Patching Problems
Posted Monday, May 26, 2014 8:34 PM


Comments posted to this topic are about the item Patching Problems






Follow me on Twitter: @way0utwest

Post #1574634
Posted Tuesday, May 27, 2014 12:31 AM
Hello, I wanted to write how we do patching of Microsoft CU in Client Servers.

My company sells small and big servers as part of industrial systems. Most of those are running isolated from the internet, with a VPN just established for maintenance purposes in a small time window. In some of them we are obliged per contract to keep the system up to date.

We found a packager program for Microsoft Updates (not SQL updates, which we apply manually by Service Packs only). This packager is published on wsusoffline.net and needs a master machine to collect and prepare a package. This package can be transferred (we use 7zip for packing the provided subdirectories, and transfer them by FTP or USB to the client servers). There you run it.

Benefits: If I prepare such a package, and I test it on some reference machines, the risk of a bad patch in the rollout to the one hundred other servers is lowered. If I used online Microsoft Update, I would have to check manually that no patches other than the tested ones are installed on this machine. In my case this is granted by using the identical package. 7Zip seems to be safe enough to grant this.

Another benefit: The installer of these packages comes with the option to automatically reboot and proceed any time this is required by the update progress. There is no delay like a message waiting for confirmation at the console (which is not seen by anybody, because the servers mostly have remote access only). Whenever the Windows Update requires a reboot, the package installer will instantly follow it. This reduces the time I have to monitor the server personally. I just log in near the end of the agreed downtime, check, disconnect, and proceed hopefully to the next server.

On our reference machines at the office I can easily check the completeness of the offline procedure by running online updates right afterwards and noting down the discrepancies. Each of these must have a reason. After that I am done for this month and all my important servers are patched. All unimportant servers will be patched on demand only, like twice per year. The risk for such rare patches is acceptable to most clients because of the isolation from the internet.

I hope this is a helpful procedure for other organizations also.
TAS
Post #1574663
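An added example, not part of the original post: one way to confirm on each isolated server that the unpacked package is byte-for-byte the one tested on the reference machines, using a SHA-256 manifest. The folder paths and the manifest file name are assumptions.

```powershell
# Added example. Paths and the manifest file name are hypothetical.
# Keep the manifest outside the package folder so it is not hashed itself.

function Get-PackageHashes {
    param([Parameter(Mandatory)] [string] $PackageRoot)
    $root = (Resolve-Path -LiteralPath $PackageRoot).ProviderPath.TrimEnd('\')
    foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File) {
        [pscustomobject]@{
            RelativePath = $file.FullName.Substring($root.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }
}

# Master machine: record the package exactly as tested on the reference machines.
function New-PackageManifest {
    param([Parameter(Mandatory)] [string] $PackageRoot,
          [Parameter(Mandatory)] [string] $ManifestPath)
    Get-PackageHashes -PackageRoot $PackageRoot | Sort-Object RelativePath |
        Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

# Client server: list every difference between the unpacked package and the manifest.
function Test-PackageManifest {
    param([Parameter(Mandatory)] [string] $PackageRoot,
          [Parameter(Mandatory)] [string] $ManifestPath)
    $expected = @{}   # PowerShell hashtable keys are case-insensitive, like NTFS paths
    foreach ($row in Import-Csv -LiteralPath $ManifestPath) {
        $expected[$row.RelativePath] = $row.SHA256
    }
    foreach ($item in Get-PackageHashes -PackageRoot $PackageRoot) {
        if (-not $expected.ContainsKey($item.RelativePath)) {
            "UNEXPECTED $($item.RelativePath)"
        } elseif ($expected[$item.RelativePath] -ne $item.SHA256) {
            "MODIFIED   $($item.RelativePath)"
        }
        $expected.Remove($item.RelativePath)   # whatever remains was never seen on disk
    }
    foreach ($missing in $expected.Keys) { "MISSING    $missing" }
}

# Usage (hypothetical paths):
#   New-PackageManifest -PackageRoot 'D:\package' -ManifestPath 'D:\package.manifest.csv'
#   $diff = Test-PackageManifest -PackageRoot 'E:\package' -ManifestPath 'E:\package.manifest.csv'
#   if ($diff) { $diff; throw 'Package differs from the tested one; do not install.' }
```

A manifest that travels on the same USB stick or FTP transfer as the package catches corruption and mix-ups; to also catch tampering in transit, deliver the manifest through a separate channel.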
Posted Tuesday, May 27, 2014 1:41 AM


I think that SQL Server patches are just an example of a bigger issue that Microsoft appears to be attempting to resolve in a single way for all types of Windows OS installations. I am sure that they do this but they really need to look into the whole bunch of scenarios and provide relatively simple solutions for all of them. Sure, default to update as the fixes come, however, there needs to be a better management of patches and updates between the "as they come" and the "manually applied" strategies.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1574677
Posted Tuesday, May 27, 2014 7:34 AM
If it's any consolation, patching in other OSes (Linux, xBSD) is both better and worse at the same time. Package management, testing and dependencies can still be a bloody mess at times. There's also a huge spectrum in the quality of software depending on the type of applications.
Post #1574782
Posted Tuesday, May 27, 2014 8:17 AM
IMO Windows 8 is nothing more than Vista II. It is by far the worst OS I have seen them release. I know some people like it, but invariably those are people who for whatever reason are using a tablet.

Windows 8 sucks on a PC or laptop.

Case in point - I built a new PC from scratch. I followed Microsoft recommendations on using sysprep to move the users folder off the SSD that I spent significant money on. SSDs have a limited number of writes, and given how IE handles caching, and given that your OS drive is NOT typically large enough to store your data, it made sense.

That is, until MS released 8.1, which does NOT support upgrading any system that has been sysprepped!

MS's response is that the Microsoft sysprep tool is not supported, even though it is a Microsoft product, pretty much all businesses use it, and there is no logical reason to not support it.

Thus began my current project of removing Windows from my life. Ubuntu, Mint, Fedora, RHEL, CentOS, all of these are far easier to install and manage. My then 6-year-old can install software on Linux without worrying about infecting my network. Why would I want to overpay for an OS that is so bad the manufacturer doesn't support it under normal operating conditions?


Dave
Post #1574803
Posted Tuesday, May 27, 2014 8:33 AM


djackson 22568 (5/27/2014)
IMO Windows 8 is nothing more than Vista II. It is by far the worst OS I have seen them release. I know some people like it, but invariably those are people who for whatever reason are using a tablet.

Windows 8 sucks on a PC or laptop.

Case in point - I built a new PC from scratch. I followed Microsoft recommendations on using sysprep to move the users folder off the SSD that I spent significant money on. SSDs have a limited number of writes, and given how IE handles caching, and given that your OS drive is NOT typically large enough to store your data, it made sense.

That is, until MS released 8.1, which does NOT support upgrading any system that has been sysprepped!

MS's response is that the Microsoft sysprep tool is not supported, even though it is a Microsoft product, pretty much all businesses use it, and there is no logical reason to not support it.

Thus began my current project of removing Windows from my life. Ubuntu, Mint, Fedora, RHEL, CentOS, all of these are far easier to install and manage. My then 6-year-old can install software on Linux without worrying about infecting my network. Why would I want to overpay for an OS that is so bad the manufacturer doesn't support it under normal operating conditions?


I agree that your sysprep issue is unacceptable. This will become an issue time and time again.

I just wanted to say that from an OS as a client point of view I like it. I am using it on a laptop (without touchscreen) for development and have found it to be the best Windows OS so far.

I may eventually move off Windows but not until the majority of my clients do.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1574811
Posted Tuesday, May 27, 2014 9:28 AM
Gary Varga (5/27/2014)
djackson 22568 (5/27/2014)
IMO Windows 8 is nothing more than Vista II. It is by far the worst OS I have seen them release. I know some people like it, but invariably those are people who for whatever reason are using a tablet.

Windows 8 sucks on a PC or laptop.

Case in point - I built a new PC from scratch. I followed Microsoft recommendations on using sysprep to move the users folder off the SSD that I spent significant money on. SSDs have a limited number of writes, and given how IE handles caching, and given that your OS drive is NOT typically large enough to store your data, it made sense.

That is, until MS released 8.1, which does NOT support upgrading any system that has been sysprepped!

MS's response is that the Microsoft sysprep tool is not supported, even though it is a Microsoft product, pretty much all businesses use it, and there is no logical reason to not support it.

Thus began my current project of removing Windows from my life. Ubuntu, Mint, Fedora, RHEL, CentOS, all of these are far easier to install and manage. My then 6-year-old can install software on Linux without worrying about infecting my network. Why would I want to overpay for an OS that is so bad the manufacturer doesn't support it under normal operating conditions?


I agree that your sysprep issue is unacceptable. This will become an issue time and time again.

I just wanted to say that from an OS as a client point of view I like it. I am using it on a laptop (without touchscreen) for development and have found it to be the best Windows OS so far.

I may eventually move off Windows but not until the majority of my clients do.


I respect that you like it. I don't understand why, as the whole issue of removing the start button is just plain stupid if you don't have a touch screen. That said, each of us works differently, and if it works for you, that is a good thing. If I had a touch screen device with Windows, not that I can imagine ever wanting one given how much I love my iPads, I can see how the design might be better.

I still use it at home but only for apps that I can't replace yet in Linux.

One other thing I forgot to whine about, when I first built the machine it booted up in 5 seconds. Linux still boots that fast, but Windows now takes over 30 seconds. That has been an issue with Windows forever, every patch slows down the system even on an SSD.

Sigh.


Dave
Post #1574838
Posted Tuesday, May 27, 2014 9:53 AM
I use Win 8 and Win 7 at home and Win 8 at work. I don't have touch screens except on the Surface Pro I use. Win 8 is ok and I am as productive as on Win 7. The Sysprep issue is unfortunate, too bad M$ doesn't get it.
Post #1574858
Posted Tuesday, May 27, 2014 10:17 AM
We have SCCM control patch/update management. They are all (or should be) applied in the test and cert domains before release to production. Doing otherwise is a recipe for disaster.
Post #1574863
Posted Tuesday, May 27, 2014 4:37 PM
Ultimately the balancing act and plate spinning magic that has to occur deep inside the labs in OS development companies should humble us so we may see more of this elusive science and better learn from the masters (in their realm) of our race.

It's up to us.

Most admins need very specific testing platforms that mimic target systems as near as possible in order to propagate ANY change to their production secured environments. To expect perfect updates assumes the update provider will test our specific configuration. The exposure or sharing of this most intimate internal systems architecture is more and more becoming a serious risk regarding many aspects requiring tight information security.

So therein the push for better internal testing and change management processes. It's we that need to improve our own acquisition, assimilation and integration methodologies to mitigate the inherent issues in the updating and patching of core systems.
Post #1575012