Network administrators are frequently ambivalent about service packs. On one hand, service packs usually improve network reliability and security. On the other hand, deploying service packs is an "event" that consumes time and resources. So most administrators postpone deployment as long as possible, typically waiting until one or more of the following conditions is met:
At the very least, wait to deploy a new service pack until enough time has elapsed for any complications to come to light. You might also want to perform a limited rollout of the service pack as a test deployment before deploying it to the entire network.
When it comes time to deploy a service pack, you have several options:
The following sections cover the first two methods.
You can also use SMS to deploy service packs. This process is discussed in service pack deployment guides available from Microsoft's Web site.
The new Corporate Windows Update tool provides a way for administrators to host their own Windows Updates servers, control which updates are available to users, and even automatically deploy them. For more information, see http://corporate.windowsupdate.microsoft.com.
Real World
Service Packs in Windows NT
Windows NT does not handle service packs optimally. If you change or install an operating system feature that requires files from the original Windows NT installation CD, you must then reinstall the most recent service pack and any post-service pack hot fixes (such as the Windows NT 4 post-Service Pack 6a security rollup).
Activities that require a service pack reinstall include the following:
In Windows 2000 and Windows XP, once you apply a service pack, you generally do not need to reapply it. The exception is an emergency repair: after one you must reapply the service pack, unless you installed Windows from a network share or media that has the service pack integrated, as described later in this chapter.
The simplest way to install a Windows service pack is to use Windows Update to download and install the service pack (you probably don't need help with this).
You can also download service packs to a network share so that users or administrators can install from the network share. If you decide to use this approach, consider using command-line switches to exert additional control over the update process. The switches discussed in Table 25-4 work for Windows 2000 service packs and should work on Windows XP service packs as well (if you have trouble, consult the service pack documentation on Microsoft's Web site).
Table 25-4. Service pack command-line switches
| Command-Line Switch | Action |
|---|---|
| -u | Runs the service pack update in unattended mode |
| -f | Forces any open applications to close after applying the service pack before restarting the computer |
| -n | Disables the backing up of files, eliminating the ability to uninstall the service pack |
| -o | Overwrites OEM setup files without prompting |
| -z | Disables the automatic restarting of the computer after the completion of setup |
| -q | Runs the service pack in quiet mode with no user interaction required |
| -s:[folder name] | Applies the service pack to a Windows install point so that future installations have the service pack preapplied |
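As an added example (not from the book or from Microsoft), the following batch file shows how the Table 25-4 switches fit into a logon or startup script that installs a Windows 2000 service pack from a network share only on computers below the target level, and how the same script can prepare a slipstreamed install point with -s:. The share and folder names, the log location, the target level, the `update.exe` installer name and the `reg.exe` output format used by the registry check are all assumptions.

```batch
@echo off
rem Added example, not from the book: install a service pack from a network
rem share using the Table 25-4 switches, skipping computers already at the
rem target level. Share, folder, log path, target level and the update.exe
rem installer name are assumptions; adjust them for your environment.
setlocal
set SHARE=\\FILESERVER\Updates\W2KSP3
set INSTALLPOINT=\\FILESERVER\Install\W2K
set TARGET=Service Pack 3
set LOG=\\FILESERVER\Updates\Logs\%COMPUTERNAME%.txt

if /i "%1"=="slipstream" (
  rem Run once by an administrator: -s: integrates the service pack into the
  rem Windows install point so future installations start at the target level.
  "%SHARE%\update.exe" -s:%INSTALLPOINT%
  goto :eof
)

rem Only Windows 2000 (kernel 5.00) should receive a Windows 2000 service pack.
ver | find "5.00" >nul || goto :eof

rem CSDVersion holds the installed service pack string and is absent when no
rem service pack is installed. The parse assumes reg.exe output of the form
rem "CSDVersion  REG_SZ  Service Pack 2".
set CURRENT=none
for /f "tokens=2,*" %%A in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion 2^>nul ^| find "CSDVersion"') do set CURRENT=%%B

if "%CURRENT%"=="%TARGET%" (
  echo %DATE% %TIME% %COMPUTERNAME% already at %TARGET% >> "%LOG%"
  goto :eof
)

rem -u unattended and -q quiet: no prompts, since nobody is watching the
rem script; -z suppresses the automatic restart so the administrator can
rem schedule it. -n is deliberately omitted so the backup files remain and
rem the service pack can be uninstalled if a problem appears after rollout.
"%SHARE%\update.exe" -u -q -z
set RC=%ERRORLEVEL%
echo %DATE% %TIME% %COMPUTERNAME% exit code %RC%: was at %CURRENT%, applied %TARGET% from %SHARE% >> "%LOG%"
endlocal
```

Run the file with no arguments as the computer startup or user logon script; an administrator runs it once with the `slipstream` argument to build the install point. The per-computer log on the share gives you a quick inventory of which machines still report an older CSDVersion after the rollout window.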
One efficient way of deploying service packs is to use the Software Installation and Maintenance feature of Group Policy. There are two ways of doing this. You can assign a service pack to computers so that the service pack is automatically installed at the next reboot, or you can publish the service pack so that users can optionally install it using Add/Remove Programs.
To deploy a service pack using Group Policy, use the following procedure:
You will see the Deploy Software dialog box only if you selected the Display The Deploy Software Dialog Box option in the Software Installation Properties dialog box, as described in the section entitled Setting Software Installation Options earlier in this chapter.
You can also use Group Policy to deploy security patches and hot fixes, although doing so requires repackaging the patches using WinInstall LE. See Microsoft Knowledge Base Article Q314273 for more information.
Microsoft provides a graphical tool and three command-line tools to verify the existence of service packs, security patches, and hot fixes. These tools—Microsoft Baseline Security Analyzer, Hfnetchk.exe, Qfecheck.exe, and Spcheck.exe—are described in the following sections.
The Microsoft Baseline Security Analyzer is a powerful tool that can check the security settings of multiple computers. As such, it's the first tool to use when verifying the security status of computers on your network.
To use the Microsoft Baseline Security Analyzer, use the following steps:
Hfnetchk.exe is a command-line tool that queries either the local computer or a computer on the network and determines which hot fixes or security patches that computer is missing. The tool connects to the Internet, downloads the latest list of patches, and compares this list to the patches installed on the specified computer.
To install Hfnetchk.exe, download it as described in Microsoft Knowledge Base Article Q303215.
To run Hfnetchk.exe, open a command prompt window, navigate to the folder to which you installed Hfnetchk.exe and then type hfnetchk.exe followed by any desired parameters. A few parameters are described in Table 25-5; for a full listing, type hfnetchk -?.
Table 25-5. A partial listing of Hfnetchk.exe parameters
| Parameter | Function |
|---|---|
| -v | Specifies verbose output, which provides extra detail. |
| -h | Specifies the NetBIOS host name of the computer to scan. |
| -i | Specifies the IP address of the host to scan. |
| -d | Specifies the domain to scan. All computers in the domain will be scanned. |
| -b | Performs a baseline security scan, which leaves out noncrucial hot fixes. |
| -f | Specifies that the output should be saved to the specified text file. |
To scan remote computers, each target must have NetBIOS over TCP/IP enabled, and its Server service and Remote Registry service must be running.
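As an added example (not from the book or from Microsoft), the following batch file uses the Table 25-5 parameters to scan a short list of computers one at a time, keeping a report per host and a one-line summary for each. The tool folder, the host names and the "Patch NOT Found" text that the summary counts in the report are assumptions; the host list is constructed for the example.

```batch
@echo off
rem Added example, not from the book: scan a list of computers with
rem Hfnetchk.exe using the Table 25-5 parameters, keeping one report per host
rem and a count of missing patches. The tool folder, the host list and the
rem "Patch NOT Found" marker counted in the summary are assumptions.
setlocal
set HFNETCHK=C:\Tools\Hfnetchk\hfnetchk.exe
set REPORTS=C:\Tools\Hfnetchk\Reports
set SUMMARY=%REPORTS%\summary.txt
if not exist "%REPORTS%" mkdir "%REPORTS%"
echo Hfnetchk baseline scan %DATE% %TIME% > "%SUMMARY%"

rem Constructed sample host list; in practice read it from a file with for /f.
rem Each target needs NetBIOS over TCP/IP enabled and the Server and Remote
rem Registry services running, or the scan of that host produces no report.
for %%H in (DC01 FS01 WS-ACCT01) do (
  rem -b baseline: crucial hot fixes only; -v verbose: why each patch is
  rem reported; -h NetBIOS name of the target; -f write the report to a file.
  "%HFNETCHK%" -b -v -h %%H -f "%REPORTS%\%%H.txt"
  if exist "%REPORTS%\%%H.txt" (
    find /c /i "Patch NOT Found" "%REPORTS%\%%H.txt" >> "%SUMMARY%"
  ) else (
    echo %%H: no report produced, check connectivity and services >> "%SUMMARY%"
  )
)
type "%SUMMARY%"
endlocal
```

Scanning hosts individually rather than with -d lets you keep a report per machine and notice immediately which targets could not be reached, which is usually a sign that the Remote Registry service is stopped or NetBIOS over TCP/IP is disabled on that host.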
The Qfecheck.exe program allows you to scan the local computer for installed hot fixes. To install Qfecheck.exe, download it as described in Microsoft Knowledge Base Article Q2782784.
Once installed (the program installs like a hot fix), the command is available from any command prompt window; simply type qfecheck.exe along with the appropriate parameter (type qfecheck /? for a complete listing of parameters).
The Spcheck.exe tool scans the local computer and reports the service pack level of key system files. To install Spcheck.exe, download it as described in Microsoft Knowledge Base Article Q279631. Once installed, run Spcheck.exe from the folder in which you installed the program. This creates a report file (in the same folder) that you can open and read in Notepad or another text editor.