
Our 2008 R2 IIS web server needs to be updated. We have some critical client applications running on it, so we decided not to apply any patches due to the downtime. Now we've accumulated a backlog of about 75 updates, some dating back to 2012!

What should I take into consideration when applying a large backlog of patches? I'm particularly concerned about one of the patches breaking our .NET Framework 4.0 applications.

(I'm particularly interested in hearing about any gleaming issues with IIS / .NET framework 4.0 and windows 2008 R2 updates you might have experienced that caused you to have to revert back, if any.)

Katherine Villyard
Ahsan
  • Ah, no? But that does not mean your application is compatible with all of them, so the usual "take a backup" basic rule applies, or do it on a VM and snapshot. At this stage I would ask myself whether or not to move towards Server 2012 R2 and hire an admin that does not put my servers at risk for not applying high-impact security patches. – TomTom Feb 25 '14 at 06:27
  • There used to be a gotcha with .NET Framework 4.5 replacing the 4.0 assemblies with buggy ones, but that has been fixed in 4.5 SP1 afaik, so as long as you go to 4.5 SP1, you should be fine. – Matthew Skelton Feb 25 '14 at 10:34
  • Whoever left a down vote should have left a comment why this is a bad question, really. – Ahsan Feb 27 '14 at 02:12
  • Katherine did a great job helping you out, but your question is very poor. Asking such a broad-stroke question as "did anyone..." is too far reaching, but fortunately she salvaged it with her answer. – TheCleaner Feb 27 '14 at 14:46
  • I'm not the person who downvoted you, because I think "I took over a web server that needs 75 updates dating as far back as 2012. What are the considerations in applying a huge update backlog? I'm particularly concerned about our custom apps that use .NET framework 4.0," is a reasonable question. That's the subtext but not the literal phrasing of the question you asked. (The "I'm not the admin who did it, I just took over" was even in a now-deleted comment.) – Katherine Villyard Feb 28 '14 at 12:45

1 Answer

At this point, with 75 updates, if something goes wrong it'll be hard to pick out which one broke things. That calls for extra caution, in my opinion.

If this is a VM:

  1. Clone the VM.
  2. Patch the clone. If this is a success:
  3. Take a snapshot of prod.
  4. Patch prod. In case of disaster, roll back.

If this is physical hardware:

  1. Patch any "test" environments you have. (If you don't have one, consider creating one.) Assuming success:
  2. Take backups of prod.
  3. Test restoring your backups.
  4. Patch the server. In case of disaster, roll back, via restoring backups if necessary (but hopefully only through uninstalling patches).

All that said, you're looking at two years or so of critical and security patches, so it really has to be done, IMHO. The risk of all those unapplied security patches outweighs the risk of app breakage.

Katherine Villyard
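As an added example (not part of the answer above, and not a script from any vendor): the "patch the clone first, then prod" procedure gets much easier to troubleshoot if you record what the box looked like before the run. This PowerShell script, written to stay within what Windows Server 2008 R2 ships with (PowerShell 2.0, appcmd from IIS 7.5), captures installed hotfixes, the .NET 4.x registry version and IIS app pool/site state to a baseline file, and after patching reports exactly which KBs are new, whether .NET 4.x was upgraded in place, and whether any pool or site is no longer started. The baseline path and smoke-test URLs are placeholders to replace with your own.

```powershell
<#
  Added example, not code from the question or answer above.
  Usage: run with -Mode baseline before patching, then -Mode compare after
  each reboot. $BaselinePath and $SmokeTestUrls are assumed placeholders.
#>
param(
    [ValidateSet('baseline', 'compare')]
    [string]$Mode = 'baseline',
    [string]$BaselinePath = 'C:\PatchBaseline\pre-patch.xml',   # assumed path
    [string[]]$SmokeTestUrls = @('http://localhost/')           # assumed URLs
)

function Get-PatchState {
    # Get-HotFix wraps Win32_QuickFixEngineering: one row per installed KB.
    $hotfixes = Get-HotFix | Select-Object HotFixID, Description, InstalledOn

    # .NET 4.x registers under NDP\v4\Full. The Release value exists only on
    # 4.5 and later, so a change here flags an in-place 4.0 -> 4.5 upgrade.
    $ndpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $ndp = Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue

    # appcmd ships with IIS 7.5; each output line carries the pool's managed
    # runtime version and its state, so a stopped pool shows up in the diff.
    $appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
    $pools = @(& $appcmd list apppool)
    $sites = @(& $appcmd list site)

    New-Object PSObject -Property @{
        Captured   = Get-Date
        HotFixes   = $hotfixes
        NetVersion = $ndp.Version
        NetRelease = $ndp.Release
        AppPools   = $pools
        Sites      = $sites
    }
}

function Show-LineDiff {
    # Prints lines that differ between two string arrays (appcmd output).
    param([string]$Label, $Before, $After)
    if (@($Before).Count -eq 0 -or @($After).Count -eq 0) {
        Write-Host "$Label: nothing to compare (empty on one side)"
        return
    }
    $diff = Compare-Object -ReferenceObject @($Before) -DifferenceObject @($After)
    if ($diff) {
        Write-Host "$Label changed since baseline:"
        $diff | ForEach-Object { Write-Host ("  {0} {1}" -f $_.SideIndicator, $_.InputObject) }
    }
}

function Compare-PatchState {
    param($Before, $After)
    # KBs present now but absent from the baseline: the suspects if an app broke.
    $newKbs = Compare-Object -ReferenceObject @($Before.HotFixes) `
                             -DifferenceObject @($After.HotFixes) -Property HotFixID |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { $_.HotFixID }
    Write-Host ("Newly installed updates ({0}):" -f @($newKbs).Count)
    $newKbs | Sort-Object | ForEach-Object { Write-Host "  $_" }

    if ($Before.NetVersion -ne $After.NetVersion -or $Before.NetRelease -ne $After.NetRelease) {
        Write-Host ("NOTE: .NET 4.x changed: {0} (Release {1}) -> {2} (Release {3})" -f `
            $Before.NetVersion, $Before.NetRelease, $After.NetVersion, $After.NetRelease)
    }
    Show-LineDiff -Label 'App pools' -Before $Before.AppPools -After $After.AppPools
    Show-LineDiff -Label 'Sites'     -Before $Before.Sites    -After $After.Sites
}

function Test-SiteResponds {
    # Plain GET per URL using WebClient, which is available on PowerShell 2.0.
    param([string[]]$Urls)
    $wc = New-Object System.Net.WebClient
    foreach ($u in $Urls) {
        try {
            $null = $wc.DownloadString($u)
            New-Object PSObject -Property @{ Url = $u; Ok = $true;  Error = '' }
        } catch {
            New-Object PSObject -Property @{ Url = $u; Ok = $false; Error = $_.Exception.Message }
        }
    }
}

switch ($Mode) {
    'baseline' {
        $dir = Split-Path -Parent $BaselinePath
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
        Get-PatchState | Export-Clixml -Path $BaselinePath
        Write-Host "Baseline written to $BaselinePath"
    }
    'compare' {
        $before = Import-Clixml -Path $BaselinePath
        Compare-PatchState -Before $before -After (Get-PatchState)
        Test-SiteResponds -Urls $SmokeTestUrls | Format-Table Url, Ok, Error -AutoSize
    }
}
```

Keep the baseline file off the server being patched (or at least alongside the backup the answer tells you to take), since the point of it is to survive a rollback. Running the same script on the clone and on prod also gives you a like-for-like check that the two runs installed the same set of KBs.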