Automatic Updates on Servers

[gog20007]

I would like to know what others are doing for server updates. Is it acceptable or considered "best practice" to allow servers to automatically download and install updates from Microsoft?

 

[58sniper]

Download - yes. Install - no. You don't want your servers rebooting during the middle of the day.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[monsterjta]

Sure, you don't want your servers rebooting during production hours. However, you can control the reboot day/time with group policy. Essentially, you can download and install the updates any time and reboot the servers, say, Sunday @ 2am or something like that.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN

 

[58sniper]

The problem with auto installing is that some updates will stop/restart services. You don't want that happening on critical business apps during business hours.

Additionally, the time between the update installation and the reboot is a time when some parts of your server are only partially updated. I wouldn't recommend leaving a server like that for anything more than a few minutes.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[monsterjta]

The problem with auto installing is that some updates will stop/restart services

Again, that's why one would do this during non-production hours. If you are an administrator and want to manually install updates at some odd hour on a weekend, that's your choice.

the time between the update installation and the reboot is a time when some parts of your server are only partially updated. I wouldn't recommend leaving a server like that for anything more than a few minutes.

Once again, that's why one would want to controll the installation and reboot time with policy.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN

 

[crobin1]

Of course, the other problem with automatic updates is that they sometimes break the thing they were trying to fix, or break some other unrelated piece. Unless it's some ultra-critical zero-day exploit I prefer to wait at least a day or two to watch for reports of things breaking.

 

[gog20007]

Thanks for the replies.
Not too long ago I would not install a Microsoft patch until it was "proven" in the field. In fact, I still feel that way today.
One of my co-workers thinks that it is OK to automatically download and install patches everyday at 3:00am on servers. His arguement is that when he does them manually he takes whatever is pushed down to him anyway so what is the difference?
Is the patching process for Microsoft servers good enough that we dont need to babysit it and just let it run on its own?

 

[porkchopexpress]

I would always test patches on your setup first if possible as there can always be issues with third party software when MS make a change to the OS. Generally though MS patches really are extensively tested these days and i rarely have any problems and most are niggles, of course you hear of some places having issues but there are millions of Windows servers our there so there will always be a few.