WSUS vs. commercial software: Which is the better choice?

In the first of this two-part series, I compared WSUS (Windows Server Update Services) with its predecessor, SUS (Server Update Services).

WSUS boasts a variety of new features, better administration and a broader range of products and platforms that it could work with. But how does WSUS compare with the commercial patch management solutions that are out there?

One aspect of WSUS may be seen as either a pro or a con, depending on the situation. WSUS uses Group Policy within a Windows domain to manage and distribute patches. Managing the WSUS patch environment requires access to both the WSUS policy management interface and the Group Policy snap-in. In some organizations, the person tasked with managing patches does not necessarily have the administrative authority needed to administer the Group Policy snap-in as well.

Another consideration is that because WSUS relies on a machine-based GPO, configuration changes can take some time to propagate. The default timeframe for Group Policy refresh is 90 minutes. Forcing a configuration update sooner requires a reboot of each machine for the update to take effect. Immediately pushing out patches on an urgent basis is much more complicated with WSUS than it is with most third-party patch management tools.

Arguably, the single biggest feature of commercial, third-party patch management applications in comparison to WSUS is that they are not limited in scope to only assessing and patching Microsoft operating systems and products. Even the most Microsoft-centric businesses still typically have a variety of non-Microsoft applications and operating systems running in some capacity. Relying on WSUS for patch management means manually assessing and patching these other products.

Products such as Patchlink's PatchLink or UpdateExpert from St. Bernard are capable of scanning systems across the network to discover vulnerabilities in both Microsoft and non-Microsoft products and manage the scheduling and deployment of any necessary patches. Products such as these generally provide more functionality and some extra bells and whistles, but they come at a price, particularly when compared with a free product such as Microsoft's WSUS.

If you are operating an entirely, or at least predominantly, Microsoft-centric network, WSUS is definitely worth taking a close look at. But, to do your due diligence and make sure you are choosing the best product for your needs, you should also examine some of the commercial patch management products available.

Tony Bradley, a consultant and writer, focuses on network security, antivirus and incident response. He is the author of the About.com guide for Internet/Network Security, which offers a broad range of security tips, advice, reviews and information.

This was first published in October 2005
