Patching Windows Server 2012 – The New Wild West
A week or so ago, I was excited to find out that Microsoft finally published a KB article that listed the recommended hotfixes and updates for Windows Server 2012 failover clusters (KB 2784261). Microsoft has done this for the major versions of Windows for the past few years (example: Windows Server 2008 R2 SP1 [KB 2545685]). These are great articles because they are very focused on WSFC. However, my excitement for the Windows Server 2012 article is severely dampened. Why?
If you compare the two, notice that W2K8 R2 SP1’s article lists all hotfixes. Look at what W2012 shows in Figure 1:
Cumulative Updates? Oy! Let me preface this comment: I’m a Cluster MVP so inherently as much as I’m a SQL guy, I’m a Windows guy, too. I’m not about biting the hands that feed me but this scares the bejeezus out of me. Cumulative updates are a new concept for Windows, and I’m not sure what cumulative means in Windows. I know what it means in SQL Server. And if you click on the link in that article, you get no information (zero, nada, zilch, nil) about what is in that package. Compare that to a SQL Server CU such as SQL Server 2012 CU5. Even if Microsoft decided to have a hidden fix or two for whatever reason (and I have no reason to believe they have), you’re still getting a list of everything in there. That Windows update? You have no idea. Microsoft is basically asking for blind trust here.
WSFCs (as well as clustered instances of SQL Server [FCIs] and availability groups [AGs]) are usually put in because someone has a need to be up and running – hence mission critical. Something like a cumulative update sends off warning bells for me because instead of directed fixes like the W2K8 R2 SP1 KB, which lists individual hotfixes, you’re getting a ton more fixes that you would eventually get in, say, a service pack. Yes, you will consume them in a service pack, but that is a different beast than something like a CU. For example, on Windows, certain things you don’t want to touch if you don’t have to or until you need to – like TCP/IP. The stability of the networking stack is somewhat important, wouldn’t you say? This is why you don’t apply hotfixes willy-nilly, and you certainly don’t apply a metric ton of them (we don’t even know how many fixes are in that CU) “just because”.
And let’s not even get into things like GDR branching (which I wrote about a little here). With a hotfix, you’ll only blow a few things off of the GDR branch. With a CU, you may blow many things off the GDR branch – some of which you didn’t intend to. That is not a good thing in my opinion, and when I have no clue what is in the update – that’s why this new patching method scares me. I don’t know why Microsoft does not list what’s in the CU for Windows, but right now, I would be wary of applying it unless you do your due diligence and test fully in a non-production environment.
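Part of that due diligence is knowing exactly which updates are on each cluster node before and after you patch, because a WSFC where one node has a fix the others don't is its own source of trouble. The script below is an added example, not from the original post and not something Microsoft ships: it uses the FailoverClusters module and Get-HotFix to inventory installed KBs on every node, reports any expected KB that is missing, and flags patch drift between nodes. The $ExpectedKBs list is a placeholder you would fill from the recommended-hotfixes article for your OS version; the KB IDs shown are made up.

```powershell
# Added example: audit installed hotfixes across all nodes of a failover cluster.
# Run from a node (or a machine with the Failover Cluster PowerShell tools) with
# rights to query each node remotely.
Import-Module FailoverClusters

# Placeholder IDs (assumed, not from the post). Replace with the KB numbers listed in
# Microsoft's recommended-hotfixes article for your Windows version.
$ExpectedKBs = @('KB0000001', 'KB0000002')

$nodes = Get-ClusterNode | Select-Object -ExpandProperty Name

# Collect the HotFixID values installed on each node
$installed = @{}
foreach ($node in $nodes) {
    $installed[$node] = @(Get-HotFix -ComputerName $node |
                          Select-Object -ExpandProperty HotFixID)
}

# 1. Expected KBs that are missing from any node
foreach ($node in $nodes) {
    $missing = @($ExpectedKBs | Where-Object { $installed[$node] -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Output "$node is missing: $($missing -join ', ')"
    }
}

# 2. Patch drift: any KB present on some nodes but not on all of them
$allKBs = $installed.Values | ForEach-Object { $_ } | Sort-Object -Unique
foreach ($kb in $allKBs) {
    $have = @($nodes | Where-Object { $installed[$_] -contains $kb })
    if ($have.Count -lt $nodes.Count) {
        Write-Output "$kb present only on: $($have -join ', ')"
    }
}
```

Run it before patching to get a baseline and again afterwards; the drift check is the one that matters most for a cluster, since a CU whose contents you can't see is far easier to live with when at least every node is carrying the same bits. Note that Get-HotFix only reports updates installed through the Windows servicing stack, so a component shipped another way won't appear here.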
My sincere hope is that Microsoft goes full disclosure with these new CUs for Windows and tells us what’s in them just like the SQL Server CUs show (and also link to the individual KBs). If not, even I will have a hard time recommending them to my customers unless I absolutely, 100% with no question know it fixes a specific problem of theirs. This to me is a step in the wrong direction in how we will patch our Windows Server 2012 boxes.