So I’m sitting in a meeting today and just before it starts I pipe up and say "Has everyone made sure to get today’s out of band update?"
Blank stares.
"Oh come on guys it’s important, make sure you download it."
"What the hell are you talking about?" someone asked.
"Today’s security update!" I said.
"Oh, I have mine set to automatic, what’s the big deal? It will install like normal right?"
"Yes," I replied, "but this is out of band so you might want to force install it now."
"What the hell is out of band?" someone else asked.
"It’s when we release outside of the monthly update cycle," I said, "that’s rarely done, and only for severe issues we see in the wild."
"We do them monthly?" the first person said, "I never noticed, how long have we done that?"
That’s when I realized it is five years ago this month.
You see, before Oct 15th, 2003, we released security updates every week on Wed. at 10am pacific. There was no advance notice, you either checked the security site or Windows Update on Wed. mornings or you weren’t responsible for security updates in your org.
I remember at the time I was very much against moving to monthly updates. It struck me as leaving people vulnerable for way too long.
Boy was I wrong. A couple of customer visits cured me of that notion, as I saw first hand how customers could not handle having critical updates every seven days. The risk model to update reaction time was not scalable for even medium sized organizations. After a ton of research, 30 days was determined from customer feedback to be the optimum spread to make sure organizations could evaluate and deploy updates on a manageable schedule. I think it’s turned out well. (weirdly, Oracle would later mimic us but feel like they had to make it different so they made quarterly security updates.)
So on today’s out of band update, I wish a very happy birthday to consumable and predictable update schedules, and more protected customers in the intervening time.