Patching systems shouldn’t be this difficult

With tools like the automatic updates client and Microsoft Update, keeping a modern Windows system up-to-date is pretty straightforward.

For those who have a network of computers to manage, there are additional tools, like the Microsoft Baseline Security Analyzer (which helps to identify if any patches are missing) and Windows software update services (which keeps a local copy of Microsoft Update on one or more servers on a network).

It’s just taken me over two hours to patch a single computer running Sun Solaris 10 x86. Like Microsoft, Sun provides tools that assist enormously in the process, but honestly – two hours! First I had to install the Sun update connection software, then once I’d launched Update Manager, there were 53 updates to download and install (and that was just security patches and driver updates – Sun restricts access to certain patches to organisations with a service plan). After a very long reboot (whilst some of these patches were applied), there were still 15 more updates (probably a subset of the original 53). Then a further reboot (shorter this time), and I was up and running again.

In fairness, Windows updates often require restarts and it can take several visits to Microsoft Update before a system is fully patched but this was ridiculous.

Next time someone tells me that patching Windows is too difficult, my response is unlikely to be empathetic.

4 thoughts on “Patching systems shouldn’t be this difficult”

  1. Mark,

    I can’t imagine someone ever telling you that patching Windows is difficult (shoot them if they do). Keeping up with patches, well ok, maybe I’d see that point.

    I don’t think that 2 hours is that long for 53 updates. I wish I had a virgin Windows OS sitting here to update. I would time it and report my findings after 53 patches downloaded and installed – I think it would be nearly the same amount of time. If I had the time to waste I would be willing to do it, but I have the Rolex 24 to go and visit today :)


  2. Chuck,

    Keeping up with Windows patches is easy – just enable the automatic updates client (no need to install anything).

    Given that I only downloaded my Solaris 10 x86 distro a few months back, it should be patched to a reasonable level – let’s say broadly equivalent to Windows XP SP2 (that gives Sun 18 months’ worth of updates to apply). The SP2 machine on which I’m writing this comment also has about 50 patches on, but when they needed a restart to take effect, the boot time was not increased significantly, so aside from the time spent rebooting, I could work on something else in parallel with applying updates. On the other hand, when the Solaris machine needs a restart to apply a patch, it adds a significant period of time to the boot sequence, during which my system is down (i.e. unavailable).

    I’m not starting a Windows vs. Unix war – I’m pretty sure that the statistics show a comparable number of vulnerabilities (and hence critical updates) – it’s just that it involved a significant effort to first install the update manager software and then apply all the patches (well, the ones that Sun would let me have access to anyway…).


  3. Chuck’s comments got me thinking so, as I had to build a Windows XP machine tonight, I tested how long it took to patch from SP2 to fully updated (using Microsoft Update, similar hardware to my Solaris box and the same Internet connection).

    All that was involved was accessing the website, installing the Microsoft Update ActiveX control when prompted, then 3 updates to bring the installer to the current level (and a reboot) – that all took less than 5 minutes. I then returned to the site, where there were 35 high priority updates (plus 10 optional software updates and a single optional hardware update). Downloading and installing the high priority updates only took about 10 minutes (including a reboot). To round it all off, I returned to download and install the optional software updates (which, if this was my Solaris system, Sun wouldn’t have allowed me access to) – that took another 25 minutes (following which I needed another 5 minutes and a reboot to install a further 3 updates to the optional software that I’d applied).

    The total time taken for these 51 updates was about 45 minutes and 4 reboots (which included about 4 minutes of downtime whereas the Solaris patches that prompted the original post involved about 20 minutes of downtime). If, instead of using Microsoft Update, I’d left the Windows automatic updates client to its own devices, this would all have happened in the background with minimal user intervention.

  4. Mark,

    Thanks for taking the time to post the numbers. I searched the internet to find something to post but came up empty.

    I guess when it comes down to it, comparing the patch process between Sun and Microsoft is like the difference between a stick shift and an automatic. I’m sure that soon enough Sun will offer automatic (maybe they do – ya just have to pay for it). Maybe it’ll be manumatic :)

