[Dshield] Microsoft patches

Ed Truitt ed.truitt at etee2k.net
Tue Oct 21 12:08:43 GMT 2003

On Mon, Oct 20, 2003 at 08:51:00AM -0500, Bob Savage wrote:
> I have not yet had any problems with Microsoft patches, security updates, or service packs.
> I know a lot of folks have big problems with the updates.  Am I the only one that's found them trouble free?  Are there things we all could take to make them easier and smoother?  Again, the point is not to defend MS or to criticize anyone else.    Just wondering if given what we have to work with if there are things we could do to make our jobs easier.

My experience:  on the home networks (I support 3 XP/Home boxes, at 3 residences, + 2 RHL at my place) I haven't had any problems w/ MSFT patches.  I tend to run "default" environments at home, which keeps things uncomplicated.  Uncomplicated == a better chance these patches will not break the system, IMHO.  However, I have had several cases where putting the patches on the RHL boxes broke things:  in one case, a kernel patch rendered the system unbootable.  Fortunately, I kept a backlevel boot floppy, which saved my tail feathers!  

(Side note:  IMNSHO, I feel current OS design and operational/management procedures are far too complex for the average home user, who expects a PC to work like a toaster or a TV.  I feel the Next Big Thing for the unemployed dot-commies has something to do with managing this vast herd of home systems.  However, I still haven't figured out the business end of things - how much to charge, what services to provide, etc. etc. etc.  I am, however, thinking about it.)

As to the work environment:  we have a rather large shop (I work for a largish oil company) and have a lot of MSFT stuff.  We have had some very good success with emergency deployment of patches, but we have had some pretty spectacular failures, too (the original -026 patch killed a few boxes to the point they had to be rebuilt, and broke several application servers.)  However, we try to do as much QA testing before we deploy patches as we can.

When I used to do mainframe systems support (in the ancient times), I remember we got patch tapes on a monthly basis, and "hot fixes" (called PTFs in those days) as needed.  Of course, we also had access to the OS source code, and often found and fixed the bugs ourselves, then notified IBM and sent them the patch!  Every so often, a PTF (or even better, a ZAP fix) would work just dandy on the test machine, but when installed on the production system, would bring the box crashing to the ground, thereby generating a large quantity of meetings to determine just why it happened and who was responsible.  This normally occurred during the most critical time of the month - month-end close (for financial systems) or just before a big lease sale (for upstream E&P systems).

The moral of the story here:  we've had program bugs ever since we've had programs.  Test as thoroughly as you can (time permitting), deploy cautiously, always have a backout option.  Good system management practices, regardless of which OS you worship.

> On the other hand, I have a good friend who has a headache from time to time.  When offered an aspirin she'll always decline, explaining that if she took it the headache would go away and then she'd have nothing to complain about.  I'm also guilty of that approach sometimes!

That, to me, would be the definition of a masochist.  If I have a headache, and decide not to take an aspirin, it is because I am afraid it would come right back up, when the nausea hit.  I can ALWAYS find something to complain about ;-)

Edward D. (Ed) Truitt
email:  ed.truitt at etee2k.net      
"Note to spammers: my 'delete' key is connected to YOUR ISP. 
Also, if you send me UCE, I reserve the right to post your spew 
on my Web site, with the appropriate color commentary, so that 
others may have a good laugh at your expense."
