Microsoft Switches Gears on SharePoint Server Update Delivery

Future updates to SharePoint Server, including non-security updates, will be delivered to organizations automatically through the Windows Update service, Microsoft said this week.

The policy change was announced in a blog post Thursday by Stefan Gossner, a senior escalation engineer for SharePoint at Microsoft. The change took effect with this week's release of cumulative updates (CUs) for both SharePoint Server 2010 and SharePoint Server 2013, according to Gossner. He published separate advice on installing the CUs for SharePoint 2010 and for SharePoint 2013. He also published details on the particular security fixes released this month in another blog post.

Windows Update delivery implies automatic installations. That could be a scary prospect for IT pros lacking controls preventing automatic installations. And despite Microsoft's new policy, IT pros are obligated to test these CUs before adding them to a production environment. Gossner offered a warning to that end in his blog post. "A caveat [to CU delivery through Windows Update] is that evaluating the fix in a test environment before applying it on the production farm will be more complicated," Gossner wrote, without elaborating.

Don't Install CUs Automatically
Todd Klindt, a Microsoft SharePoint MVP and SharePoint principal architect at Rackspace, noted that the CUs will now show up in Windows Update as Important updates, meaning that they get installed automatically, without notice.

"I recommend either setting Windows Update on each server to 'Download only' or I recommend using WSUS [Windows Server Update Services] to push patches out to servers," he said.
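One way to check which of those postures each server is actually in is to read the Windows Update policy values from the registry. The script below is an added example, not from the article or from Klindt; the server names are constructed, and it assumes PowerShell remoting is enabled and that update settings are delivered by policy.

```powershell
# Added example: report the Windows Update policy on each SharePoint server.
# Server names are constructed placeholders; PowerShell remoting is assumed.
$Servers = @('SP-WFE01', 'SP-APP01')

$check = {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    $usesWsus = ($au.UseWUServer -eq 1)

    # AUOptions policy values: 2 = notify before download,
    # 3 = download automatically, notify before install ("Download only"),
    # 4 = download and install on a schedule, 5 = local administrator chooses.
    if (-not $au) {
        $finding = 'REVIEW: no update policy set, local setting applies'
    } elseif ($au.NoAutoUpdate -eq 1) {
        $finding = 'OK: automatic updates disabled, patching is manual'
    } elseif ($au.AUOptions -eq 4 -and $usesWsus) {
        $finding = 'REVIEW: installs whatever is approved in WSUS'
    } elseif ($au.AUOptions -eq 4) {
        $finding = 'RISK: updates install automatically on a schedule'
    } elseif ($au.AUOptions -eq 2 -or $au.AUOptions -eq 3) {
        $finding = 'OK: nothing installs without an administrator'
    } else {
        $finding = "REVIEW: AUOptions = $($au.AUOptions)"
    }

    New-Object PSObject -Property @{
        Server     = $env:COMPUTERNAME
        AUOptions  = $au.AUOptions
        UsesWsus   = $usesWsus
        WsusServer = $wu.WUServer
        Finding    = $finding
    }
}

Invoke-Command -ComputerName $Servers -ScriptBlock $check |
    Select-Object Server, AUOptions, UsesWsus, WsusServer, Finding |
    Format-Table -AutoSize
```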

Don't install a CU unless it addresses a problem, he explained.

"Since the beginning of time, or since SharePoint 2010 came out, whichever comes first, my guidance has always been not ever to install a cumulative update unless it fixes something that you're experiencing is broken," Klindt said in a phone call. "Unless you can put a fingerprint on the screen next to the problem it will solve for you, you shouldn't install it...because it causes problems. Anytime you go through and make big changes to an application, there's risk. And two, the updates, and even service packs for that matter, have a long glorious tradition of breaking SharePoint, and they can't be uninstalled. So if you install a CU just because it's new and shiny and it breaks something, you're stuck 'til the next one comes out and hopefully it'll fix it."

Microsoft's use of Windows Update to deliver SharePoint Server updates isn't exactly new, according to Klindt. In the recent past, Microsoft had sometimes pushed out a SharePoint patch that way, which tended to "freak out" IT pros, he said.

"It has happened before, but it was always the exception and not the rule," he explained. Possibly, those previous Windows Update releases were trial balloons, he suggested, but now Microsoft is proceeding with it as policy.

While Klindt recommends using WSUS to control SharePoint Server updates, he hasn't seen many organizations using it.

"I would say with the customers that I've touched, almost none of them used WSUS," Klindt said. "It's really only for big organizations. Most smaller companies don't [use WSUS] because it's just one more thing to learn; it's just one more thing to manage."

Microsoft's new policy will mandate having a test environment in place, though such an environment can't be a perfect copy of production, according to Klindt.

"I think it's not possible to build and maintain a test environment that is exactly the same as the product, but that's one of those things where I don't let the perfect be the enemy of the good," he said. "All of your content is not going to be set up the same, but [having a test environment is] better than nothing at all."

Klindt said he thought that a lot of organizations don't get a view of what might break in advance by participating in Microsoft's fast- and slow-ring testing process. The hope is that testers will discover the major problems, and that things will get fixed about a month or two before the update rolls out.

Uber Packages
Noteworthy this month is that both February CU releases for SharePoint 2010 and SharePoint 2013 include uber packages, which Gossner also called "full server packages." The presence of an uber package is worth noting because it includes fixes for all of the SharePoint server components. Microsoft has previously explained the uber package concept, saying that such packages are similar to "mini-service packs."

Microsoft also has non-uber packages to watch out for, according to Klindt.

"When I'm talking to customers, I tell them, 'Don't install a cumulative update unless [something bad has happened],' but when those non-uber ones come out, they scare the pants off me," he said. "Because, the reason those patches come out, those non-ubers, is because Microsoft didn't have time to test the uber -- didn't have time to put it all together. And now that the SharePoint team is committed to putting patches out on a patch Tuesday, they can't delay it and finish their testing...so that makes me even more scared of the patch, if that's possible."

Klindt noted in his blog post that IT pros still have to run the SharePoint Products Configuration Wizard after applying the updates, which Microsoft requires. It's a method for upgrading the shared components after patching the server. Klindt explained that the wizard can also be run via a command line interface, where Microsoft refers to it as "PSConfig." It's also possible to use PowerShell to carry out this task, he added.

"The way Microsoft wanted this [Products Configuration Wizard] to be able to be run is you could install the binaries in the background without incurring downtime, and then have your scheduled downtime whenever, and run the Configuration Wizard on all of the machines in your farm to lay the bits down -- swap out the old bits and put in the new bits. The Config Wizard also does a lot of cleanup things, like it verifies permissions on registry keys and verifies permissions on file systems and stuff like that. But you have to run it on every server on your farm every time you test your binaries."

Build-number tracking is also a concern for IT pros managing SharePoint Server installations. Klindt regularly updates listings for them, both for SharePoint 2010 and SharePoint 2013.
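
The post-patch steps described above (checking the build number, then running PSConfig on every server in the farm) can be scripted as follows. This is an added example, not code from the article, Klindt or Microsoft; it assumes an elevated session on a SharePoint server under a farm administrator account, and the function name is hypothetical.

```powershell
# Added example: show the farm build and which servers still need the
# Products Configuration Wizard, then run PSConfig on the local server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farm = Get-SPFarm
Write-Output "Farm build: $($farm.BuildVersion)"

# Role 'Invalid' marks non-SharePoint machines in the farm, such as the SQL server.
# NeedsUpgrade is True while a server still has a pending upgrade action.
Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object Address, Role, NeedsUpgrade |
    Sort-Object Address |
    Format-Table -AutoSize

# Hypothetical helper name; must be run on every server in the farm.
function Invoke-LocalPsConfig {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Major version 14 = SharePoint 2010, 15 = SharePoint 2013.
    $hive = $farm.BuildVersion.Major
    $psconfig = Join-Path $env:CommonProgramFiles `
        "Microsoft Shared\Web Server Extensions\$hive\BIN\PSConfig.exe"
    if (-not (Test-Path $psconfig)) { throw "PSConfig.exe not found at $psconfig" }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'PSConfig build-to-build upgrade')) {
        & $psconfig -cmd upgrade -inplace b2b -wait -force
        if ($LASTEXITCODE -ne 0) { throw "PSConfig exited with code $LASTEXITCODE" }
    }
}

# Preview first; drop -WhatIf during the scheduled downtime window.
Invoke-LocalPsConfig -WhatIf
```

Comparing the reported farm build against the published build-number listings shows which CU the farm is actually on.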