A research study comparing patch management in Microsoft Windows client and server operating systems with open-source software systems alleges that the costs of patching vulnerabilities is roughly the same for each.
The document states that the results go against a common perception in the IT community that total costs of ownership for open source, which include patching, are lower than for Windows.
The study was sponsored by Microsoft and audited by the research firm Meta Group Inc., and was conducted by consulting firm Wipro Technologies Ltd.
Released last week, the survey examined 90 companies on the subject of procedures and costs for security patch management on both Windows and Linux systems.
Based on the results, Wipro concluded that the costs of patching vulnerabilities on Windows systems are roughly comparable to costs on similar open-source software systems, and that on a per-patching-event basis, Windows-based systems require less effort to patch.
Wipro also noted that the number of open-source software vulnerabilities is underestimated.
For example, on average, patching a Windows client system costs 14 percent less than patching a comparable open-source client machine, the study said. The total for patching a Windows database server is 33 percent less than for its Linux counterpart.
The Meta findings fall in line with research conducted independently earlier this year at Yankee Group Research Inc. by analyst Laura DiDio. She found that overall TCO (total cost of ownership) gaps were nearly non-existent between Windows and Linux. DiDio noted that it would not be surprising to find similar results for patch management.
“Microsoft has made a number of improvements over the past year in the way it does patch management,” DiDio said. “So it makes sense that the total costs to organizations might change.”
Roger Kay, an analyst for IDC, agreed that Microsofts patch strategies have become more efficient. “Also,” he said, “my sense is that the open-source patch world is much less organized, so that might be a factor.”
This survey constitutes the latest salvo in Microsofts “Get the Facts” marketing offensive against Linux and open-source software. The surveys take aim at very specific comparisons between the platforms.
For example, another recent study in the campaign stated that Windows Server 2003 is more reliable and robust, and allows IT administrators to execute various tasks more quickly than those using Red Hat Inc.s Red Advanced Server 3.0.
Still, many of these surveys “facts” have been challenged by the Linux and open-source community. Also, critics point out that Microsofts sponsorship of the research opens the door for inherent conflicts of interest.
“Theres a reason we dont do sponsored research,” Forrester Research Inc. analyst Ted Schadler said. “We feel it compromises our integrity.” He added that even if the results are fair and balanced, the sponsoring company may choose to only release part of the results, which can skew the findings.
Microsoft seems willing to risk it, Kay said, considering that the company sponsors a formidable amount of research. “The fact that Microsoft spends a lot of money showing in reports that its good when compared to other products isnt surprising,” he said.