Win2K server critical patch troubles
Forum: Windows
Category: Administration & Security
Title: Win2K server critical patch troubles
Thread ID: 00900984
Message ID: 00900984
Views: 79
For the 2nd time in 3 months, our IT Security Chief has this great idea about scanning all servers to ensure Admins have been installing all IT-required patches. I fully agree with the concept, no question here at all.

However, the results of 2 different IT scanning techniques have been disastrous. Twice now, I and other Admins have been "written up" for a list of non-installed patches. In March, I finally received a humble apology when I insisted they were wrong and the scanning method was flawed. I gave them a demo to show that many older "missing" patches just disappear from both A/R Programs and the registry once some newer patches are installed. Not an entire SP, just certain newer patches.

Now they're at it again, with some new patch-scanning technique that doesn't work either. Again, I am given a long list of Win2K Server patches I KNOW are installed, but Security says are not.

First, I use MBSA (MS Baseline Security Analyzer, a free tool by MS I also use at home and on workstations) to ascertain what patches are installed. Not a perfect tool, but I think it works well for things like critical patches. MBSA shows my servers are clean. I trust it more than our network scans.

Second, I suspected some kind of "patch bundling" was occurring - that is, the A/R Programs and the registry were combining listings to reduce patch-clutter.

Sure enough, although I'm at Win2K/SP3 by IT edict, I found an SP4 key-category with bundles of files and versions of the patch files. There's even an SP5 listing. In SP4, for example, there is Q323172, with a list of patch files/versions in the tree. That patch itself (Q323172) was for a specific reason, but now contains info on other assorted patches, including ones I'm supposedly missing. There are others like it, with trees of sub-patches, but only listed by exact file/version keys (no MS0X-0YY, no Q#, no KB#s, etc.), so it takes a human a lot of work to figure out what patches are actually installed and what are not.

So this must be a form of "bundling" or "consolidating" the many patches; I think that's clear, and MBSA seems to read this fine, if slowly. But my IT Security people are looking for something faster and simpler to detect critical-patch installs on servers. I am in agreement, and becoming tired of being accused of patch non-installs. I might even get some brownie points for coming up with a reasonable solution :-)

Any ideas, or additions to my theorizing? What do other network Admins do for patch-checking, for example?
The Anonymous Bureaucrat,
and frankly, quite content not to be
a member of either major US political party.
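One way to flatten that SP4/SP5 tree into a file-level inventory and check a scanner's "missing" list against it, as an added Python example (not from the post, and not how MBSA does it). It parses a constructed `reg export` and assumes a `...\Updates\Windows 2000\<SP>\<Q#>\Filelist\<n>` key layout with FileName/Version values; `Q999001`, `Q999002` and the `sample_*.dll` names are placeholders.

```python
import re

# Constructed sample of a `reg export` of the hotfix tree; the key layout
# (...\Updates\Windows 2000\<SPn>\<Qnnnnnn>\Filelist\<i>) is assumed, not quoted from the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q323172\Filelist\0]
"FileName"="sample_a.dll"
"Version"="5.0.2195.6000"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\Q999001\Filelist\0]
"FileName"="sample_a.dll"
"Version"="5.0.2195.7000"
"""

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows 2000\\"
                    r"(?P<sp>SP\d+)\\(?P<patch>(?:Q|KB)\d+)(?:\\Filelist\\\d+)?$", re.I)
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"$')

def _ver(s):
    # "5.0.2195.7000" -> (5, 0, 2195, 7000) so versions compare numerically, not as strings
    return tuple(int(p) for p in s.split("."))

def parse_reg_export(text):
    """Generic .reg parse: {key_path: {value_name: value}} (string values only)."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VAL_RE.match(line)):
            keys[current][m.group("name")] = m.group("value")
    return keys

def installed_files(text):
    """Flatten the tree to {filename: (version, patch)}, keeping the highest version seen."""
    files = {}
    for path, values in parse_reg_export(text).items():
        m = KEY_RE.match(path)
        if m and "FileName" in values:
            name, ver = values["FileName"].lower(), _ver(values.get("Version", "0"))
            if name not in files or ver > files[name][0]:
                files[name] = (ver, m.group("patch").upper())
    return files

def really_missing(required, text):
    """required = {patch: {filename: minimum version}}; a patch counts as installed when
    every file it ships is present at or above that version, whichever newer patch
    ('bundle') the registry now lists the file under."""
    files, missing = installed_files(text), {}
    for patch, wanted in required.items():
        for name, min_ver in wanted.items():
            have = files.get(name.lower())
            if have is None or have[0] < _ver(min_ver):
                missing.setdefault(patch, []).append(name)
    return missing
```

Regedit 5.00 exports are UTF-16, so decode the file to text before passing it in; the version check is the same idea a file-based scanner uses, so a Q-number that vanished into a newer bundle no longer reads as "missing".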