We tested the first public beta of Windows Update Services and found that it's a definite improvement over Software Update Services, the product it replaces. And it presents a credible alternative to existing patch management products such as BigFix and PatchLink for cost-conscious, Windows-only shops.

The software, slated to ship in the first half of this year, includes a brand-new reporting module. It lets administrators configure patch profiles based on groups of computers. It also lets administrators patch additional Microsoft programs, such as Office, Exchange, SQL Server and Microsoft Data Engine, running on Windows machines.

The agent software required for WUS to function properly is included in Windows 2000 (starting in SP3), XP and 2003. This relieves the administrator from having to deploy and manage a separate agent.

However, Microsoft needs to push patch support for third-party products - with Adobe Acrobat and RealPlayer being prime examples - and custom patch deployments into WUS to compete even more directly with other patching products on the market.

One of the most common complaints about SUS was that it didn't include any reporting capabilities. WUS's reporting module offers basic functionality, such as the ability to view and print reports on update status, synchronization results and configuration settings. Update status reports list information by patch and can be generated based on the approved action for a patch (install, detect, remove) and by computer group.

We tested how well WUS could report on the status of installed updates in our Infrastructure Server group (see "How we did it"), but found it difficult to quickly identify which patches were deployed to each computer. We would like to see the reporting module expanded with additional options, such as the ability to generate reports by computer, by updates that have been installed/removed in a selected time period and by updates that have been installed/removed for each product group.

WUS also adds grouping functionality. Computers now can be assigned to groups, providing the ability to define different patch baseline and deployment policies for different sets of computers. For example, you now can have different policies for your servers and your end-user workstations all administered from one WUS server. In the past, you needed two separate SUS servers.