It's been a while since I was in the day-to-day business of security patches. However, I still keep up with vulnerabilities and fixes as I expect every Microsoft SQL Server DBA should. Here are some resources I recommend to do the job right:
- Secunia Advisories - You'll need to create a profile so you can receive advisories by email, but it's worth it. Be advised, if you don't filter things down you will get a LOT of email as there are quite a few vulnerabilities reported every day.
- The PatchManagement.org mailing list - This is a dedicated list to patch management. If there's a problem with a security release, chances are you'll see it described on the list. You can also subscribe to the WSUS mailing list at the same link if that's what your organization uses.
- The Microsoft Security Response Center blog - The MSRC blog posts discussions of vulnerabilities as well as the links and times of discussions for the Black Tuesday patch releases. If you deal with Microsoft patches, you simply must keep up with the MSRC blog.
- Microsoft Technical Security Notifications - Like Secunia's advisories, these notify you of security issues, but with respect to Microsoft products. You'll get the advance notification of what patches are planned to be released on Black Tuesday as well as descriptions of the patches actually released on Black Tuesday. Another must if you're dealing with Microsoft patches.
- The Full Disclosure mailing list - If there's a zero-day, chances are you'll hear about it on this list first. Be forewarned: sometimes there's a lot of emails. Also, sometimes the signal to noise ratio is really bad. However, I've found it worth being subscribed to in order to know about something in the early stages.
The key with patch management is to know as much as possible as soon as possible. You don't want to roll a bad patch to a system and you want to know if a patch may have issues with a particular setup. These help you keep up with all that. Also, you might check out the TechNet forums on the specific technologies you support. Sometimes you'll find the answer you need there, although often times if there's something related to a patch, you'll see a post from the PatchManagement.org mailing list which contains the appropriate links.