For the past 5 years, Microsoft has made a policy of releasing non-emergency patches and security fixes on the first Tuesday of the month. The idea is to limit the frequency and standardize the interval at which organizations (especially larger ones that must pick up, test, and decide whether or not to deploy these things within their in-house infrastructures) must deal with changes and additions to Microsoft operating systems, platforms, and applications. It’s a good idea, and a useful way to help manage the ceaseless flow of patches, fixes, and changes to an always-shifting software landscape.
TechRepublic blogger Justin James makes an interesting observation in his “It’s Microsoft Patch Tuesday: December 2009” blog, however. He observes quite correctly that Microsoft has started to release some of its security patches labeled as “nonsecurity patches,” which flies in the face of Group Policy or Windows Server Update Services (WSUS) settings meant to push critical security updates quickly onto corporate networks while moving other updates through a more measured test-and-deploy cycle. Any time labeling is incorrect, automation based on such labeling can fall prey to various errors or failures in deployment as well.
Also, James observes that there has been an increasing tendency for MS to release more patches and updates on the fourth Tuesday of each month, as well as the first Tuesday. A quick look back at the updates that MS has released shows that some update activity has occurred in four out of the past five months on that day of the month — something I hadn’t noticed until James shared that observation.
He admonishes Microsoft to return to its standard practice, and to limit its updates to Patch Tuesday except for critical security updates with potentially damaging or dangerous consequences. I concur. What do you think? Post a comment here, and let me know…