Yesterday I babysat a Windows 2008 R2 server for three hours applying multiple rounds of Windows Updates. This is not a good use of my time.
This is a server that cannot apply updates automatically; I have to schedule maintenance windows in order to reboot the server. I want to bring Windows completely up to date during that maintenance window, which often means multiple rounds of a check-for-updates/download-updates/apply-updates/reboot cycle.
I know that I can download updates and apply them manually, but that doesn't really help when Windows determines after the first round of updates that it needs to apply even more updates.
The biggest problem is that it can easily take ten minutes for Windows to determine what updates it needs to apply. It can then take easily another ten minutes to download these updates. Then it can take ten minutes to reboot and finish the update installation. If it decides that you need three rounds of updates, that's an hour and a half, and that assumes that Windows doesn't freak out and make one of those steps take forever, or fail, making you start over.
Is there any way to determine all of the updates that would be needed to bring a Windows system up to date beforehand, so that I can just apply them all by hand and avoid having to wait for Windows to perform its interminably long checks and ridiculously slow downloads multiple times during my maintenance window?
(I feel like this should be a FAQ, but I can't find it.)
WSUS. Just installed it myself a few weeks ago and it's making my life much easier.
As far as I know, no, not really. The core problem is that Windows Update doesn't flag an update as needed if a prerequisite update is missing. It does this to prevent attempting to install an update whose prerequisite has not yet been met, which could lead to a system that won't even boot. It's potentially very complicated to generate a list of missing updates that accounts for prerequisites, superseded updates, etc., and for all software installed on a system, including software that will be installed by each patch or update in the chain.
About the best you can do is use a patch management system like WSUS to see that a server doesn't have certain updates installed. If you see a server missing monthly updates from the last six months, you know it might need multiple restarts if the same system was patched multiple times or upgraded and then patched.
Note that if you wait long enough, you'll find the same issue to be true with Linux updates as well.
The best way to avoid the situation is to patch often.
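As an added illustration of the point in this answer (example script, not something posted in the thread), the following PowerShell uses the Windows Update Agent COM API to list the updates the local agent currently considers applicable but not installed, and optionally pre-downloads them so the maintenance window only has to cover install and reboot. It assumes it is run elevated on the server itself and that the `Microsoft.Update.Session` COM object is available, as it is on Windows Server 2008 R2 and later. It does not get around the limitation described above: an update whose prerequisite is not yet installed will only show up on a later run, after that prerequisite is in place and the server has rebooted.

```powershell
# Added example: enumerate the updates the Windows Update Agent can see right now
# and, with -Download, stage their payloads ahead of the maintenance window.
# Assumptions: run elevated on the target server; WUA COM API available.
# Caveat: only the current "round" is visible. Updates gated behind a missing
# prerequisite appear only after that prerequisite is installed and a reboot.

param(
    [switch]$Download   # pre-stage payloads so the window only needs install + reboot
)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# WUA search criteria string. IsHidden=0 skips updates an admin has hidden;
# Type='Software' leaves out driver updates.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

if ($result.Updates.Count -eq 0) {
    Write-Output "No applicable updates detected in this round."
    return
}

# One row per update: KB number(s), MSRC severity, whether the payload is
# already cached locally, and whether installing it can trigger a reboot.
$result.Updates |
    Select-Object @{n='KB';             e={ ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',' }},
                  @{n='Severity';       e={ $_.MsrcSeverity }},
                  @{n='Downloaded';     e={ $_.IsDownloaded }},
                  @{n='RebootRequired'; e={ $_.InstallationBehavior.RebootBehavior -ne 0 }},
                  Title |
    Format-Table -AutoSize

if ($Download) {
    # Collect only the updates whose payload is not yet on disk.
    $toDownload = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $result.Updates) {
        if (-not $u.IsDownloaded) { [void]$toDownload.Add($u) }
    }
    if ($toDownload.Count -gt 0) {
        $downloader = $session.CreateUpdateDownloader()
        $downloader.Updates = $toDownload
        $dl = $downloader.Download()
        # OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed
        Write-Output ("Download result code: {0}" -f $dl.ResultCode)
    }
}

# Cross-check against what is already installed; this is the same "installed"
# view a WSUS console would report for the server.
Write-Output "Most recently installed hotfixes:"
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 |
    Format-Table HotFixID, InstalledOn -AutoSize
```

Run it once before the window (with `-Download`) and once more after each reboot; the second run is where the prerequisite-gated updates from the answer above first become visible, which is why the script cannot shorten the number of rounds, only the download time of each one.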
Yesterday I babysat a Windows 2008 R2 server for three hours applying multiple rounds of Windows Updates. This is not a good use of my time.
Don't wait so long between update cycles. Microsoft releases updates every second Tuesday of every month (for the past 13 years). If you install patches every month you'll (almost) never have more than a single download/install/reboot cycle per server.