IT shops won't see a second service pack for Windows Server Update Services until Microsoft releases its next version of Windows Server.
WSUS SP1 has been available since February 2008. Marc Shepard, Microsoft's WSUS lead program manager, said that a second service pack is in the works. Mainly, it will support the version of Windows Server beyond Windows Server 2008 and its Server Manager.
Microsoft hopes, but does not promise, that WSUS SP2 will address one vexing problem that is a source of customer complaints. Customers want a baseline compliance report that can show when computers are out of compliance with updates that have been approved for install, Shepard said.
Currently, customers can generate this sort of information in WSUS themselves by extending its functionality with the public API and public database views. Shepard hopes this issue will be resolved in the next version of WSUS.
"A baseline compliance report will likely be added to the next version," Shepard said. Beyond SP2, Shepard said Microsoft has made no firm plans for WSUS.
WSUS adds muscle
WSUS was once considered a rinky-dink patching tool for small to medium-sized businesses, but that has changed a bit, provided you run a Windows shop. Since the release of Windows Server 2003, WSUS has taken on a higher calling as a competitor to commercial, enterprise patch managers. Shepard said one WSUS server can support 25,000 clients and can possibly be scaled out even further.
These improvements have not escaped the notice of some enterprise IT managers who have paid for their patching tools. "We're actually thinking about switching to WSUS," said Jason Nord, integration technologist at Land O'Lakes Inc., the St. Paul, Minn.-based farm cooperative known for its dairy products. "[WSUS] has come a long way."
Nord said that given the cost and the feature set of his current patch manager, and given the ability to do scripting and make other modifications using the free Microsoft tool, WSUS might be a better long-term patch manager for his company. Land O'Lakes currently does use WSUS to patch some of its desktops.
The main difference between WSUS and other patch managers sold by companies such as Shavlik Technologies and Symantec Inc. is that WSUS is limited to distributing Microsoft updates. IT managers also have the option of buying Microsoft System Center Essentials or Microsoft Configuration Manager to distribute third-party patches. It's unlikely that WSUS itself will ever handle third-party patches, Shepard said.
WSUS is able to patch virtual machines by way of the System Center Virtual Machine Manager, though it is not able to patch virtual applications. "That may be a feature in a future version of WSUS," he said.
Currently, all Microsoft products that handle the task of update management are using the WSUS server and Windows Update Agent, giving all Windows tools a consistent scan engine, Shepard said.
Shepard said IT managers are often unaware of what they can do using the WSUS public API and software development kits. To cite a few examples, there is the ability to create a compliance report using the API, and there's the Visual Basic script that lets IT drive the Windows Update Agent to interactively install updates. Also, there are ways to create scripts to control how servers in a Web farm are updated.
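The baseline compliance report described above can be approximated today with the WSUS administration API. The following PowerShell is an added example, not code from Microsoft or from the article. It assumes it runs on the WSUS server (or a machine with the WSUS administration console installed) under an account allowed to read WSUS reports, and the output path is a placeholder.

```powershell
# Added example: list computers that are missing updates approved on this WSUS server.
# Assumption: the WSUS administration assembly is installed locally.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# Connect to the local WSUS server with the current user's credentials.
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Restrict the update set to updates whose latest revision is approved.
# Caveat: this filter is server-wide. It does not check that the approval
# targets the group a given computer belongs to.
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.ApprovedStates =
    [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

# Default computer scope: every computer registered with the server.
$computerScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope

$report = foreach ($summary in $wsus.GetSummariesPerComputerTarget($updateScope, $computerScope)) {
    # Treat anything not fully installed as out of compliance. Counting
    # "pending reboot" as missing is a choice made for this example.
    $missing = $summary.NotInstalledCount + $summary.DownloadedCount +
               $summary.FailedCount + $summary.InstalledPendingRebootCount

    # Unknown means the client has not reported state for those updates,
    # which is a reporting blind spot rather than proof of compliance.
    if ($missing -gt 0 -or $summary.UnknownCount -gt 0) {
        $computer = $wsus.GetComputerTarget($summary.ComputerTargetId)
        [pscustomobject]@{
            Computer       = $computer.FullDomainName
            LastReported   = $computer.LastReportedStatusTime
            Needed         = $summary.NotInstalledCount + $summary.DownloadedCount
            Failed         = $summary.FailedCount
            PendingReboot  = $summary.InstalledPendingRebootCount
            Unknown        = $summary.UnknownCount
            Installed      = $summary.InstalledCount
        }
    }
}

# Worst offenders first. The CSV path is a placeholder for this example.
$report |
    Sort-Object -Property Failed, Needed -Descending |
    Export-Csv -Path '.\wsus-baseline-compliance.csv' -NoTypeInformation
```

Computers with a stale `LastReported` value deserve separate follow-up, since their counts reflect the last time the Windows Update Agent checked in rather than their current state.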