Conquering Patch Madness
UpdateEXPERT eases the task of keeping servers patched.
UpdateEXPERT, formerly SPQuery, manages updates
and patches to servers, including Windows 2000
and NT Servers, Terminal Server, IIS, SQL Server
and Exchange; workstations (NT, 2000, and XP only);
and some specific programs (Internet Explorer,
Media Player, NetMeeting, NetShow, Office and
Outlook). UE does this by comparing the machines
on your network with a secure database of patches.
Most hotfixes can be scheduled for installation
from the UE interface. One particularly attractive
feature is that potential patches and hotfixes
are grouped by OS and category, along with a brief
description of the vulnerability, with the bottom
pane showing the Knowledge Base article describing
the fix. You have the option of adding any patches
or hotfixes to a required list, so you can compare
your patching policy to the software installed
on a particular server. The missing patches for
that system are listed when the computer name
UE worked as designed, but there are some quirks. If you manually enter
a computer name but misspell it, or otherwise want to delete an entry
that doesn't exist, your only recourse is to reset the entire list of
machines. Some interfaces could be improved: for example, under View|Manage
Required Updates, the panels can't be resized, and your only option is
to scroll horizontally to read the entire patch description. The default
view shows required updates only. No manual is included; most information
is in Help. And, since the sequence matters when setting up UE, a quick
"up and running" guide would make sense. There is, however,
a short, important readme file on the CD that covers some of these issues.
Figure: UpdateEXPERT lets you easily
browse all the updates available for software
on your computer.
Among the unique features of UE are the ability to schedule and push
patches out to various systems, after downloading the patch once to the
computer running UE; the ability to quickly find descriptions for newly
released patches; and the ability to generate reports both before and
after, validating the installation of selected patches.
[Version 5.1, out after this writing, adds
Smart Boot Elimination, which combines multiple
patches for the same computer to minimize reboots.]
What's missing? I found myself wanting some features from the similar
Config Reader program for NetWare servers. UE doesn't analyze any error
logs for potential causes of system crashes; it doesn't allow direct comparison
of patches on two servers side by side; and you can't sort patches or
program components by date, indicating where a newer component may be
There are an average of two to three releases per week of the patch database,
and St. Bernard runs a respectable one to two days behind the Microsoft
release of the patch, for testing. Normally, the database download frequency
is set from the console, with a default of once an hour. You have the
ability to create your own set of patches to install, and create a report
detailing which servers need which updates.
This product will be of most use to security
consultants, or in larger environments where there
are multiple and diverse Microsoft servers or
workstations to manage. UE provides a solid way
to manage the increasing number and urgency of
software patches from Microsoft.
About the Author
Douglas Mechaber, MCSE, MCNE, CCDA, is a network consultant and dive instructor and is always on the lookout for utilities that make his life easier, or Panulirus interruptus, the California spiny lobster.