I test all patches. The testing is geared to getting a feel for what might break. Other patches we test for two weeks. The only 'updates' that do not get installed at release are application dumb stuff like IE upgrades. In general, our view is that security patches are released for a reason.
Here are my brief thoughts on Microsoft patching -- as a Microsoft partner and VAR -- for most of our customers (but not all) that do not have their own in-house IT staff. In 95 percent of circumstances we install and configure WSUS 3.0 to automatically download, approve and install the updates. We have been doing this strategy for about three years -- ever since WSUS 3.0 came out.
That means as long as a computer is on it gets updates. Here are the results:
- Randomly some older Server 2003 servers hang at 'Windows is shutting down,' but not most
- The only time we've been burned was an update that killed Exchange 2007 OWA on Server 2003 x64
Otherwise, I run on the assumption that the updates do more good than harm.
Our practice is to apply all new patches to IT workstations and a few non-production servers, and let them run for a day or two.
If no problems occur, we have a small set of 'regular users' that get all patches (one or two from each office) for a day or two.
If no problems there, then all patches are pushed out to remaining computers.
It probably takes a week to ten days to get everything patched -- 350 PCs and 40 servers.