Microsoft's Patch-A-Month Club

Microsoft tries a new approach to fixes, but is it better?

Reader David Plaut has a ready response to my recent Known Issues columns about Microsoft security patches and the bandwidth they consume. "There's already a mechanism in place that doesn't use any bandwidth to distribute large files," Plaut writes. "Microsoft should partner with Time Warner to publish large patches on those ubiquitous America Online CDs."

Not a bad idea, David, but I'm not holding my breath. Microsoft, however, did recently make a serious change in the way it announces and releases security fixes, but it's unlikely to solve the bandwidth problem. Although Microsoft CEO Steve Ballmer publicly discussed this change at the company's Worldwide Partner Conference in New Orleans last month, the shift has not received nearly enough attention from the press, the public and enterprise IT professionals worldwide.

What's the big change? Microsoft now intends to issue its routine security patches and bulletins once a month, rather than as soon as each patch is ready for wide distribution.

We got a taste of this new regime when a single "bulletin summary," which described five new Windows security patches, was issued Oct. 15 (see Starting Nov. 11, the company says, patches will be released on the second Tuesday of every month in a single batch.

This means some patches won't come out until a few weeks after they're ready. For example, if a new patch is completed Nov. 10, it'll be issued Nov. 11. But a patch that's certified Nov. 12 will be held until the next bundle goes out Dec. 9. Finished patches, therefore, will be released an average of approximately two weeks later than they would be if patches were issued as soon as they were considered done.

In a statement on the new timetable, Microsoft says it will make exceptions and release some critical patches "as soon as possible." This would occur "if we determine that customers are at immediate risk from viruses, worms, attacks or other malicious activities." I interpret this to mean that a patch will be released pronto if an exploit is running amok. But if that's not obviously the case, the release will wait until the second Tuesday (see

Despite the company's expressed intention to send desperately needed new patches out the door immediately, some experts are already skeptical of the delays that will inevitably result from a monthly release schedule.

"Whilst the move to monthly security alerts goes some way to simplifying patch management approaches, it is at the expense of network security," said Alan McGibbon, director of security company NetSecure, in a statement. "Businesses need relevant real-time information to be completely secure."

In my opinion, it's too soon to tell whether the second-Tuesday policy will make enterprises more secure or less so. That's up to Microsoft's customers.

It's obvious that IT professionals have been worn out by the onslaught of Microsoft security bulletins. The company released 72 security updates last year—almost one every five days. Burnout is why some 200,000 SQL Server systems were unpatched and wide open when the Slammer worm struck in January, even though Microsoft had issued a patch for the flaw six months earlier. Even Microsoft's servers hadn't all been upgraded, allowing Slammer to take down many of the company's hosts.

The crucial question is whether enterprise executives will devote a certain number of person-days per month to test and distribute whatever critical patches may come out. You should if Windows is your platform.

If many of you join the Patch-a-Month Club and devote the staff time this approach demands, patches might actually get into place much sooner than they did under Microsoft's rapid-release system. If not, the monthly cycle may simply represent another opportunity for users and administrators to join the Procrastinators Club.

Brian Livingston is editor of and co-author of "Windows Me Secrets" and nine other books. His column appears every other week in eWEEK. To send tips, visit Send your comments to