I gotta agree with Steven's view on this, and we all should be wise enough to know you don't deploy a Service pack without a lot of testing and validation with the PC/Servers in your environment and vetting the issues to make sure the business impact is minimal. Its just good change management.
Just because some analyst says you can get all these whiz-bang features in the new service pack, that doesn't mean just go out and deploy it at will, without a lot of testing and assurances to the business you aren't going to bring them down with this deployment, and you always pick your least critical systems first. Z Edward E. Ziots CISSP, Network +, Security + Network Engineer Lifespan Organization Email:[email protected] Cell:401-639-3505 From: Steven Peck [mailto:[email protected]] Sent: Monday, February 28, 2011 12:29 PM To: NT System Admin Issues Subject: Re: Brian Krebs on security Sure, but someone says the same thing every time Microsoft releases a service pack. When Service Pack 2 comes out, we will see a similar post from 'someone' saying much the same thing. Testing over phased periods is what we do as well. Lab, followed by initial servers which get the full SP and we do that because those are 'our' groups servers and don't directly impact the businesses ability to accomplish work. As I like a paycheck, I dislike impacting the business in a negative fashion that makes me go to meetings. Steven Peck http://www.blkmtn.org On Mon, Feb 28, 2011 at 9:12 AM, Michael B. Smith <[email protected]> wrote: I think that Krebs comments were even handed and reasonable - except that I disagree with his conclusion. As always, update your OTHER software first, to ensure that it's compatible with "the latest and greatest". The Microsoft ecosystem is HUGE. It is absolutely impossible for Microsoft to test everything and every combination. Secunia's applications are great for this. If you have huge LOB applications - you may want to ensure that the vendor supports the new SP. You absolutely want to test, test, test. If you don't - well, shame on you and no one else. And I completely agree with ASB - I much prefer to use the full installer (regardless of how huge it is). Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Steven Peck [mailto:[email protected]] Sent: Monday, February 28, 2011 11:46 AM To: NT System Admin Issues Subject: Re: Brian Krebs on security There is nothing he says that some unimpressed "cool kid" says every time Microsoft releases a service pack. His objections are edge case which people should be reading in the release notes before installing in an enterprise anyway. We'll probably do what we normally do. Drop it on our own groups IT specific servers next month and then slowly roll it out to everyone else over time. As to putting it on my desktop? I did all my home systems this weekend and will be testing my work system at some point when I want to play with rebooting :) Steven Peck http://www.blkmtn.org On Mon, Feb 28, 2011 at 8:36 AM, Andrew S. Baker <[email protected]> wrote: I'd say, read what he wrote and decide whether or not you agree with it for yourself. Name trusting can only get you so far. I see what he says, and I know that many are gunshy about service packs and patches, but I've been fine with patches for Windows 2003 and later, by simply testing them out, reviewing key sites for published problems, and then deploying. Oh, and I prefer to deploy with the full executable vs the Windows Update file, at least in the beginning. There always seem to be more problems with the Windows Update delivery mechanism in the early days of major patches, and these issues tend to be about the delivery rather than the actual patch content, most of the time. ASB (Find me online via About.Me <http://about.me/Andrew.S.Baker/bio> ) Exploiting Technology for Business Advantage... On Mon, Feb 28, 2011 at 9:05 AM, David Lum <[email protected]> wrote: Susan Bradley - a name I trust - posted the below to the patch management list. I have heard of Brian and read a few of his posts, have any of you had any direct interactions with this guy? What I'm really asking is if I should weigh his opinion similar to Susan, or Michael B Smith, and a few others? David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 503.548.5229 // (Cell) 503.267.9764 -----Original Message----- From: Susan Bradley [mailto:[email protected]] Sent: Saturday, February 26, 2011 1:27 PM To: Patch Management Mailing List Subject: Re: Can't backup Win 7 computer after installing. Before You Install Windows 7 Service Pack 1 - Krebs on Security: http://krebsonsecurity.com/2011/02/before-you-install-windows-7-service- pack-1/ <http://krebsonsecurity.com/2011/02/before-you-install-windows-7-service -pack-1/> On 2/26/2011 1:12 PM, Fred Dunn wrote: > This is generally the accepted "Best Practice" for Service Packs. > Aside from that even at the Analysts own computer (unless it a "standard > load" and has remained in that pristine state) you can wait as long as you > want but at the personal computer level all are different and you could > still hit a new bug a year from now. > > FD > > -----Original Message----- > From: John Hornbuckle [mailto:[email protected]] > Sent: Friday, February 25, 2011 8:06 PM > To: Patch Management Mailing List > Subject: RE: Can't backup Win 7 computer after installing. > > I doubt that too many on this list deploys an OS service pack on a large > scale without testing first. My process, for example, is to first install on > my own personal and work machines (I have quite a mix of different machine > types), then to have my technicians install it within our department, then > to spread out from there in increasingly larger batches. > > While I would never push out a service pack to the 2,000+ machines in my > enterprise without first testing and monitoring mailing lists like this one, > I have no qualms about installing it on a small scale shortly after release. > Statistically speaking, this is a pretty safe move. Yes, we see people who > run into problems--but those problems are generally the exception rather > than the rule, and people tend to speak up more when things DON'T work than > when they DO. If suspect that if we polled the members of this list, we'd > find that the overwhelming majority of machines that SP1 has been installed > on are working perfectly. I can't concur with your assertion that Microsoft > has a poor track record with service pack releases in recent years, but > perhaps I've just been luckier than most. > > > John Hornbuckle > MIS Department > Taylor County School District > www.taylor.k12.fl.us > > > > -----Original Message----- > From: DANIEL CARROLL [mailto:[email protected]] On Behalf Of Dan Carroll > Sent: Friday, February 25, 2011 8:28 PM > To: Patch Management Mailing List > Subject: RE: Can't backup Win 7 computer after installing. > > I am just beside myself; sitting here reading about all the problems with > Win-7 SP-1. > I will never understand why so many feel they need to be "the first" to > install a Service Pack a microsecond after M$ releases it. > Have we learned "nothing" thru the years about M$, and especially Windows > Service Packs. > My God people. > Do we all jump in the pool before we check to see if there is water in it? > I will NOT be installing SP-1 for as long as I can. > I have already implemented the SP blocking reg entry. > I do appreciate those who do jump in the shallow end, as they relieve me of > the burden of discovering and repairing/undoing/patching all the problems. > Thank you. > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
