Microsoft offers a free network scanner for determining patch levels, HFNetChk, which is licensed from Shavlik Technologies, one of the vendors in this review. HFNetChk is a command-line tool that downloads a 1.1-MB XML database-like file called mssecure.xml. The database is publicly available and may be integrated into other products, including homegrown scripts (see "A Heap of Trouble" for more information).
Driven by the mssecure.xml database, HFNetChk scans the registry, as well as, in some cases, file-version information, patched DLLs and file-checksum information. The tool will give you a snapshot of the patch levels on the machine or network in question, but you'll still have to do the footwork of manually installing the needed patches.
HFNetChk works as advertised, and the CLI lets script-savvy administrators whip up some automated tools.
Microsoft provides another security utility to help with patch configuration: Microsoft Baseline Security Analyzer, or MBSA, also licensed from Shavlik. Although MBSA uses HFNetChk, it has a wider but shallower focus: It doesn't dig as deep on the patch-configuration front but does provide the user with information on high-risk vulnerabilities in account management, IIS, SQL Server and network configuration.
Both tools have come under some criticism following heavy scrutiny and reports of both false positives (reporting as "not installed" patches that were, in fact, installed) and false negatives (not reporting patches that were not installed). See the Neophasis Archivesfor more details.
Microsoft HFNetChk (free)
Microsoft Patch Database for HFNetCHk
Microsoft Baseline Security Analyzer