Had lunch with a friend in the business yesterday that is involved with vulnerability scans for a large company and one of the things he discussed was that service packs are hard for them. On many of their servers they apply fixes of any type only if critical or fix an issue that is actually causing them pain, they prefer to avoid the remainder to reduce time and risk. The decision about whether to force users to apply a service pack is dependent on the security fixes rather than just being a standard/best practice, but that means they have to research the service pack deeply to figure out if security is involved or not.

The value in service packs regardless of platform is it quickly brings you close to being current. Slipstreaming the service pack into the install package makes installing go faster, one less step as the service pack is already applied. Aside from pure packaging, wouldn't a Windows Update mechanism work just as well? With Windows Update we can pick and choose our updates, but for the most part they just get applied. Are server updates any less risky than applying a patch to SQL? Do we expect everyone to more or less apply all the fixes that get generated for SQL? Some type of policy based application feels right. Let me set a policy based on criticality and whether it involves security, configure a delay before it's applied, and set a standard time to apply them. Would also be nice to know which patches require a reboot, those might get grouped differently.