Windows Installer--MSI--3.0 and Update.exe), and in early 2005 the company will move to a common-patch distribution infrastructure with the release of SMS 2005, Microsoft System Center, and a new SUS version.