How often should you patch?

We're a software OEM, so we try to keep ahead of our customers with the near-latest Recommended patch clusters. Sun, though, releases new reports every two weeks, and some of their patches have been withdrawn due to bugs in the patches. Also, some patches introduce incompatibilities with some third-party software we use. Fortunately our own code seems pretty vanilla so far.

If we try to keep up with Sun patches we're going to drive the testing staff crazy. Does anyone have any recommendations for the minimum and maximum update intervals for Sun patches? We're already using "guinea pig" systems for all new patch sets.

By [sagentglen] at [2007-11-25 23:24:59]
# 1

That's a good question and one that comes up pretty frequently. There are a lot of different views on this one too.

I'd tell you to patch as little as possible. Realistically, you'll never be able to keep up with the latest and greatest. You should, however, try to keep up with any patches that address security concerns. Obviously, any patches that directly impact your product should be considered as well. Many people seem to like to have close to the latest kernel patch on as well. I don't necessarily agree with this one because of the downtime involved, but you'll probably hear some discussion about this. If downtime isn't a huge issue, consider keeping up with them.

What works for me (I've supported a 180+ server environment) is to attempt to keep current on all security patches and perform a major "Recommended Patch Cluster" annually. I've been lucky in that I've only had to throw on emergency patches to address critical issues a handful of times.

I hope a lot of people chime in on this one.

spamly at 2007-7-5 18:11:54
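The reply above recommends keeping current on security patches while applying the full Recommended cluster only occasionally. Doing that across many hosts means checking each host's installed patch list against a baseline you maintain. The script below is an added example, not code from the thread or from Sun: it compares `showrev -p` output against a baseline of patch IDs and reports which entries are absent or below the required revision. The `showrev -p` lines and the baseline list are constructed for the example; the host, patch IDs and revisions are illustrative, not a statement about any real advisory.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks a Solaris host's
# installed patches, as listed by `showrev -p`, against a baseline of patch
# IDs you have decided must be present (for example, security patches).
#
# Solaris patch IDs have the form BASE-REV (e.g. 118833-36). A higher REV of
# the same BASE supersedes lower ones, so a host satisfies a baseline entry
# when it has that BASE installed at REV >= the baseline REV.

# Constructed sample of `showrev -p` output. On a real host you would run
# `showrev -p > installed.txt` and feed that file in instead.
SAMPLE_SHOWREV='Patch: 118833-36 Obsoletes: 118549-01 Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 120011-14 Obsoletes:  Requires: 118833-36 Incompatibles:  Packages: SUNWcsu
Patch: 119254-40 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWinstall-patch-utils-root
Patch: 119254-50 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWinstall-patch-utils-root'

# Constructed baseline: one BASE-REV per line, the lowest revision you accept.
BASELINE='118833-36
119254-45
120011-15
121118-12'

# installed_rev BASE
#   Reads `showrev -p` output on stdin and prints the highest installed
#   revision of BASE, or nothing if BASE is not installed at all.
installed_rev() {
    awk -v base="$1" '
        BEGIN { best = 0 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && (p[2] + 0) > best) best = p[2] + 0
        }
        END { if (best > 0) print best }'
}

# check_baseline SHOWREV_OUTPUT BASELINE
#   Prints one line per baseline entry the host does not satisfy, in the form
#   "BASE required REV installed X" (X is "none" if absent).
#   Returns 0 if the host meets the whole baseline, 1 otherwise.
check_baseline() {
    showrev_out=$1
    baseline=$2
    rc=0
    for entry in $baseline; do
        base=${entry%-*}
        req=${entry#*-}
        have=$(printf '%s\n' "$showrev_out" | installed_rev "$base")
        if [ -z "$have" ]; then
            printf '%s required %s installed none\n' "$base" "$req"
            rc=1
        elif [ "$have" -lt "$req" ]; then
            printf '%s required %s installed %s\n' "$base" "$req" "$have"
            rc=1
        fi
    done
    return $rc
}

# Usage against the constructed sample: lists the two entries the host lacks.
check_baseline "$SAMPLE_SHOWREV" "$BASELINE" || echo "host is behind baseline"
```

Run this from a central box against each host's captured `showrev -p` output and the "keep current on security patches" policy becomes a concrete report rather than a feeling. The baseline file is the thing to review when Sun withdraws or reissues a patch: drop or bump the entry there and every host is re-evaluated against the corrected requirement on the next run.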
# 2

Patch when the patch is known to solve an issue you want to address. For security patches, patch when there's one. For kernel patches, if it affects your application's performance on the server then by all means, patch. Sun's clustered patches do not include patches for all applications running on your server; you still need to apply the third-party product patches if they are available and you need them to address problems.

I've sysadmin friends who can afford to reboot their servers once a month and who apply the clustered patches once a month, regardless of whether they need them or not. You've the freedom to adopt your own admin style or customize it to your working environment. No one is gonna stop you. But be mindful.

cmk168 at 2007-7-5 18:11:54