Be Careful with WSUS Updates!

Updating SBS servers used to be a fairly simple and straightforward thing, especially as it comes with WSUS (Windows Server Update Services).

My practice when installing SBS is to disable WSUS from automatically installing any updates. That allows me to decide which updates should be installed, and when. More importantly, it allows me to skip certain updates.

I have also made it a habit to install any .NET updates separately from all other updates. And if there is more than one .NET update to be installed, I install them one at a time. I have since extended that to other server apps managed by WSUS, such as Exchange, SQL, and SharePoint.

But what do you do if there is an update to WSUS itself, and that update breaks WSUS?

That’s exactly what happened when KB 2720211 was released earlier this month (June 8th, 2012). Soon afterwards, we started getting reports of this patch failing to install, leaving WSUS in a broken state.

Microsoft released a blog post on June 20th addressing common issues with installing KB 2720211 and how to fix them. Please read the post closely, and especially heed the advice to perform basic health checks of your WSUS server, such as running the WSUS Cleanup Wizard!

This reinforces the need to review your own process for installing patches. Mine includes:

  • Make sure you have a good backup of your server before proceeding
  • If possible, reboot the server before installing major updates, such as service packs or rollups
  • There’s no reason to be the first kid on the block to install certain updates. I regularly will wait a week or two after major updates or patches have been released, and monitor the SBS Official Blog site and the Microsoft SBS Forum to see if any issues have been tracked.
  • Install security patches first.
  • Install server apps, such as .NET, Exchange, SharePoint, SQL, WSUS separately from all other updates, and install such updates one at a time.
  • When all updates have been applied, I reboot the server and then check the event logs for any issues.
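
One way to script the post-reboot check in the last step, as an added PowerShell example that is not from the original post. The 7-day hotfix window, the choice of the System and Application logs, and the limit of 20 groups are assumptions; it uses only cmdlets available in PowerShell 2.0.

```powershell
# Post-patch health check. Run in an elevated PowerShell session on the server.

# Time of the last boot, i.e. the reboot that followed the update run.
$os       = Get-WmiObject -Class Win32_OperatingSystem
$lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)
"Last boot: $lastBoot"

# Updates recorded as installed in the 7 days before this boot
# (the window is an assumption; widen it if you patch over several days).
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $lastBoot.AddDays(-7) } |
    Sort-Object InstalledOn |
    Format-Table HotFixID, Description, InstalledOn -AutoSize

# Services set to start automatically that are not running after the reboot.
# On a WSUS server, WsusService showing up here means WSUS did not come back.
Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
    Format-Table Name, DisplayName, State -AutoSize

# Critical (Level 1) and Error (Level 2) events logged since the boot.
$filter = @{
    LogName   = 'System', 'Application'
    Level     = 1, 2
    StartTime = $lastBoot
}
# Get-WinEvent reports an error when nothing matches; suppress it so a clean
# server simply produces an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    "No Critical or Error events since last boot."
} else {
    # Group by source and event ID so recurring problems stand out.
    $events |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object -First 20 Count, Name |
        Format-Table -AutoSize
}
```

Running it once before patching as well gives a baseline, so errors that predate the updates are not blamed on them.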