From: "Geo" 

"Hrvoje Mesing"  wrote in
message news:42fe00cd{at}w3.nls.net...

> Or have a SUS server, block it to windows update, get patches from
elsewhere
> to Stick, Import to SUS (MS method, or give Your self a lil time to figure
> the alternate way :), auto patch machines :)

this solves nothing, you still have 30 patches to organize just for August alone.

Lets simplify this discussion, pretend the goal is to put all the service
packs and patches on a 4gig usb memory stick so you can carry them with you
to whatever machine you are working on at the moment so that a network or
internet connection is not required before the machine is fully patched.

Ok, now for anyone who's actually done this you know that the recent w2k
rollup is an absolutely HUGE help, it eliminated about 20 minutes of work
for each machine you have to patch. But we are already back up to 26 or 27
post rollup patches now so it's getting out of hand again because each
month brings 4, 5, 6, more patches.

So the question I was asking was, if MS knows they are going to patch 6
different issues for august, why not release one patch for W2K that fixes
all 6? My point being that the end users should be expected to track all
these separate patches, I mean that's silly, that's like saying hey instead
of 6 patches where each patch replaces 5 or 6 files why don't we just
release 42 different patches, one for each file that's been updated..

It's really dependent on your point of view, MS is aiming at delivering a
solution for each exploit, probably because they track this stuff by
exploit. But anyone who requires these patches doesn't see it that way,
their concern is being patched to current levels. It's not like there is a
choice, you can't ignore the recent spooler patch because it breaks some
program that requires anonymous null access to the spooler, if you ignore
it you aren't secure so you may as well not have any patches at all. Even
if you do ignore it, this means you are now exposed to untested
configurations where you have old files that aren't tested when new patches
are released so you may be in for even more problems.

For anyone concerned about security it would be much better to have a
service pack, a rollup, and then one patch per month. Or even a rollup that
is updated each month so there are just 2 things to apply. The rollup could
possibly display a checkbox list of all the patches it contains so you
could unselect one but I really think that's a bad idea.

Geo.

--- BBBS/NT v4.01 Flag-5