Windows Patching: Cheaper than Open Source?

By Steven Vaughan-Nichols  |  Posted 2005-05-20

I'm really getting tired of bought-and-paid-for "independent" studies showing how much more wonderful Windows is than Linux.

Who do they think they're kidding? Does anyone actually believe what it says in the latest Microsoft-sponsored study, "The Total Cost of Security Patch Management," that patching Windows and its applications is cheaper than patching Linux and open-source programs?

Let's take a look under the executive summary of this report, shall we?

First, Wipro, which conducted the study, is a global solutions integrator with a strategic relationship with Microsoft. Indeed, part of what Wipro does is build "financial models and ROI (Return on Investment) calculators for Microsoft product deployments."

It's bad enough when Microsoft pays analyst companies like Forrester to produce reports that praise Microsoft, but these Wipro guys aren't even analysts. They're salesmen for Microsoft.

Nevertheless, these analysts conclude from their survey of 90 companies that even though Windows systems require more patching, it's easier and cheaper to patch Windows than it is to patch open-source software.


I have twenty-four systems in-house and they're equally divided between Windows and Linux systems. I use automated tools to update both of them. I see very, very little difference between them in upgrading either one.

On the Windows side, I use Microsoft's System Management Server and SUS (Software Update Services) and Shavlik NetChk Patch. For the Linux boxes, I use SuSE YAST, a late beta of ZENworks for Linux 7, Red Hat Network and Ximian Red Carpet Server.

The only reason I use so many programs is that I'm in the business of testing technology to a fare-thee-well. If I were just running a business, I'd use the Shavlik program and ZENworks.

If I wanted to, I could also use such basic Linux programs as Apt-get and Cron to make scripts to automatically update my systems. Net cost: $0.

But, here's the truth of the matter: Simply patching either operating system is trivial if you know what you're doing. Period.

Concluding from the data in this report that it somehow takes up significantly more time, money or resources to update Linux systems is science fiction. If I want sci-fi, I'll go see "Revenge of the Sith" this weekend.

What the Analysts Aren't Telling You

If you look closer, you'll see the hoops the analysts had to jump through to make their claims. For example, they write, "For each vulnerability that is addressed, Windows-based systems experienced slightly higher prepare and direct costs." And, "Windows systems also experienced more than twice the average number of OSS (Open-Source System) vulnerabilities."

Somehow, based on this, they argue that on a per-system basis, Microsoft wins out.

In one table, they outright show that the total average management tools cost in their survey was $514,060 for Windows and only $287,100 for open source. Nevertheless, they argue that on a per-system basis, the open-source boxes are more expensive.


They argue that it's because if you divide the costs by the number of systems, it costs far more for the relatively few open-source computers. Ah, guys, I don't know about your management tools, but I can manage 1,000 open-source boxes with the same tool set as easily—and as cheaply—as I can 100 or 10.

For that matter, except for actually deploying the patches—the easiest part—you can use the same programs on both platforms!

What were the companies' top three server automation programs on both Linux and Windows? HP OpenView, IBM Tivoli and CA Unicenter. And what were two of the top three software distribution and management programs? HP's OpenView and Novell ZENworks.

I can only shake my head and walk away.

As it happens, there are significant differences between Windows and Linux. They're just not in Microsoft's favor.

The first, and it's a biggie, is that I must constantly patch my Windows systems for significant security problems.

I mean, come on, every month now we have a Microsoft patch day and every week we have a report of yet another serious Microsoft hole.

Heck, even Microsoft's fixes have problems. Remember the trouble with XP SP2 and Server 2003 SP1?

I don't have to update Linux anywhere near as often and the upgrades go much more smoothly.

And, despite what the report says, Linux's problems tend to get fixed faster than Microsoft's bugs. Come to think about it, has Microsoft ever fixed its Windows Media Player 9 problem?

Finally, when I update my Linux machines, I don't have to reboot them. With Windows, I often need to reboot after patching.

Now, that may not sound like much, but downtime is downtime, and it can add up to a lot of money in a hurry. And, as is so often the case, when a server doesn't come up quite right—or doesn't come up at all—what might have been three minutes of downtime becomes hours, and that's no good in anyone's book.
