Microsoft’s delivery of patch tools slips again

Mar 22, 2004 · 6 mins
Microsoft, Networking, Patch Management Software

LAS VEGAS – Corporate customers who anticipate the springtime release of upgrades to Microsoft’s no-cost patch management software have some disappointment ahead: They will not only have to wait till later in the year but also might have to upgrade their systems to use it.

At its annual Management Summit last week, Microsoft renamed its Software Update Services (SUS) 2.0 to Windows Update Services (WUS) and said the ship date could slip by up to seven months. WUS is a free, server-based application for downloading and deploying patches.

Last November, Microsoft promised a May ship date for its new patch technologies, including WUS, new installers and one Web site to download patches.

Many were expecting the first beta of SUS 2.0 last week after already experiencing two delays, but Microsoft only gave them a name change and provided just 50 to 60 customers with preview software. A public beta now is slated for this summer.

The WUS server component will only support machines running Windows 2000 Service Pack 4 or higher; Windows Server 2003; Internet Information Services 5.5 and higher; and SQL Server 2000 SP 3 and higher, SQL Server 2003 or SQL Server Desktop Engine 2000. The WUS client, which is needed to communicate to the server, supports Windows 2000 Server and Professional SP4 and higher, Windows Server 2003 and Windows XP. And while WUS will add support for Exchange, SQL Server and Office patches, the initial support only includes current versions of those applications. Older versions will be added by the end of the year, Microsoft said. On the operating system side, it supports patches for Windows 2000 Server and Professional SP 3 or higher, Windows Server 2003 and Windows XP. 

Get a patch

Microsoft’s patch management tools won’t make it out this May as promised, but the company’s free deployment tool called Windows Update Services went into beta last week and has undergone an overhaul to answer user complaints.
Product: Windows Update Services
Former name: Software Update Services 2.0
Description: Server that sits within corporate firewall and downloads patches from Microsoft Web site and deploys those patches.
Cost: Free
Improvements: In addition to Windows, now will include patches for current versions of Exchange, SQL Server and Office, with older version support promised by year-end; patches can be targeted at certain groups of machines for deployment; simple reporting engine to verify download and installation of patches and reboots of machines.
New features: WUS includes a Microsoft-developed scanner designed to eliminate inconsistencies between current tools — MBSA and HFNetChk. Catalog technology, which lists patches, updates and service packs, will be common in WUS and System Management Server 2003 Service Pack 1. API will let third-party tools tap into WUS.
Coming up: In 2006, WUS is scheduled to become the scanning engine within SMS.

“I was a bit disappointed with the delay,” says John Mercer, senior technical analyst with General Mills in Minneapolis. Mercer, who runs SUS 1.0 and Microsoft’s licensed patch and configuration management platform Systems Management Server 2003, says he is eagerly anticipating new deployment controls within WUS.

“WUS hits a good percentage of our machines, and it is easier to manage. SMS takes a lot more configuration to make it work right,” he says.

WUS is also raising other concerns.

“My concern is you have to have your machines at a certain state, which is Windows 2000 SP 4,” says Coby Gurr, network engineer for the Utah Army National Guard. “I don’t have all my systems at that level.” He also noted lack of support for Windows NT 4, a product that will lose security hot-fix support on Dec. 31.

Microsoft has heard all the complaints, but while the company scrambles to release new tools, it wants to ensure they are part of one set of technologies that will foster a consistency among its patch management tools that does not exist today.

In the future, WUS is expected to become a part of the Windows operating system, likely with the Longhorn server version expected to ship in 2007.

“The way we want to build it is you have Windows Server, which is the core infrastructure and is the thing that deploys, scans and checks and makes sure everything happened,” says Steve Anderson, director of Windows server marketing for Microsoft.

The forthcoming version of WUS also will include an API that will let third-party management and patch tools plug into that engine so patch deployment is consistent regardless of other tools that might be used.

In 2006, Microsoft says it will integrate WUS directly into SMS, making it the deployment engine for the licensed product. That will let corporations run a combination of WUS and SMS without some of the inconsistencies that plague users today. And it will let users run other management software to patch Windows systems without having to deploy SMS.

The two most notable inconsistencies today are the separate scanning engines in Microsoft Baseline Security Analyzer (MBSA) and HFNetChk that often deliver differing results on whether a patch is installed or not, and different technologies for cataloging patches, updates and service packs in WUS and SMS.

Microsoft is developing a scanning engine that will be in WUS to replace the engines it now licenses from Shavlik Technologies for MBSA and HFNetChk. The WUS scanning will be used in MBSA 2.0, which will ship when WUS does. Microsoft also is developing one catalog technology for use in both WUS and SMS.

That comes on top of already announced plans to reduce the number of patch installers from eight to two and to consolidate existing sites into one site on the Internet to download patches.

That site will put one interface on Windows Update, which today provides Windows patches for consumers and businesses, and the forthcoming Microsoft Update, which will provide all other product patches for customers that opt into the service.

Microsoft also is contemplating developing a simplified version of SMS that could plug into the patch deployment capabilities being built into Windows. It would be comparable to the Microsoft Operations Manager Express, which was introduced last week and forces limits on the scope of its use.

The idea of getting SMS in widespread use is being pushed by some observers.

“Microsoft should almost give away SMS,” says Peter Pawlak, an analyst with Directions on Microsoft, an independent research firm. “It is in Microsoft’s best interest to get everyone up on the current patches and to help roll out new versions of products.”