It has taken Microsoft four years to ship another service pack for Windows XP. After all that time, you might think that they’d get it right. However, even as SP3 went to RTM, problems cropped up with SP3, including problems that it caused with Microsoft’s own Dynamics line of software.

With the practically unlimited hardware and software combinations that are out there, you can’t necessarily blame Microsoft if things break when they ship something as significant as a service pack. Even simple patches and fixes can sometimes break things. That’s why it’s often a good idea not to configure Automatic Updates on Windows software. You need to have a strategy in place to deal with updates and to test them in advance.

Where to begin?

Of course, in some cases users can receive updates automatically and you don’t have to worry about them. For lower-level users doing noncritical work, you may think you can save yourself some time by just enabling Automatic Updates. Usually the places where updates and service packs cause the most damage is where you’re using custom applications or rely a lot on non-Microsoft solutions. So for those users, you may want to have a testing regiment in place before you allow them to receive updates. The main difficulty with such a strategy is that you can spend a lot of time doing triage.

It’s often easier to have a blanket policy in place. Either allow Automatic Updates for everyone, hope for the best, and deal with the fallout, or block updates for all users and distribute them on an as-needed basis once you’re sure they work properly.

Do-it-yourself distribution

It’s a gamble which is the better strategy. In the short term, certainly the most labor-intensive option is to block automatic updates and distribute them yourself. If you’ve standardized the workstations in your organization, you should keep back a representative machine with typically installed software. Apply the patches and do some testing yourself. If everything seems to be fine, then you can push the patches and service packs out.

Microsoft helps with the blocking of XP SP3 and Vista SP1 with the Windows Service Pack Blocker Tool Kit. Even if you have Automatic Updates installed, this tool will prevent them from loading the target service packs for up to a year. This gives you the flexibility of allowing Automatic Updates without having to worry about dealing with bad results from the service packs.

Another alternative is to set up your own update server and redirect workstation updates to it. Microsoft’s Windows Server Update Services will help you get that job done. Third parties create update services as well, such as PatchLink, PatchQuest, and Patch Authority.

Finally, you can also just create individual MSI files for each patch or update and then push them out via Group Policy. This takes a little more effort than the other solutions, but it gives you the maximum flexibility about who gets what and when. If you don’t like Active Directory and Group Policy, you can use things like ZENworks and LANDesk to do essentially the same thing.

Avoid fixes that break things

Service packs and updates have the ability to introduce as many problems as they fix. As an IT leader, you need to have a strategy in place before you deploy them. You may get lucky and not encounter any problems. However, it’s just as likely that when the updates fix one thing they break something else along the way. Do some testing in advance, and you can save yourself time in the long run.