3

If I administrate an on-site WSUS instance, I am responsible for releasing updates to domain-joined PCs according to some policy guidelines. Is there some sort of metadata or technique I can use to assess the impact to end users before deciding when to release an update?

The specific scenario I am trying to address is the occurrence of apparently smaller updates that require restarts and take an absurd amount of time to complete. On several occasions I have seen PCs that attempt to 'shut down and apply updates' from the Start Menu at 5 PM and sit for over a half hour while they grind away at the hard drive. These are modern, fast machines with SSDs and 8 GB or more of RAM. My only theory is that these updates must be scanning the whole disk for some reason. If these updates are flagged in some way, I would like to hold them back until a planned downtime day.

Are there any other options beyond applying them individually and timing them with a stopwatch?

Jeff Sacksteder

1 Answer

2

There's not much more of an option beyond applying them individually and measuring the load or time. You could use a farm of VMs to test them, but there are too many variables to even begin to control for.

Since Vista, the reason many updates take a long time is that they're packaged as "diffs". These updates are really just a list of modifications with which the originals must be combined in order to produce the patched file. The larger or more complicated the update or original file, the longer it will take. This can be intensive in CPU, RAM, and disk I/O.

If applying updates during the day is becoming an issue, you might want to look into another strategy.

Hyppy
  • One thing you could do to automate the testing at least a little bit is script the installation process. Use something like WUInstall + PowerShell / batch to automate each patch. You could log the installation / reboot time of each patch and basically install one at a time until all patches are installed. Then go back and look at the log to see if there were any patches that took a really long time. – Eric C. Singer Apr 23 '15 at 16:45
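
The comment above suggests installing patches one at a time and logging how long each takes. A sketch of that loop, as an added example that is not from the original thread: it uses the Windows Update Agent COM API built into Windows rather than WUInstall, and the log path is an assumed location. It records only the online install phase, not the work done during the restart itself.

```powershell
# Added example: time each pending update individually on a test machine.
# Run from an elevated PowerShell session.
$logPath = 'C:\PatchTiming\install-times.csv'   # assumed path, change as needed
New-Item -ItemType Directory -Path (Split-Path $logPath) -Force | Out-Null

$session  = New-Object -ComObject Microsoft.Update.Session
$criteria = "IsInstalled=0 and Type='Software' and IsHidden=0"
$pending  = $session.CreateUpdateSearcher().Search($criteria).Updates

foreach ($update in $pending) {
    if (-not $update.EulaAccepted) { $update.AcceptEula() }

    # One update per collection, so the timing belongs to that update alone
    $single = New-Object -ComObject Microsoft.Update.UpdateColl
    [void]$single.Add($update)

    $row = [ordered]@{
        Started        = Get-Date -Format o
        Title          = $update.Title
        KB             = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ';'
        DownloadSec    = $null
        InstallSec     = $null
        ResultCode     = $null   # 2 = succeeded, 3 = succeeded with errors, 4 = failed
        RebootRequired = $null
        Error          = $null
    }
    try {
        $downloader = $session.CreateUpdateDownloader()
        $downloader.Updates = $single
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        [void]$downloader.Download()
        $row.DownloadSec = [math]::Round($timer.Elapsed.TotalSeconds, 1)

        $installer = $session.CreateUpdateInstaller()
        $installer.Updates = $single
        $timer.Restart()
        $result = $installer.Install()
        $row.InstallSec     = [math]::Round($timer.Elapsed.TotalSeconds, 1)
        $row.ResultCode     = [int]$result.ResultCode
        $row.RebootRequired = $result.RebootRequired
    }
    catch {
        $row.Error = $_.Exception.Message   # keep going so one bad patch does not end the run
    }
    [pscustomobject]$row | Export-Csv -Path $logPath -Append -NoTypeInformation

    # A pending reboot would distort later timings: stop, restart, then run again
    if ($row.RebootRequired) { break }
}
```

Sorting the resulting CSV by InstallSec shows which updates are the outliers on that hardware.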