Microsoft Now Pushing SharePoint Server Updates via the Windows Update Service
Microsoft this week released cumulative updates (CUs) for both SharePoint Server 2010 and SharePoint Server 2013, and it announced a policy change.
The policy change is that starting with these February CU releases, Microsoft intends to push its future SharePoint Server updates, including the nonsecurity ones, through its Windows Update service, according to a blog post by Stefan Gossner, a senior escalation engineer for SharePoint at Microsoft.
Gossner's advice on installing the CUs for SharePoint 2010 can be found here. His advice regarding the SharePoint 2013 CUs is located at this page. He also published details on the particular security fixes released this month in another blog post.
Windows Update delivery implies automatic installations. That could be a scary prospect for IT pros lacking controls preventing automatic installations. And despite Microsoft's new policy, IT pros are obligated to test these CUs before adding them to a production environment. Gossner offered a warning to that end in his blog post.
"A caveat [to CU delivery through Windows Update] is that evaluating the fix in a test environment before applying it on the production farm will be more complicated," Gossner wrote, without elaborating.
Don't Install CUs Automatically
Todd Klindt, a Microsoft SharePoint MVP and SharePoint principal architect at Rackspace, noted in a blog post that the CUs will now show up in Windows Update as Important updates, meaning that they get installed automatically, without notice.
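Whether a given server will install Important updates on its own can be read from its Windows Update settings. The script below is an added example, not taken from the article or from Klindt's blog; it assumes the standard Windows Update Agent registry locations on Windows Server 2008 R2 and 2012, reads the local machine only, and its helper names and verdict wording are hypothetical.

```powershell
# Added example: does this server install Windows Update content automatically?
$policyWU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policyAU = "$policyWU\AU"
$localAU  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-AutoUpdateVerdict($AUOptions, $NoAutoUpdate) {
    # Wording of the verdicts is this example's own.
    if ($NoAutoUpdate -eq 1)  { return 'Automatic Updates disabled' }
    if ($null -eq $AUOptions) { return 'Not configured' }
    switch ([int]$AUOptions) {
        1 { 'Never check for updates' }
        2 { 'Notify before download' }
        3 { 'Download only; an administrator starts the install' }
        4 { 'AUTOMATIC INSTALL: updates install without review' }
        5 { 'Local administrator chooses the setting' }
        default { "Unrecognized AUOptions value $AUOptions" }
    }
}

$polOpt   = Get-RegValue $policyAU 'AUOptions'
$polOff   = Get-RegValue $policyAU 'NoAutoUpdate'
$useWsus  = Get-RegValue $policyAU 'UseWUServer'
$wsusUrl  = Get-RegValue $policyWU 'WUServer'
$localOpt = Get-RegValue $localAU  'AUOptions'

# Group Policy values, when present, override the local Control Panel choice.
if (($null -ne $polOpt) -or ($null -ne $polOff)) {
    $source  = 'Group Policy'
    $verdict = Get-AutoUpdateVerdict $polOpt $polOff
} else {
    $source  = 'Local setting'
    $verdict = Get-AutoUpdateVerdict $localOpt $null
}
if ($useWsus -eq 1) { $wsus = $wsusUrl } else { $wsus = 'not in use' }

# One summary object per server; collect these across the farm to compare.
New-Object PSObject -Property @{
    Server = $env:COMPUTERNAME; Source = $source; Setting = $verdict; WSUS = $wsus
}
```

A result of 4 on a farm server means a SharePoint CU published as an Important update would be installed without review.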
"I recommend either setting Windows Update on each server to 'Download only' or I recommend using WSUS [Windows Server Update Services] to push patches out to servers," he said. Update: Klindt illustrates how to patch SharePoint Servers with the Windows Update service in this February 20 blog post.
Don't install a CU unless it addresses a problem, he explained.
"Since the beginning of time, or since SharePoint 2010 came out, whichever comes first, my guidance has always been not ever to install a cumulative update unless it fixes something that you're experiencing is broken," Klindt said in a phone call. "Unless you can put a fingerprint on the screen next to the problem it will solve for you, you shouldn't install it … because it causes problems. Anytime you go through and make big changes to an application there's risk. And two, the updates, and even service packs for that matter, have a long glorious tradition of breaking SharePoint, and they can't be uninstalled. So if you install a CU just because it's new and shiny and it breaks something, you're stuck till the next one comes out and hopefully it'll fix it."
Microsoft's use of Windows Update to deliver SharePoint Server updates isn't exactly new, according to Klindt. In the recent past, Microsoft had sometimes pushed out a SharePoint patch in that way, which tended to "freak out" IT pros, he said.
"It has happened before, but it was always the exception and not the rule," he explained. Possibly, those previous Windows Update releases were trial balloons, he suggested, but now Microsoft is proceeding with it as policy.
While Klindt recommends using WSUS to control SharePoint Server updates, he hasn't seen many organizations using it.
"I would say with the customers that I've touched, almost none of them used WSUS," Klindt said. "It's really only for big organizations. Most smaller companies don't [use WSUS] because it's just one more thing to learn; it's just one more thing to manage."
Microsoft's new policy will mandate having a test environment in place, although such an environment can't be perfect, according to Klindt.
"I think it's not possible to build and maintain a test environment that is exactly the same as the product, but that's one of those things where I don't let the perfect be the enemy of the good," he said. "All of your content is not going to be set up the same, but [having a test environment is] better than nothing at all."
Klindt said he thought that a lot of organizations don't get a view of what might break in advance by participating in Microsoft's fast- and slow-ring testing process. The hope is that testers will discover the major problems, and that things will get fixed about a month or two before the update rolls out.
Noteworthy this month is that both February CU releases for SharePoint 2010 and SharePoint 2013 include uber packages, which Gossner also called "full server packages." The presence of an uber package is important to note because it includes fixes for all of the SharePoint server components. Microsoft has previously explained this uber package concept, saying that such packages are similar to "mini-service packs."
Microsoft also has non-uber packages to watch out for, according to Klindt.
"When I'm talking to customers, I tell them, 'Don't install a cumulative update unless [something bad has happened],' but when those non-uber ones come out, they scare the pants off me," he said. "Because, the reason those patches come out, those non-ubers, is because Microsoft didn't have time to test the uber -- didn't have time to put it all together. And now that the SharePoint team is committed to putting patches out on a patch Tuesday, they can't delay it and finish their testing … so that makes me even more scared of the patch, if that's possible."
Klindt noted in his blog post that IT pros still have to run the SharePoint Products Configuration Wizard after applying the updates, which Microsoft requires. It's a method for upgrading the shared components after patching the server. Klindt explained that the wizard can also be run via a command line interface, where Microsoft refers to it as "PSConfig." It's also possible to use PowerShell to carry out this task, he added.
"The way Microsoft wanted this [Products Configuration Wizard] to be able to be run is you could install the binaries in the background without incurring downtime, and then have your scheduled downtime whenever, and run the Configuration Wizard on all of the machines in your farm to lay the bits down -- swap out the old bits and put in the new bits. The Config Wizard also does a lot of cleanup things, like it verifies permissions on registry keys and verifies permissions on file systems and stuff like that. But you have to run it on every server on your farm every time you test your binaries."
Build-number tracking is also a concern for IT pros managing SharePoint Server installations. Klindt regularly updates listings for them, both for SharePoint 2010 and SharePoint 2013.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.