We support small business clients, so massive and expensive testing isn't justified. I almost always wait for at least 24 hours before installing the updates on even my personal PC. After using myself as a 'crash test dummy,' I then install them on our office systems. If things are still looking good after that, I'll allow WSUS to install them at my clients' systems.
I figure letting somebody else do the initial "beta" testing is a good plan!
Servers: The day after updates are released. (Except for some major updates to Exchange/SQL Server/etc. that require more planning.)
Test Group: The day updates are released.
All others: Six to seven days after the test group has been updated.
We do look at each update in depth prior to deployment but look at ALL of them as mandatory as they almost always fix a specific vulnerability. We have approximately 700 computers/servers to update.
Do we test every patch? No. With hundreds of Windows Servers and thousands of Windows workstations, it would be impractical (if not impossible) to test every patch in every configuration.
We use a 'layered' approach:
- We deploy patches monthly, giving a few days for Microsoft and others to see if any patches cause problems.
- Then we deploy on a handful of servers/workstations deemed 'not critical' and monitor irregularities.
- A day or so later we deploy to the general population of servers/workstations, but not to any server/workstation deemed 'critical.'
- A day or so after that we deploy on critical servers and workstations.
For us, this is usually a three-day process and we haven't had any major issues in the many years we've employed this method.
We use WSUS and divide our computers into three categories (non-critical, general and critical) and set each category to deploy patches at the different times so we can stop and/or rollback if we see any issues. We typically do this over a weekend to avoid production hours.
Of course if there is a really critical patch that needs to go out immediately, we circumvent this process and test before we deploy.
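The three-group staggered rollout described in the reply above (non-critical, then general, then critical, each a day or so apart) is the kind of thing WSUS lets you script rather than click through every month. The following is an added example, not code from any of the respondents: it uses the Microsoft.UpdateServices.Administration .NET API that ships with the WSUS console to create the three target groups if they are missing, select this month's not-yet-approved Security and Critical updates that arrived on or after Patch Tuesday, and approve them for each group with a deadline offset by that group's stage. The server name, port, group names, day offsets and the classification filter are assumptions; adjust them to your environment.

```powershell
# Added example: staged WSUS approvals with per-group deadlines.
# Assumptions: WSUS console installed locally (provides the admin assembly),
# server 'wsus01' on HTTP port 8530, group names and delays as listed below.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$WsusServer = 'wsus01'   # assumed hostname
$UseSsl     = $false
$Port       = 8530
$DryRun     = $true      # set to $false to actually approve

# Rollout order and delay (in days after $Base) per group. Names are assumptions.
$Stages = @(
    @{ Group = 'Non-Critical'; DelayDays = 0 },
    @{ Group = 'General';      DelayDays = 1 },
    @{ Group = 'Critical';     DelayDays = 2 }
)

function Get-PatchTuesday([datetime]$Month = (Get-Date)) {
    # Second Tuesday of the given month, at midnight.
    $first  = Get-Date -Year $Month.Year -Month $Month.Month -Day 1 -Hour 0 -Minute 0 -Second 0 -Millisecond 0
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $UseSsl, $Port)

# Ensure each target group exists (created directly under 'All Computers').
$groups = @{}
foreach ($stage in $Stages) {
    $g = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $stage.Group }
    if (-not $g) {
        Write-Host "Creating target group '$($stage.Group)'"
        $g = $wsus.CreateComputerTargetGroup($stage.Group)
    }
    $groups[$stage.Group] = $g
}

# Select candidates: not approved, not declined, not superseded, arrived since
# this month's Patch Tuesday, and in the classifications we treat as mandatory.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates  = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$scope.FromArrivalDate = Get-PatchTuesday
$Classifications = @('Security Updates', 'Critical Updates')   # assumed filter

$candidates = $wsus.GetUpdates($scope) | Where-Object {
    -not $_.IsDeclined -and -not $_.IsSuperseded -and
    ($Classifications -contains $_.UpdateClassificationTitle)
}
Write-Host ("{0} update(s) selected since {1:yyyy-MM-dd}" -f @($candidates).Count, $scope.FromArrivalDate)

# Deadlines are staggered from a common base (here: next Saturday 02:00, the
# 'over a weekend' window), one stage per day.
$Base = (Get-Date).Date.AddHours(2)
while ($Base.DayOfWeek -ne [DayOfWeek]::Saturday) { $Base = $Base.AddDays(1) }

foreach ($u in $candidates) {
    if ($u.RequiresLicenseAgreementAcceptance -and -not $DryRun) { $u.AcceptLicenseAgreement() }
    foreach ($stage in $Stages) {
        $deadline = $Base.AddDays($stage.DelayDays)
        if ($DryRun) {
            Write-Host ("WOULD approve '{0}' for {1,-12} deadline {2:yyyy-MM-dd HH:mm}" -f $u.Title, $stage.Group, $deadline)
        } else {
            # Install approval with an enforced deadline for this group's stage.
            $u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install,
                       $groups[$stage.Group], $deadline) | Out-Null
        }
    }
}
```

Run it once with `$DryRun = $true` to review the list and deadlines, then flip the flag. The staggering only works if machines are actually assigned to those groups (client-side targeting via Group Policy, or server-side targeting in the console), and a deadline only forces installation on clients that check in before it; clients also need the detection-frequency and restart settings in policy to match the window you chose. If the first stage surfaces a problem, the brake is to change the remaining groups' approval to NotApproved for the offending update (`$u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::NotApproved, $group)`) or to decline it outright with `$u.Decline()`, before the later deadlines arrive.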
We have 5,000 PCs and 250 servers to patch. If the online community is not filled with horror stories by the Thursday following Patch Tuesday we release them all to our environment via WSUS.