
Windows security patches standard procedure?

Hi Guys,
I would like to know the best practice for installing Windows updates on production SQL/Web servers. We have Windows 2000 Advanced servers installed on 10 servers. Should auto download from WSUS and auto install be set and reboot the machine in maintenance window or auto download and manual install in maint window? What is the best practice before installing these updates, meaning are these updates supposed to be tested before applying to production?
Please provide some details. Thanks
Asked:
Rainbow002
 
Vitor Montalvão (MSSQL Senior Engineer) Commented:
If you tested them before applying to the production environment, then you should apply them at the best time you can find without interfering with the normal work day. And check that no jobs are running too.
I usually use SMS to apply security patches during the night, but if you don't have SMS then you must install them manually.

Good luck
 
chuck-williams Commented:
If you tested the patches then you can set WSUS and group policy to install and reboot the servers. I currently use that in a production environment and use two policies to update and reboot two sets of servers (using different update groups) at different times. I have not had any problems with that as of yet since I test my patches ahead too.
 
Rainbow002 (Author) Commented:
Since there won't be any service pack or major enhancement coming from MS, is it still a best practice to test?
 
chuck-williams Commented:
I usually only test service packs and major upgrades (like IE7). I don't test every single patch and usually wait until about a week after they come out to approve them. Usually by that time if there is a bug in the patch Microsoft has replaced it. When it comes to service packs, because of our large environment it may take us up to 6 months before we deploy those due to many different departments with different applications.

I DO NOT recommend automatically approving patches through WSUS. I approve all of them manually. Takes 5 minutes out of your week. If you stay on top of them by approving at least once a week you should be able to stay up to date before any vulnerability is exploited.

Hope that helps.
Question has a verified solution.
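
The routine described in the last answer (wait about a week after release, approve by hand, roll out to two server groups at different times), as an added example that is not part of the thread. It assumes a WSUS server that has the UpdateServices PowerShell module; the function names, the `$picked` variable and the group name `Servers-GroupA` are hypothetical.

```powershell
# Added example. Function and group names are hypothetical.
function Select-AgedUpdate {
    # Pass through only updates released at least $MinAgeDays ago.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Update,
        [int] $MinAgeDays = 7,
        [datetime] $Now = (Get-Date)
    )
    process {
        # Get-WsusUpdate objects carry the release date in .Update.CreationDate
        $age = [math]::Floor(($Now - $Update.Update.CreationDate).TotalDays)
        if ($age -ge $MinAgeDays) {
            [pscustomobject]@{ Title = $Update.Update.Title; AgeDays = $age; Source = $Update }
        }
    }
}

function Approve-ReviewedUpdate {
    # Approve only the titles an administrator has reviewed, for one computer group.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] $Candidates,
        [Parameter(Mandatory)] [string[]] $ReviewedTitles,
        [Parameter(Mandatory)] [string] $TargetGroupName
    )
    foreach ($c in $Candidates | Where-Object { $_.Title -in $ReviewedTitles }) {
        if ($PSCmdlet.ShouldProcess($c.Title, "Approve for $TargetGroupName")) {
            Approve-WsusUpdate -Update $c.Source -Action Install -TargetGroupName $TargetGroupName
        }
    }
}

# Constructed sample shaped like Get-WsusUpdate output, so the age filter runs offline.
$now = [datetime]'2007-03-20'
$sample = @(
    [pscustomobject]@{ Update = [pscustomobject]@{ Title = 'Constructed update A'; CreationDate = [datetime]'2007-03-13' } }
    [pscustomobject]@{ Update = [pscustomobject]@{ Title = 'Constructed update B'; CreationDate = [datetime]'2007-03-18' } }
)
$sample | Select-AgedUpdate -Now $now | Format-Table Title, AgeDays

# On the WSUS server: list candidates, read them, then approve group by group.
# $candidates = Get-WsusUpdate -Approval Unapproved -Status Needed | Select-AgedUpdate
# Approve-ReviewedUpdate -Candidates $candidates -ReviewedTitles $picked -TargetGroupName 'Servers-GroupA'
```

Running `Approve-ReviewedUpdate` with `-WhatIf` first shows which approvals would be made for a group without changing anything on the server.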
