I have a new .NET web application that runs on Windows 2008 R2 (IIS) and SQL 2008 R2. I am planning to host it on Amazon AWS for a new customer.
They have asked me "Are there any standard outage windows used for upgrades and patching? If so, please detail the frequency of these and the duration."
A few questions:
1. What would you suggest is the best practice for applying Microsoft updates on a live customer facing web application? Review monthly and apply then if appropriate, but on demand if a more critical security patch comes out?
2. Is it best practice to apply all Microsoft (Windows & SQL) patches/updates always (after regression testing the app) or only select a specific subset of them based on some measurement?
Thanks for your help.