This tip originally appeared on SearchWindowsSecurity.com, a sister site of SearchSMB.com.
For many administrators, getting third-party help to manage patches and updates is no longer an option; it's a requirement. In a big organization (a thousand seats or more), managing patches for every single machine, whether a desktop or a server, is not something you can do by hand -- not even at the departmental level.
Microsoft has its own product for deploying updates -- Windows Software Update Services -- which is available for free and uses the pre-existing Automatic Updates component on target computers as a remote agent to deploy updates. It also supports a fairly broad variety of Microsoft products, such as Office, Exchange Server and SQL Server. It is, however, far from the only solution available.
Of the many third-party programs in this space, I've written at length before about Gravity Storm Software's Service Pack Manager, now in revision 7.1. This program caught my attention as being one of the very first third-party applications to do patch management in any form. When installed, you can scan your local network, enumerate each machine on it, and compare the computer's manifest against Microsoft's own recommended list of patches and updates for each detected OS. The program uses an agentless architecture, so there's nothing to install on the target machines; it's a very lightweight and direct way to patch a Windows-only environment quickly and effectively -- provided that's all you need.
However, the program's biggest strength is also one of its weaknesses: it's almost exclusively Microsoft-centric. It focuses on finding updates to Windows and many Windows Server systems, such as SQL Server or ISA Server, but it will not track patches for non-Microsoft products. For that, you would need something like Ecora Patch Manager 4.0, a slightly more sophisticated patch management application which encompasses not only Microsoft patches but third-party products as well.
Ecora has a slightly more flexible design than SPM: it can operate in both agent and agentless modes -- in other words, if you're better served by actually having a patch-management agent present on the machines to be patched, you can do that. It also supports a broader range of platforms (including non-Windows machines) than SPM, lets you roll back patches as long as there's support for rollback with the patches in question, and is slightly cheaper: $25 per node, as opposed to a starting price of $33 per node for SPM. If you want to try them out yourself, there's good news in both cases: each program has a free 30-day trial.
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
