How long should we wait before deploying Vista / Server2008 SP2

Question

Now that Microsoft have released Vista & Server 2008 SP2 (see Lifehacker). How long should I wait before installing it on:

1. Stand alone machines
2. PCs on the domain
3. Windows servers
4. "Critical" Servers

Answer 1

I would give it at least a week before installing on anything but a test machine - I've never seen an emergency Service Pack retraction more than a day or 2 after release.

The next step is to deploy as fast as possible - it may contain security enhancements not in SP1 + Automatic updates. Part of deployment planning is testing in your environment. This would apply equally to system types 1-4 above. Vista SP2 does not have Server 2008 SP2 as a prerequisite, so this can be installed in any order.

If there are incompatibilities with SP2 and your environment, the actual timeline for deployment may be many weeks as these are resolved by either the application supplier or Microsoft.

Answer 2

In theory you've already tested application compatibility with the RC on a test system and server. Now that it's released the time to apply it is now. You should make a backup of your standard desktop image and apply the RTM version. After a quick test on your system (assuming you are not already running windows 7 RC) roll it out to a few test users (number 2 on your list) and after verifying that you have backups, roll it out to the standalone machines. (#1). While your users are verifying that it won't break their copies of solitare, you can chedule the reboots and downtime to deploy it to your 2008 servers. All of your servers should have a backup. This is critical as I have seen servers go belly up during the RC due to driver issues (servers that did not have updated drivers). If you've kept up on driver updates you can apply the SP2 to windows servers. (#3). You should now roll out SP2 to the rest of your userbase. I'm not sure by what you mean by "critical" windows servers. I'm guessing that those are nonredundant servers with high value business functions (which begs the question how critical can they be of they aren't redundant?). Ensure that they are up to date on the firmware/driver front before applying the SP and after a few days on the other servers I'd finalize the rollout.

Answer 3

I would deploy it today on test machines. Ideally you should then then test all critical applicaitons and then rollout once you are confident that they aren't impacted, and can schedule the down time with your users.

For servers you should have a good roll back strategy and the nature of the applications that they host should dictate when they get updated.

As long as your machines are otherwise fully patched against security exploits I wouldn't be too worried about rushing the SP on in the short term, but the longer you wait, the more vunerable you become.

Answer 4

This came up today in a conversation with our SysAdmin folks. A good time buffer is based on when the service pack is released to Windows Update and/or WSUS. Once it is released there, we deploy to test and development machines (and our own, IT-staff desktop if applicable). Then wait a month for the next round of "Patch Tuesday" fixes before pulling the trigger on pushing it out through WSUS.

So, it could take a few months, total, before we push it out broadly.

Answer 5

Patches should be deployed in the following manner.

One (your own machine)

Few (other admins/power users [this is where most of your problems will come from])

Many (Everyone else)

If they are not critical updates, wait about a week to deploy each series. But it's highly dependent on the TYPE of patch or Service Pack. Critical Security Updates should be applied ASAP, most everything else can wait a bit, especially Service Packs.