Microsoft To Debut, Demo Software Update Services 2.0 Next Week

The beta is expected to be announced at the company's annual management software show in Las Vegas next week and be available by the end of the month but the actual release of the code into the hands of select testers may slip until April, sources said.

The long awaited patch management server code for Windows Server 2003, expected to ship in mid-2004, has been significantly enhanced and will include support for the first time for Office, SQL Server and Exchange patches, as well as new hooks for ISVs, sources said.

One Microsoft Software Update Services insider told CRN via e-mail recently that the beta was scheduled for late first quarter and the final release in late second quarter of 2004.

SUS 1.0, which hit the market two years ago, provides support for Windows critical updates, patches and updates only.

"It address more than the operating system now, the application stack as well, and it's a way to get secure and stay secure," said one source familiar with the SUS 2.0 plans. "SUS is not just for the OS but Outlook and Internet Explorer are covered as part of core [SUS 2.0] now and third party vendors will have hooks they can develop to."

Microsoft declined to confirm or deny this report.

Microsoft CEO Steve Ballmer promised at the Momentum Partner Conference in October that SUS 2.0 would go a long way toward providing better and faster patch management and support for applications beyond Windows.

So far, the beta code is said to deliver on much of what is promised.

"I thought maybe Office [support] wouldn't make it in but SUS 2.0 will include support for Office and SQL and Exchange," said one source in the partner community. ""It has the enhanced reporting, but only if you connect it up to a Microsoft SQL Server."

Sources said most of what was promised is in the beta but users will be required to update their PCs with Windows XP Service Pack 2 client update, also due midyear.

The security enhanced Windows XP SP2, which was demonstrated Monday at CMP's XChange partner conference in Nashville, Tenn., will integrate a SUS 2.0 client, according to documents viewed by CRN.

"There's a horde of new features in SUS 2.0," said another source familiar with the SUS 2.0 plans. "The highlights are SQL Server database and MSDE, web-based reporting, targeted distribution, Windows Installer 3.0 support, support for many more applications including IE, Office and SQL server. On the downside, however, it will require managed computers to be running Windows 2000 SP4, Windows XP SP2, and Windows 2003 SP1 and above."

According to information available on the company web site, Microsoft plans to ship SUS 2.0 along with Microsoft Update midyear. Microsoft Baseline Analyzer 2.0 is also expected to debut over the next few months.

According to a Microsoft report on patch management on the company wbe site, SUS 2.0 will offer increased administrative flexibility, simplified patch management and update management, and system rollback functionality to previous configurations in the event of a bad install.

Microsoft's SUS 2.0 will also make it possible for users to target updates to groups using Active Directory Group Policy or static list-based non-Active Directory definitions.

Reaction in the channel is mixed. While many Microsoft users expect to use the free software, others have adopted third party patch management solutions, partners say.

"Considering all of the issues in the past year with holes found and patches, it's definitely important going forward because it's an easy way to push out patches and fixes especially for vulnerability issues. Prior to SUS, it was a manual effort," said David Pearce, president of Rutter Networking Technologies, a solution provider in Woburn, Mass. "If we are doing work on our clients' LAN, we'll recommend SUS 2.0 be deployed and any network designs we do we will include it."

One executive at @Stake said the release of SUS 2.0 is important to Microsoft but patch management is a big problem and most customers have turned to third party solutions to deploy the myriad of patches that have been released along with many worms and viruses over the past six months

"I don't get the feeling anyone is waiting with baited breath. There's no urgency for Microsoft to produce any tool," said Jason Chan, Seattle-based principal security architect for @Stake, a security consulting firm headquartered in Cambridge, Mass. "A good number of people are using non-Microsoft products to patch Microsoft software like Shavlik, PatchLink and Big Fix."

Microsoft Update, currently known as Windows Update, is the hosted service that will support patches, updates and service packs for Windows 2000, XP, Server 2000 and 2003 operating systems as well as Microsoft Office 2003, Microsoft SQL Server 2000, and Microsoft Exchange Server 2003, according to sources. It is due to be finished midyear, sources said.

Microsoft Baseline Security Analyzer 2.0, also planned for release during the first half, will offer tight integration with SUS 2.0 and Microsoft Update, according to Microsoft's report on SUS 1.0 and SUS 2.0.

The version 2.0 update is expected to offer enterprise level scanning with support for centralized storage to either a SQL database or a network store. Additionally, MBSA 2.0 is expected to offer a configurable engine check via a common engine framework, enhanced support for Microsoft Systems Management Server and integration with stand-alone tools like IISLockdown and SQLScan. Microsoft recently released MBSA 1.2.