What happened: Microsoft pushed out an update to Windows Desktop Search (WDS) through WSUS (Windows Software Update Services, used to keep large Windows networks up-to-date), but made an error.
I found I had to read this explanation three times before I understood it, so here’s my attempt to re-phrase it.
From time to time, Microsoft issues updates to WDS. One of these updates came out back in February. Sane administrators approved this because it applied only to desktops that already had WDS installed.
Last Tuesday another such update appeared, and was automatically approved on sites where the February update had already been approved. Microsoft’s error was to make the new update applicable to all Windows XP SP2 or Windows Server 2003 machines, rather than just those where WDS was already installed.
Why was it such a big blunder? Many Enterprise PCs are set to redirect the My Documents folder to the server, where it can be backed up. WDS always indexes My Documents. Result: heavy network traffic as all these new indexes were being built. Furthermore, Microsoft’s track record for unobtrusive background indexing is not particularly good. Crippled network = lots of support calls.
The lesson: Susan Bradley says never auto-approve patches. I tend to agree, though it is a dilemma since with security-related patches time is of the essence. But here’s another case. I noticed on a Small Business Server 2003 box recently that Windows Server 2003 SP2 was waiting to be installed. Before clicking OK, I had a quick look for any issues, and came across this support note:
After applying Windows 2003 Service pack 2 on Small Business Server 2003 you may see the following issues:
1. For both Standard and Premium:
Missing Help and Support service
R2 patch approve console has error on approval
2. For Premium with ISA Server 2004
Networking issues including NAT and VPN connectivity programs, Outlook not connecting, RPC errors, etc.
Ouch. There are solutions; but that’s definitely one to defer for after hours maintenance.
Do Microsoft provide some kind of ‘update proxy’ server facility where you can download patches, investigate them on a test box and then push them out to the desktop? Otherwise I can see this kind of issue causing utter hell in the corporate environment.
I don’t know much about patching corporate desktops but sure there must be some kind of GPO to turn it off altogether.