Patch Managers Need Perfecting

The agent products we tested didn't pose a substantial burden to user workstations or network servers. The agents also don't rely excessively on Windows services, such as Remote Registry and Server services--an added benefit, particularly for "hardened" server environments. The agents we tested ran as services on our client computers. They are easy to install and do not appear to affect working environments. Agent products also let you target systems more precisely, a feature that becomes more important with granular or small-scale patch deployments. Finally, the agent products can retrieve quite a bit of information beyond basic patch levels, including user names, application lists and available system resources, modestly increasing the amount of control you have over patch distributions.

We found the agentless products less informative than the agent ones, but also less complicated to install, and what we lost in information we gained in simplicity. In organizations where resources are already strapped, this may be important.

Report Card click to enlarge

The agentless products generally performed patching as well as their agent-based brethren. We successfully discovered all our targets, including our standalone systems, with all the agentless solutions except Gravity Storm's Service Pack Manager (SPM) 2000. SPM relies on WINS (Windows Internet Name Service) queries and had difficulty locating systems outside our Active Directory, and even then it couldn't properly enumerate the AD tree.

Rollback: Why Care?

Ever deploy a critical patch without first performing a full regression test, only to be called in by the helpdesk early in the morning to figure out why, suddenly, no one can log on to the network? If so, you probably wanted to undo the deployment magically. Enter rollback.