On Oct 27, 2011, at 8:57 AM, Wong Boon Hong wrote:
Even Microsoft patches have been known to break something in the past. Thus, I will let others test the new patches first for a few weeks or even months before I apply them, just to ensure that any problem with these patches will have been fixed by then. Applying a few patches at once will also help to cut down on the amount of downtime, especially when most patches insist on rebooting your OS.
This sounds oddly dangerous to me. Definitely not what you want to be doing when there's a worm with a 0 day making its way around. Probably the best way would be to filter ingress and egress traffic at your perimeter just in case you have been hit by the 0 day, but again, I don't advocate the idea of letting everyone else "test" security patches for a few months, especially on any internet-facing machine.
The worst I have encountered is applying an AVG anti-virus patch which caused Windows to become completely unbootable! But this is easily fixed.
The most fearful is applying an ESX patch which never checks for sufficient storage in its own temp partition first before proceeding, and then fails halfway through, and the incomplete update causes the whole hypervisor to be unbootable!
Maybe the above can be solved by double checking the list of items to prepare before an upgrade(?)