Patching our software platforms is something that most of us have come to expect. We get monthly patches released by Microsoft, and fortunately very few for the SQL Server platform. Many system administrators I know have some sort of monthly test and deployment cycle in place to ensure they can keep their systems up to date in an orderly fashion. However, not all system administrators worry about patches. There was an article this week about systems that never receive patches, and are full of forever day bugs.
Zero day bugs are those discovered and exploited before the vendor can release a patch. Forever day bugs are those holes which the vendor cannot, or will not, patch for some reason. The software containing these bugs might be end of lifed, superseded by a new version, or potentially seen as too expensive by the vendor to fix. In many cases vendors do send workarounds to customers that can help them secure their systems if they can implement the suggestions.
In some ways software is different from a physical product in that we can fix it, usually fairly easily. Unlike many physical products (cars, appliances, etc.) that require a large effort and expense to deploy and implement a fix, software can often be fixed by the customer, with a patch that is sent at almost no cost once it has been developed. Many vendors have built systems into their software in anticipation of future patching needs. My own employer, Red Gate, includes a check for updates in their software that will download and install patches when the customer chooses to do so. Unfortunately, there are some vendors that build these systems into software, and then take advantage of them by releasing buggy software early to gain sales. Their plan is then to fix issues quickly, often in response to customer complaints.
Software will always have bugs, and anyone that builds software ought to plan on applying patches to it over time. However, we do have some level of immaturity in this process. Unlike physical goods where the customer can manufacture their own replacement parts when the product is no longer supported, software is bound with a license that doesn't allow the customer to produce their own patches. I would like to see end of lifed software available to customers as part of an escrow process that allows them to build their own patches if they are needed.
