NewsReviewsOpinionsCase StudiesResearchToolsDiscussions
Home > Opinion > Livingston > Microsoft's Patch-A-Month Club

Brian Livingston  
Microsoft's Patch-A-Month Club
By Brian Livingston

Reader David Plaut has a ready response to my recent Known Issues columns about Microsoft security patches and the bandwidth they consume. "There's already a mechanism in place that doesn't use any bandwidth to distribute large files," Plaut writes. "Microsoft should partner with Time Warner to publish large patches on those ubiquitous America Online CDs."


Not a bad idea, David, but I'm not holding my breath. Microsoft, however, did recently make a serious change in the way it announces and releases security fixes, but it's unlikely to solve the bandwidth problem. Although Microsoft CEO Steve Ballmer publicly discussed this change at the company's Worldwide Partner Conference in New Orleans last month, the shift has not received nearly enough attention from the press, the public and enterprise IT professionals worldwide.

What's the big change? Microsoft now intends to issue its routine security patches and bulletins once a month, rather than as soon as each patch is ready for wide distribution.

We got a taste of this new regime when a single "bulletin summary," which described five new Windows security patches, was issued Oct. 15 (see Starting Nov. 11, the company says, patches will be released on the second Tuesday of every month in a single batch.

This means some patches won't come out until a few weeks after they're ready. For example, if a new patch is completed Nov. 10, it'll be issued Nov. 11. But a patch that's certified Nov. 12 will be held until the next bundle goes out Dec. 9. Finished patches, therefore, will be released an average of approximately two weeks later than they would be if patches were issued as soon as they were considered done.

In a statement on the new timetable, Microsoft says it will make exceptions and release some critical patches "as soon as possible." This would occur "if we determine that customers are at immediate risk from viruses, worms, attacks or other malicious activities." I interpret this to mean that a patch will be released pronto if an exploit is running amok. But if that's not obviously the case, the release will wait until the second Tuesday (see

Despite the company's expressed intention to send desperately needed new patches out the door immediately, some experts are already skeptical of the delays that will inevitably result from a monthly release schedule.

"Whilst the move to monthly security alerts goes some way to simplifying patch management approaches, it is at the expense of network security," said Alan McGibbon, director of security company NetSecure, in a statement. "Businesses need relevant real-time information to be completely secure."

In my opinion, it's too soon to tell whether the second-Tuesday policy will make enterprises more secure or less so. That's up to Microsoft's customers.

It's obvious that IT professionals have been worn out by the onslaught of Microsoft security bulletins. The company released 72 security updates last year—almost one every five days. Burnout is why some 200,000 SQL Server systems were unpatched and wide open when the Slammer worm struck in January, even though Microsoft had issued a patch for the flaw six months earlier. Even Microsoft's servers hadn't all been upgraded, allowing Slammer to take down many of the company's hosts.

The crucial question is whether enterprise executives will devote a certain number of person-days per month to test and distribute whatever critical patches may come out. You should if Windows is your platform.

If many of you join the Patch-a-Month Club and devote the staff time this approach demands, patches might actually get into place much sooner than they did under Microsoft's rapid-release system. If not, the monthly cycle may simply represent another opportunity for users and administrators to join the Procrastinators Club.

Brian Livingston is editor of and co-author of "Windows Me Secrets" and nine other books. His column appears every other week in eWEEK. To send tips, visit Send your comments to

Print email

Ziff Davis PartnersitesZiff Davis Channel Zone

System Shopping Partners: Dell Business Systems | Dell Home Systems

  • 11/19 - Setting Your Portal Priorities with Frank Derfler. Sponsored by Vignette.
  • 11/20 - Enterprise Web Applications that Deliver with Frank Derfler. Sponsored by Vignette.
  • 12/09 - Mastering Enterprise Data Protection with Michael Krieger. Sponsored by VERITAS Software.

  • FREE Online Seminars presented by Intel Logo 

    Ziff Davis Channel Zone: The One-Stop Strategic Resource for the IT Reseller

    Introducing the Ziff Davis Channel Zone. Find the latest news, technology analysis, reviews and expert advice you need to effectively select products and market, sell and support technology solutions into businesses. Get the news on what's most impacting the channel and strategy pieces designed to identify opportunities and help grow revenue.

    Check out the Ziff Davis Channel Zone today!
    Time to get started on your holiday shopping! Find the BEST PRICES on the hottest tech products in eWEEK's Tech Shop.
  • PDAs
  • Flat Panel Displays
  • Desktops
  • Tablet PCs
  • Printers
  • More Tech Shop >>

      Tools Streamline Patch Management
      Windows Patches and the Dial-Up Problem
      Labs Answers Patch Management Questions
      Microsoft Must Steer 'Longhorn' in New Direction
      Unfriendly Updates

    Jump to Topic Center

    Mary Jo Foley
    Longhorn: Can Microsoft Deliver on Its Promises This Time?


    If Longhorn really doesn't debut until 2006, will you:

     Switch to Mac OS
     Switch to Linux desktop
     One word: Citrix

    Poll Archive >


    Procuri Acquires SupplierInsight

    SAP, Sybase Team Up on SMBs

    Sun Notches Linux Win With Chinese Gov't

    InfiniCon, Voltaire Roll Out New Switches

    AMD's Opteron to Power Sun Fire Servers

    Clash Over Flash Is Heating Up

    AMD Releases New Opterons

    View All >

    XML Want an easy way to keep up with breaking tech news? Get eWEEK headlines delivered to your desktop with RSS.