Last week at the Microsoft Management Summit (MMS) 2004 in Las Vegas, Nevada, Microsoft unveiled its next-generation Software Update Services (SUS) 2.0 server application, which the company has renamed Windows Update Services (WUS, presumably pronounced "woos"). WUS is the latest in a long line of out-of-band (OOB) updates to Windows Server 2003, which Microsoft now calls feature packs. For small and midsized businesses, this release will likely be one of the most important updates the company could make to Windows 2003. And like many Windows 2003 feature packs, WUS will be free to customers, adding to its value.
Like its predecessor, WUS is a patch-deployment and system update management server that sits on top of Windows Server. From a product-positioning standpoint, WUS sits between Windows Update and Microsoft Systems Management Server (SMS). Windows Update is designed for individuals and small businesses, and the next version of this manually triggered, Web-based service will debut alongside Windows XP Service Pack 2 (SP2) in May or June, offering a simplified UI and easier access to critical updates. At the other end of the spectrum, SMS is Microsoft's full-blown patch management solution, aimed at midsized businesses and global enterprises. WUS offers many of SMS's patch-deployment capabilities along with the simplicity of Windows Update. Microsoft will likely include WUS as part of the next Windows Server version, currently dubbed Windows Server 2003 R2 and due in the first half of 2005.
These three products--along with its other patch-management solutions, such as Automatic Updates and the Microsoft Baseline Security Analyzer (MBSA)--form the outward-looking portion of Microsoft's patch-management strategy. Unlike the current situation, all these products will soon use the same database back end, meaning that patch queries from different tools on the same system will yield the same results. The products will also take advantage of deep-seated technological improvements, including a new feature called Delta patching. Under the current scheme, tools such as Windows Update and SUS examine your system, determine which patches you need, and download them in total. However, these downloads are often quite large. Beginning in mid-2004, patch downloads from Windows Update and WUS will use Delta patching technology to not only download just the files you need but to also download just the parts of the files you need, thereby keeping the downloads as small and fast moving as possible. These patch-management solutions will also take advantage of priority patching to ensure that your system downloads and installs the most crucial updates before less-important patches. So when the next virus outbreak hits, Windows users will immediately be protected.
WUS offers some major improvements over SUS. WUS lets you subscribe to specific patch downloads, so an office in one location might download only the specific Windows, Microsoft Office, and Microsoft Exchange Server updates it requires; a second office in another location might also download Microsoft SQL Server patches. SUS doesn't let administrators target patch deployments so that crucial business systems (e.g., outward-facing servers) are updated first, but WUS fixes this limitation. Now, you can target groups by using either Active Directory (AD) organizational units (OUs) or manually created machine target groups if you don't use AD. Microsoft is supplying a scripting interface to automate this targeting process.
In a nod to slightly larger companies that maintain physically separated servers but don't want to upgrade to SMS, Microsoft has also imbued WUS with the ability to scale out, with a new notion of parent and child WUS servers in which child servers receive specific updates from parent servers and supply them to machine groups. You can set bandwidth-throttling rules to ensure that WUS doesn't flood your network during the business day or open the flood gates at 3:00 A.M.
Finally, WUS will include a basic reporting engine, which will let administrators receive automated at-a-glance status reports at specified intervals explaining whether all machines were patched. Microsoft isn't supporting ad hoc reporting with WUS 1.0, however. "That's a more complex task," Steve Anderson, director of marketing for Windows Server at Microsoft, said. Anderson says ad hoc reporting is one area in which SMS will add value for businesses interested in automating patch management.
I've only begun to look at early WUS beta code, but from what I can see, WUS is going to be a major release that all Windows shops should evaluate as soon as possible. Indeed, that's the product's biggest problem: Because of the lengthened development cycle of XP SP2, which includes the Windows Update upgrade that WUS and other patch-management tools rely on, WUS has taken far longer to come to market than originally planned. WUS is set for a late 2004 release. However, you can get your hands on WUS more quickly than that by signing up for the WUS Open Evaluation Program at the Microsoft Web site (http://www.microsoft.com/windowsserversystem/sus/wusbeta.mspx); you'll receive a beta version of the product sometime this summer. A private beta for the product just began, according to testers I've contacted.
As Microsoft customers, we're no strangers to longer-than-anticipated product releases, but this is one bit of software that will likely be worth the wait. I'll report back after I've spent more time with WUS.