One big patch or a bunch of small ones...

I was reading through some articles on the Security Focus site and came across one that brought up a good question:

Quote:

---

A recent XP security hole begs the question, do we really want Microsoft to release individual fixes for every bug?

---

Do you guys think it would be easier to manage the patches if they continued they way they (M$) do now with a bunch of small patches for specific problems/vulnerabilities or one large patch that covers many. Which do you think would be more manageable from a security perspective? Isn't this kind of what they do with Service Packs anyway?

The article talks about this as kind of a secondary question after speaking on a vulnerability in Windows XP that allows an attacker to delete directories on a victim's machine.

You can find the article here .

There are benefits to doing it both ways. A Service Pack or a patch cluster (as Sun calls their stuff) is a good baseline way to ensure a minimum patch level, and until they get quite large, there isn't a significant difference between just downloading a specific patch and installing it, versus installing and running an entire service pack (obviously as the cluster/pack becomes larger it takes longer to download and install).

With the service packs on Solaris now, it can take 3-4 hours if you install them (obviously far from ideal); however, there are scripts that are available that do a little checking from what is already installed versus what is available at sun's site and can custom select those packages and download them and install them, whioh can save quite a bit of time. This is exactly what Windows Update does btw (and I am sure it has added things it does for Mr. Gates...but that is another rant)...

So my answer would be both are very good :) The big clusters/service packs for getting the ball rolling, then the smaller ones for keeping the box up to date without waiting half a day for them to download/install...

/nebulus