The Pros and Cons of Automatic Updates - Page 2
The problem with an automated system is that an administrator can quickly lose track of changes being made to his or her systems when those changes don't require the administrator's intervention. This may seem minor, but consider the following example. A recent Microsoft security update was offered to systems through automatic updates even though it required a particular service pack level that not all of the systems had reached.
When installed, the patch caused an incompatibility with a core DLL, and the affected systems halted with Stop errors on restart (see Q318533 and related articles). Had the install been performed manually, the administrator would have been alerted to the prerequisite right away.
Making matters worse, the updates in this case had been installed automatically a few days before the restarts, so the administrator did not immediately connect them with the errors. As you can imagine, diagnosing the issue took considerable time that could have been avoided had the install required manual approval.
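To make the two lessons of that incident concrete, here is an added PowerShell example (not from the original article, and not Microsoft's tooling): a prerequisite check that refuses an update when the host's service pack level is below what the update requires, and a lookup of every hotfix installed in the days before a Stop error, so the change is not lost to memory by the time the machine reboots. The KB numbers, dates and service pack levels are constructed sample data; the optional live lines at the end assume Get-HotFix, Get-CimInstance and the System log's bugcheck event (ID 1001) are available on the host.

```powershell
# Added example, not from the original article. Gate a hotfix on its service
# pack prerequisite, then correlate recent installs with a later Stop error.
# The hotfix IDs, prerequisite levels and timestamps below are constructed.

function Test-ServicePackPrerequisite {
    param(
        [Parameter(Mandatory)][int]$RequiredServicePack,
        # Default reads the live value; the demo below passes a value instead.
        [int]$InstalledServicePack = (Get-CimInstance Win32_OperatingSystem).ServicePackMajorVersion
    )
    # Refuse to proceed when the host is below the level the update expects.
    # This is the check a manual install would have surfaced in the article.
    return $InstalledServicePack -ge $RequiredServicePack
}

function Get-UpdatesBeforeCrash {
    param(
        [Parameter(Mandatory)][datetime]$CrashTime,
        [int]$LookbackDays = 14,
        # Default pulls the live hotfix list; the demo passes sample objects.
        [object[]]$HotFixes = (Get-HotFix)
    )
    $windowStart = $CrashTime.AddDays(-$LookbackDays)
    # InstalledOn can be null for some entries, so test it before comparing.
    $HotFixes |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $windowStart -and $_.InstalledOn -le $CrashTime } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

# --- Constructed demo data so this runs offline (placeholder KB numbers) ---
$sampleHotFixes = @(
    [pscustomobject]@{ HotFixID = 'KB000001'; Description = 'Security Update'; InstalledOn = [datetime]'2024-03-01' }
    [pscustomobject]@{ HotFixID = 'KB000002'; Description = 'Security Update'; InstalledOn = [datetime]'2024-03-09' }
    [pscustomobject]@{ HotFixID = 'KB000003'; Description = 'Update';          InstalledOn = [datetime]'2024-01-15' }
)
# First restart after the installs, as in the article's scenario.
$crash = [datetime]'2024-03-12'

# 1. Gate: host is at SP1, the update requires SP2, so it must not install.
if (-not (Test-ServicePackPrerequisite -RequiredServicePack 2 -InstalledServicePack 1)) {
    Write-Warning 'Prerequisite service pack not met; refusing to install.'
}

# 2. Correlate: which updates landed in the two weeks before the Stop error?
#    Expect KB000002 and KB000001; KB000003 is outside the window.
Get-UpdatesBeforeCrash -CrashTime $crash -HotFixes $sampleHotFixes | Format-Table -AutoSize

# Live use: take the most recent bugcheck record from the System log and pass
# its timestamp in, letting -HotFixes default to Get-HotFix on this host.
# $lastCrash = (Get-WinEvent -FilterHashtable @{
#     LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'; Id = 1001
# } -MaxEvents 1).TimeCreated
# Get-UpdatesBeforeCrash -CrashTime $lastCrash
```

Run the gate before any unattended install step, and run the correlation as the first diagnostic after an unexplained Stop error; the point of the second function is that the install date, not the reboot date, is what ties the crash to the change.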
As mentioned earlier, though, the automated system has numerous advantages. My personal preference is to use automatic updates on systems that I am physically close to and that are not in critical settings. For more mission-critical machines, I prefer to monitor for updates by subscribing to Microsoft's Product Security Notification Service and to schedule times to apply the fixes based on the severity of the threat, its applicability, and so on.
As the number of threats increases, it is becoming more and more critical that hotfixes be applied in a timely manner. The same holds true for service packs. Allowing time to go by before patching your systems is a risky proposition.
One final note — remember that those with malicious intent also subscribe to NTBugTraq and Microsoft's notification service. To them, these services provide a list of new things to look for and try. If your system is already patched when they come looking, they will just have to move on to the next one.
This feature originally appeared on Enterprise IT Planet.