Should You Update or Not Update? – A Comprehensive Guide


Since I started working where I am now, I've been in an endless struggle with my boss and coworkers in regard to updating systems.

I of course totally agree that any update (be it firmware, O.S. or application) should not be applied carelessly as soon as it comes out, but I also firmly believe that there should be at least some reason if the vendor released it; and the most common reason is usually fixing some bug… which maybe you're not experiencing now, but you could be experiencing soon if you don't keep up with .

This is especially true for security fixes; as an example, had anyone simply applied a patch that had already been available for months, the infamous SQL Slammer worm would have been harmless.

I'm all for testing and evaluating updates before deploying them; but I strongly disagree with the "if it's not broken then don't touch it" approach to systems management, and it genuinely hurts me when I find production Windows 2003 SP1 or ESX 3.5 Update 2 systems, and the only answer I can get is "it's working, we don't want to break it".

What do you think about this?
What is your policy?
And what is your company policy, if it doesn't match your own?

What about firmware updates (BIOS, storage, etc.)?
What about main O.S. updates (service packs)?
What about minor O.S. updates?
What about application updates?

My main interest is of course in updating servers, as client patch management is usually more straightforward and there are well known tools and best practices to handle it.

Best Answer

Security and agility should be balanced against stability and uptime when determining your patching strategy. Your push-back approach for this should be along the lines of 'Okay, but you need to know that we're now at risk of these servers becoming compromised and having our data stolen, or having the servers be rendered non-functional' and 'Okay, but you need to know that this impacts our vendor support for this system, and future ability to have this system interact with new systems'.

Against the longer-term 'not broke, don't update' mentality, you should make it clear that:

  • Migrating an unpatched legacy system that's fallen way behind over to a modern system is a much more expensive and painful process than gradually updating that system over time.
  • Experienced and skilled IT personnel actively seek out new technology and companies that are constantly evolving their IT systems. There's a very real dollar cost in turnover, lost opportunity, and loss of knowledge when a company loses its highly engaged, creative IT staff due to its systems stagnating and becoming unappealing to work with. Then all you're left with are the 'lifers'.

Hope this gives you some leverage and best of luck in convincing the aboves to take things seriously. As always, establish a paper trail that proves you've apprised management of the risks they're taking.