How to catch up with 4 years worth of service packs, hotfixes, patches

  • How to catch up with 4 years worth of service packs, hotfixes, patches

    I have recently started working in a small business where the systems/server administrator did not keep up to date with server patching. There are 2 servers: 1 Windows 2008 and 1 2012. I have been tasked to update the servers with patches current to January 2018. A few questions:
    - Will MBSA work on these servers?
    - There are roughly 400 patches, 68 of which are critical updates.
    - Can WSUS be used for only 2 servers or is Windows Update enough?
    - There is a rollback feature built in to Windows Update if I recall.

    Overall, what is the best way to proceed here? Do the patches have to be applied in reverse order and how to determine which are absolutely essential? From the MSDN documentation I have read, it's obvious to make a backup of these servers before proceeding. Both servers host several VMs for the company.

    Is there a document, site or external resources where I could find some specific direction on the questions above? Did a lot of searching but no specific guidance on how to proceed restoring/applying patches on servers that are several years behind.

    Thank you in advance.

    Peter Brabson

  • #2
    Can't deal with all your questions but IMHO for "two servers plus several VMs" I would consider WSUS - it also puts you in control of the order you release patches in.

    Some updates can be rolled back, but not all - be aware.

    I would look at recent cumulative updates as these may well replace many of the older ones.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      To add to Ossian's comments: in the WSUS console, looking at all the updates, there is a column which refers to the precedence of a given update; usually this column is to the left of the update name. If there's nothing there, that update hasn't been superseded. If you see a picture of thin lines with blue boxes at the end of those lines, those tell you the precedence of related updates. A blue box at the bottom of the 'tree' means the update has been superseded, and it's the oldest in that precedence tree. If you see the blue box in the middle, then that update supersedes another, but is itself superseded by something else higher up. A blue box at the top means that update is king of the hill for its chain. So what you're worried about is those updates with no precedence icon at all, and the ones at the top of their tree. Anything else can be ignored, you can 'Decline' those.

      As for sequence of installing, there's another column to look at, the Release Date. If you sort by that column, you can approve updates from oldest to newest in whatever quantity you want. However, MS arranges the updates to sort themselves out as to what sequence to install things, so you could simply approve all of the updates and let WSUS installer do its thing. Bear in mind that, with the number of updates pending, you're almost certainly going to have to run an update cycle multiple times per server, because the automatic WSUS sequencing will require restarts as you go along. This will take some time.
      *RicklesP*
      MSCA (2003/XP), Security+, CCNA

      ** Remember: credit where credit is due, and reputation points as appropriate **
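
The triage described in #3 (decline superseded updates, approve the remaining ones oldest first) can also be scripted with the UpdateServices PowerShell module on the WSUS server. This is an added example, not part of any post in the thread; the group name `Servers` is hypothetical, `CreationDate` is assumed to correspond to the console's Release Date column, and `-WhatIf` keeps both actions as a dry run.

```powershell
# Added example: run in an elevated session on the WSUS server itself.
Import-Module UpdateServices

$TargetGroup = 'Servers'   # hypothetical WSUS computer group; substitute your own

# Every update that has been neither approved nor declined so far.
$unapproved = Get-WsusUpdate -Classification All -Approval Unapproved -Status Any

# Updates replaced by something newer (bottom or middle of a precedence tree).
$superseded = $unapproved | Where-Object { $_.Update.IsSuperseded }

# Updates with no successor (no icon, or top of the tree) that a client still needs.
$current = $unapproved | Where-Object {
    -not $_.Update.IsSuperseded -and $_.ComputersNeedingThisUpdate -gt 0
}

'{0} superseded, {1} current and needed' -f @($superseded).Count, @($current).Count

# Review list, oldest first. CreationDate is assumed to match "Release Date".
$current |
    Sort-Object { $_.Update.CreationDate } |
    Select-Object @{ n = 'Released'; e = { $_.Update.CreationDate.ToString('yyyy-MM-dd') } },
                  Classification,
                  Removable,
                  @{ n = 'Title'; e = { $_.Update.Title } } |
    Format-Table -AutoSize

# Dry run: remove -WhatIf only after reviewing the output above.
$superseded | Deny-WsusUpdate -WhatIf
$current    | Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroup -WhatIf
```

The `Removable` column shows which of the listed updates WSUS reports as uninstallable, which matters for rollback planning before the first approval cycle.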


      • #4
        "Overall, what is the best way to proceed here? Do the patches have to be applied in reverse order and how to determine which are absolutely essential?"

        Windows will take care of installing updates in the proper order. You simply need to check for updates, select all available updates, and select to install them. All updates that aren't optional should be installed at the very minimum. This really isn't complicated. The number of updates doesn't change anything. Proceed with installing updates just as you would if there were only 2 updates needed, or 3, or 4, etc. You're probably going to find that you need to run the update process a number of times to get the servers current with updates.
