As a small software development company, we run a few Windows production webservers and manually install Microsoft updates and security patches. Most of the time, a restart is required.
After the updates are installed and the server asks for a restart, is the server during the time between this message and the restart somehow more vulnerable, or is it perfectly in order to delay the restart (and the security level remains the same as before)?
The server needs to reboot to finish patching files that were in use during the patching process. Leaving your machine in an inconsistent state (i.e. installing updates and then letting it run) leaves your machine at greater risk, as you are between two states.
The first is before you patched, at a known good level of Microsoft updates.
The second state is your machine running the latest set of Microsoft patches.
What you are creating is a third state where some files are updated whilst others aren't. The question isn't really "are you more at risk?" (because the answer seems an obvious yes); it's what steps would you take if your machine was compromised during this inconsistent state? I would imagine Microsoft would say to you what they said to me in the past: 'Oh dear, I'm very sorry, rebuild your machine, it wasn't in a configuration we support.'
If you're patching your machine, do it in one hit: apply the patches and immediately reboot it, even if it means staying around out of hours to do it. If your application is that critical that you cannot manage a 5 minute reboot outage, then you ought to be looking at extending your infrastructure to cope with it (i.e. multiple load-balanced servers).
Delaying the server restart after patches have been applied is something you really, really should avoid.
This would leave the server in an inconsistent state, where some parts of a patch have been applied and some not, and the problem here is not as much about security as about stability: after a patch installation and prior to rebooting you can have all sorts of incompatible DLLs around your system.
I had a really bad experience with a Windows Server 2003 domain controller which was patched (by someone other than me) and not restarted for a whole week. During that week, every authentication request processed by that DC failed because it was not working properly, and this created quite a big mess on the network. The problem has been somewhat mitigated since Windows Server 2008 (which does the "real" patching during the shutdown and boot phases), but I'd personally never leave a server online when a patch restart is pending.
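A defender's check for the state the two answers above describe, added here as an example and not code from any of the posters: it reads the standard Windows pending-reboot indicators (the CBS RebootPending key, the Windows Update RebootRequired key and PendingFileRenameOperations) and lists hotfixes recorded after the last boot. It assumes PowerShell 3 or later on Windows Server 2008 or newer, and that Get-HotFix's day-granular InstalledOn date is good enough to spot patches applied since the last boot.

```powershell
# Added example (not from the thread): report whether this server is sitting in the
# "patched but not yet rebooted" state, and for how long. Run in an elevated session.
function Get-PendingRebootState {
    $cbs  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $smgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    # The servicing stack has staged files it can only swap in during boot.
    $cbsPending = Test-Path $cbs
    # Windows Update itself has flagged that a restart is required.
    $wuPending  = Test-Path $wu
    # In-use files queued for replacement at next boot: the mechanism behind the "third state".
    $renames = (Get-ItemProperty -Path $smgr -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $renamePending = ($null -ne $renames) -and (@($renames).Count -gt 0)

    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    # Assumption: InstalledOn carries only a date, so compare against the boot date.
    $sinceBoot = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $lastBoot.Date }

    [PSCustomObject]@{
        ComputerName           = $env:COMPUTERNAME
        LastBootUpTime         = $lastBoot
        HoursSinceBoot         = [math]::Round(((Get-Date) - $lastBoot).TotalHours, 1)
        CbsRebootPending       = $cbsPending
        WindowsUpdateRebootReq = $wuPending
        PendingFileRenames     = $renamePending
        RebootPending          = ($cbsPending -or $wuPending -or $renamePending)
        HotfixesSinceLastBoot  = @($sinceBoot | ForEach-Object { $_.HotFixID })
    }
}

$state = Get-PendingRebootState
$state | Format-List
if ($state.RebootPending) {
    Write-Warning ("Reboot pending; last boot was {0} hours ago and {1} hotfix(es) were recorded since then." -f
        $state.HoursSinceBoot, $state.HotfixesSinceLastBoot.Count)
}
```

Scheduled against each patched server, the RebootPending and HoursSinceBoot fields give a simple inventory of machines still between the two states, which is the information needed to decide whether a restart can wait.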
I don't agree with the accepted answer: If an update requires a reboot, the actual patching and changing of the system happens at the reboot?
Even if it is good to restart the system in a timely manner after updates that require a reboot, I believe it is best always to apply updates immediately when they occur, even if a reboot will be postponed for several hours or even days.
Additionally: none of the Microsoft articles describing update postponing state that there is a non-security risk when postponing.
Summary:
- I would guess it's best to always apply (at least security) updates immediately.
- Postponing updates for a day or two is a lesser concern over the benefits of applying security patches immediately.