I think this is correct - SP2 needs to be installed before the post-SP2 patches are detected. Automatic Updates queries the system for what is already installed, not what is in the queue.

WSUS clients push data to the WSUS server (the WSUS server doesn't query WSUS clients) and talk to it depending on what is already installed. If the OS says SP1 is installed it will talk to WSUS and say "give me what's needed for SP1"; I don't think it sees SP2 in line to get installed and says "I see SP2 on the way, what do I need after that?"

The way to get around multiple patching reboots is to have an image that is fully patched or close to patched already. I *think* being on the latest Service Pack should avoid most of the multiple rebooting.

For your scenario I'd install SP2, and once they reboot run WUAUCLT /DETECTNOW and check back with them in 10 minutes. If you have say 15 machines like this I would create one batch file and PSEXEC the WUAUCLT command to 20 systems - that would be faster than RDP-ing to 20 machines just to run one command. Depending on the # of systems I might even create a temporary WSUS GPO that says "auto reboot" so you don't have to manually kick the servers just to get them caught up. There's some additional work to get it perfect but likely still faster than RDP-ing to each box. Alternately just use a tool that lets you RDP to a bunch of systems at once :)

Dave

From: Jon Harris [mailto:[email protected]]
Sent: Tuesday, August 18, 2009 1:41 PM
To: NT System Admin Issues
Subject: Re: Patching question

I believe the update (in this case SP2) actually has to be in before any of the dependent updates will be detected.

Jon

On Tue, Aug 18, 2009 at 4:30 PM, Richard Stovall <[email protected]> wrote:

A quick update for those that might be interested. I went ahead and approved SP2 (knowing that I won't actually install it from WSUS) just to see what would happen. As originally thought, dependent updates are not detected yet. Oh well...
From: Jon Harris [mailto:[email protected]]
Sent: Tuesday, August 18, 2009 12:05 PM
To: NT System Admin Issues
Subject: Re: Patching question

Agreed, and that is why I stated it as "My bet is on that would be no." I have not seen WSUS detect patches that had dependencies if a prerequisite was missing. It would be nice, but like I said, not from what I have seen. There are other products that will pick up these types of things but they cost money.

Jon

On Tue, Aug 18, 2009 at 11:54 AM, David Lum <[email protected]> wrote:

It's not a waste of space if typing something here helps you answer your own question - others might be having the same issue and they can use your correspondence to help them out - a "silent win" where you helped someone and didn't even know it. I gain so much from this list even w/out asking a question it isn't funny.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: Richard Stovall [mailto:[email protected]]
Sent: Tuesday, August 18, 2009 8:34 AM
To: NT System Admin Issues
Subject: RE: Patching question

That's what I thought. From what DL wrote I thought that perhaps WSUS has some sort of conditional detection logic that I'm not aware of. But you know, then again maybe it does, now that I think about it. I generally prefer to do big updates like OS service packs manually for critical servers, so I had not approved SP2 for distribution via WSUS. Maybe if I had then the dependent updates would have shown up also and it could actually have been done in one shot. It does work that way for other software. My bad. Sorry for the waste of space...

From: Jon Harris [mailto:[email protected]]
Sent: Tuesday, August 18, 2009 11:26 AM
To: NT System Admin Issues
Subject: Re: Patching question

My bet is on that would be no.
In cases like what you described, SP2 was a prerequisite for the 43 additional patches, and one or more of them were prerequisites for the additional ones.

Jon

On Tue, Aug 18, 2009 at 11:21 AM, Richard Stovall <[email protected]> wrote:

Can you push the SP and the post-SP updates at the same time with WSUS? At first I only see the SP as 'needed' in WSUS. It isn't until after it's installed and 'wuauclt /detectnow' is run that I see the 43 additional ones that are necessary for Server 2003. (Then there are 3 or 4 more that are required after the 43 are installed...) All in all it was 3 reboots for a couple of 2003 SP1 servers that I updated to current last weekend. If there is a way in WSUS to just blast out everything at once that might be useful in some instances.

Thanks,
RS

-----Original Message-----
From: David Lum [mailto:[email protected]]
Sent: Tuesday, August 18, 2009 11:11 AM
To: NT System Admin Issues
Subject: RE: Patching question

Sorry this doesn't answer your question, but WSUS is your friend: you can push SPs as well as the updates required afterward (I pushed SP3 for XP to 350 systems, for example, and my total involved time was oh....one minute, including opening the MMC). Patching with WSUS takes about 1/10th the time patching with SMS does. We use WSUS for MS patching and SMS for 3rd party updates. Like SMS, WSUS can use BITS throttling. WSUS is free and can run on desktop hardware. I found SMS to be the really really hard way to patch MS systems, although I realize there may be reasons you aren't using WSUS.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

-----Original Message-----
From: Ziots, Edward [mailto:[email protected]]
Sent: Tuesday, August 18, 2009 7:29 AM
To: NT System Admin Issues
Subject: RE: Patching question

I don't use SMS here Chris, but I have the same issue and I set up a batch script that updates to SP2, and then runs the post-SP2 hotfixes accordingly, along with the TCP Chimney disabling and DST fixes again, and then reboots the machine (I do use Qchain.exe at the end to make sure everything applies as I want it), then re-scan with Shavlik and the server is patched up to the required levels. I have done about 100 servers this way without an issue. You could probably push a quick scheduled task to run the batch file on a central server against your target servers, and then have it reboot afterwards. The service pack + patches should take about 1 hr depending on the speed of the system and available resources. This has been the average for me, and my maintenance windows are probably a lot like yours.

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, ME, CCA, Security+, Network+
[email protected]
Phone: 401-639-3505

-----Original Message-----
From: Christopher Bodnar [mailto:[email protected]]
Sent: Tuesday, August 18, 2009 10:18 AM
To: NT System Admin Issues
Subject: Patching question

This is not really an SMS question, more of a generic patching question. We have SMS 2003, and use it to patch systems. I recently found out we have a large number of systems still at W2K3 SP1. Easy enough to push out SP2 to them. The problem then is how to automate the application of any post-SP2 patches. I can think of a few ways, but none of them great. For example, I can create one monster post-SP2 package in SMS and have the SP2 package be a prerequisite.
The problems with that are the size of the package itself and how to get a list of post-SP2 updates to include in the post-SP2 package. I've also thought of doing this as a manual process and having us run Windows Update after the SP2 package is applied. The problem with this is our change window is small, and the amount of staff to cover doing this. I'm sure some of you must have run into this issue before. Any ideas?

Thanks,
Chris

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
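The "one batch file plus PSEXEC" fan-out Dave describes at the top of the thread, written out as an added example (this is not a script any poster shared). It reads hostnames from a servers.txt file, runs wuauclt /detectnow on each box through PsExec so the WSUS client re-scans after SP2 is in, and logs which hosts were reached. psexec.exe being on the PATH, the servers.txt and detectnow.log file names, and local-admin rights on every target are assumptions of the example, not details from the thread.

```batch
@echo off
rem detectnow.cmd - added example, not a script from the thread.
rem Runs "wuauclt /detectnow" on every server listed in servers.txt (one
rem hostname per line, lines starting with # ignored) using PsExec, so the
rem WSUS client re-scans after SP2 is installed and the post-SP2 updates
rem show up as needed in the WSUS console.
rem Assumptions (not from the thread): psexec.exe (Sysinternals) is on the
rem PATH, the account running this script is a local administrator on each
rem target, and servers.txt sits next to this script.
setlocal enabledelayedexpansion

set LIST=%~dp0servers.txt
set LOG=%~dp0detectnow.log

if not exist "%LIST%" (
    echo Server list "%LIST%" not found.
    exit /b 1
)

echo ==== %DATE% %TIME% detectnow run ==== >> "%LOG%"

for /f "usebackq eol=# tokens=* delims=" %%S in ("%LIST%") do (
    echo Triggering detection on %%S
    rem -s runs wuauclt as LocalSystem, the account the Automatic Updates
    rem service itself runs under. PsExec returns the remote exit code.
    psexec \\%%S -s wuauclt /detectnow >nul 2>&1
    if !errorlevel! equ 0 (
        echo %%S detectnow OK >> "%LOG%"
    ) else (
        echo %%S FAILED, psexec exit code !errorlevel! >> "%LOG%"
    )
)

echo Done. Results in "%LOG%". Check the WSUS console in about 10 minutes.
endlocal
```

Run it from an admin workstation after the SP2 reboots have finished; hosts that log FAILED are usually still rebooting or unreachable, and can simply be re-run from a trimmed list. The detection itself is asynchronous, which is why Dave's "check back in 10 minutes" still applies even when every line logs OK.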
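Ed's batch routine (SP2, then the post-SP2 hotfixes, the TCP Chimney change, Qchain.exe, one reboot) reconstructed as an added example; it is not Ed's actual script. It is written to run on the target server itself, for instance from the scheduled task Ed suggests. The patch folder layout, the SP2 installer file name (a placeholder), the log path, and update.exe-style /quiet /norestart switches for the staged hotfixes are assumptions; the DST fixes Ed mentions are left out because the thread names no specific package for them.

```batch
@echo off
rem postsp2.cmd - added example, not Ed's actual script.
rem Runs on the target server: installs Server 2003 SP2 if it is not already
rem present, applies every post-SP2 hotfix staged in a folder, disables TCP
rem Chimney offload as Ed mentions, runs Qchain.exe, and reboots once.
rem Assumptions (placeholders, not names from the thread): the SP2 installer
rem is C:\Patches\SP2\SP2-INSTALLER-PLACEHOLDER.exe, the hotfixes are
rem update.exe-style packages under C:\Patches\PostSP2, and qchain.exe is in
rem C:\Patches.
setlocal enabledelayedexpansion
set PATCHROOT=C:\Patches
set LOG=%SystemRoot%\Temp\postsp2.log

echo ==== %DATE% %TIME% %COMPUTERNAME% ==== >> "%LOG%"

rem Step 1: service pack. CSDVersion in the registry records the installed
rem service pack, so the installer is skipped when SP2 is already on the box
rem (re-running it would only add another reboot to the window).
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion | findstr /c:"Service Pack 2" >nul
if errorlevel 1 (
    echo Installing SP2 >> "%LOG%"
    "%PATCHROOT%\SP2\SP2-INSTALLER-PLACEHOLDER.exe" /quiet /norestart
    echo SP2 installer exit code !errorlevel! >> "%LOG%"
) else (
    echo SP2 already installed, skipping >> "%LOG%"
)

rem Step 2: post-SP2 hotfixes. Each one suppresses its own reboot so the
rem machine restarts only once, at the end.
for %%H in ("%PATCHROOT%\PostSP2\*.exe") do (
    echo Applying %%~nxH >> "%LOG%"
    "%%~H" /quiet /norestart
    echo %%~nxH exit code !errorlevel! >> "%LOG%"
)

rem Step 3: the TCP Chimney offload change Ed mentions.
netsh int ip set chimney disabled >> "%LOG%" 2>&1

rem Step 4: Qchain.exe, as in Ed's routine, so chained hotfixes leave the
rem newest file versions in place.
"%PATCHROOT%\qchain.exe" >> "%LOG%" 2>&1

rem Step 5: the single reboot, with a 60-second warning.
shutdown -r -t 60 -c "Post-SP2 patching complete, rebooting"
endlocal
```

The per-package exit codes in the log are what you check before the post-reboot Shavlik (or WSUS) re-scan: a non-zero code from one hotfix is easier to chase down here than from a "still needed" line in the scanner afterwards.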
