One big patch or a bunch of small ones...

    Aug 2002

    I was reading through some articles on the Security Focus site and came across one that brought up a good question:

    A recent XP security hole begs the question, do we really want Microsoft to release individual fixes for every bug?
    Do you guys think it would be easier to manage the patches if they continued the way they (M$) do now with a bunch of small patches for specific problems/vulnerabilities or one large patch that covers many? Which do you think would be more manageable from a security perspective? Isn't this kind of what they do with Service Packs anyway?

    The article talks about this as kind of a secondary question after speaking on a vulnerability in Windows XP that allows an attacker to delete directories on a victim's machine.

    You can find the article here.
    Jun 2002
    There are benefits to doing it both ways. A Service Pack or a patch cluster (as Sun calls their stuff) is a good baseline way to ensure a minimum patch level, and until they get quite large, there isn't a significant difference between just downloading a specific patch and installing it, versus installing and running an entire service pack (obviously as the cluster/pack becomes larger it takes longer to download and install).

    With the service packs on Solaris now, it can take 3-4 hours if you install them (obviously far from ideal); however, there are scripts that are available that do a little checking from what is already installed versus what is available at Sun's site and can custom select those packages and download them and install them, which can save quite a bit of time. This is exactly what Windows Update does btw (and I am sure it has added things it does for Mr. Gates...but that is another rant)...

    So my answer would be both are very good. The big clusters/service packs for getting the ball rolling, then the smaller ones for keeping the box up to date without waiting half a day for them to download/install...

