Hello, I wanted to write up how we do patching of Microsoft CUs on client servers.

My company sells small and big servers as part of industrial systems. Most of those run isolated from the internet, with a VPN established only for maintenance purposes during a small time window. For some of them we are obliged per contract to keep the system up to date.

We found a packager program for Microsoft Updates (not SQL updates, which we apply manually by Service Packs only). This packager is published on wsusoffline.net and needs a master machine to collect and prepare a package. This package can then be transferred (we use 7zip to pack the provided subdirectories and transfer them by FTP or USB to the client servers). There you run it.

Benefits: If I prepare such a package and test it on some reference machines, the risk of a bad patch in the rollout to the one hundred other servers is lowered. If I used Online Microsoft Update, I would have to check manually that no patches other than the tested ones are installed on the machine. In my case this is guaranteed by using the identical package. 7Zip seems to be safe enough to guarantee this.

Another benefit: The installer of that package comes with the option to automatically reboot and continue whenever the update process requires it. There is no delay like a message waiting for confirmation at the console (which is not seen by anybody, because the servers mostly have remote access only). Whenever Windows Update requires a reboot, the package installer follows it instantly. This reduces the time I have to monitor the server personally. I just log in near the end of the agreed downtime, check, disconnect, and proceed hopefully to the next server.

On our reference machines at the office I can easily check the completeness of the offline procedure by running online updates right afterwards and noting down the discrepancies. Each of these must have a reason. After that I am done for this month and all my important servers are patched. All unimportant servers are patched on demand only, like twice per year. The risk for such rarely patched servers is acceptable to most clients because of the isolation from the internet.

I hope this procedure is helpful for other organizations too.

TAS
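The post relies on two things being true on every client server: that the archive which arrives by FTP or USB is byte-for-byte the package that was tested, and that the set of installed updates afterwards matches the reference machine, with every discrepancy explained. As an added example (not code from the post, from wsusoffline.net or from 7-Zip), the following PowerShell script brackets the unpack-and-install step with a SHA-256 check of the archive against the hash recorded on the master machine, and with a before/after inventory of installed KBs compared to a list exported from a reference server. All paths, file names and the expected hash value are assumed placeholders.

```powershell
# Added example, not part of the original post. Assumed paths and the hash value
# are placeholders; the hash is recorded on the master machine after packing.
param(
    [string]$Archive       = 'D:\Patches\wsusoffline-client.7z',   # assumed: transferred 7z archive
    [string]$ExpectedHash  = 'PLACEHOLDER_SHA256_FROM_MASTER',     # assumed: noted on the master machine
    [string]$ReferenceList = 'D:\Patches\reference-hotfixes.txt',  # assumed: KB list from a tested reference server
    [string]$StateDir      = 'D:\Patches\state'                    # assumed: where before/after lists are kept
)

function Test-PackageIntegrity {
    param([string]$Path, [string]$Expected)
    # A truncated FTP transfer or a swapped USB stick shows up here, before anything is installed.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return ($actual -ieq $Expected)
}

function Export-HotfixList {
    param([string]$OutFile)
    # One KB number per line, sorted and unique, so the lists compare cleanly across servers.
    Get-HotFix | Select-Object -ExpandProperty HotFixID | Sort-Object -Unique | Set-Content -Path $OutFile
}

function Compare-HotfixList {
    param([string]$ReferenceFile, [string]$TargetFile)
    # KBs on the reference machine but not here, and KBs here but not on the reference machine.
    # Every entry in either list is a discrepancy that needs a documented reason.
    $ref = @(Get-Content $ReferenceFile | Where-Object { $_ -ne '' })
    $tgt = @(Get-Content $TargetFile    | Where-Object { $_ -ne '' })
    $refSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$ref)
    $tgtSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$tgt)
    [pscustomobject]@{
        MissingOnTarget = @($ref | Where-Object { -not $tgtSet.Contains($_) })
        ExtraOnTarget   = @($tgt | Where-Object { -not $refSet.Contains($_) })
    }
}

New-Item -ItemType Directory -Path $StateDir -Force | Out-Null

if (-not (Test-PackageIntegrity -Path $Archive -Expected $ExpectedHash)) {
    Write-Error "SHA-256 mismatch for $Archive; refusing to unpack or install."
    exit 1
}

Export-HotfixList -OutFile (Join-Path $StateDir 'before.txt')

# Unpack the archive and run the package installer here (the post's 7zip + wsusoffline steps);
# this script only wraps them with the integrity check and the inventory.

Export-HotfixList -OutFile (Join-Path $StateDir 'after.txt')
$result = Compare-HotfixList -ReferenceFile $ReferenceList -TargetFile (Join-Path $StateDir 'after.txt')
$result | Format-List
```

Run it once on a reference machine after the online-update comparison to produce `reference-hotfixes.txt`, then ship that file with the archive. On each client server an empty `MissingOnTarget` and `ExtraOnTarget` means the offline package left the machine in the tested state; anything else is the list of discrepancies the post says must each have a reason. Hashing the archive rather than relying on 7-Zip's own CRC is what actually proves the clients received the identical, tested package.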