Take a look at these numbers. I’ll explain in more detail below.
We are comparing both Server Core 2008 and R2. The Reduction column is % reduced based off the hotfixes Microsoft released during their existing lifespan. Critical Only is just that, the reduction of patches Microsoft rated Critical for both versions of Server Core.
Now lets look at the rows starting with All applicable patches.
- All roles are all available roles for those versions of Server Core.
- Months without a reboot is really cool. It shows how many months went by with no reboots required on Server Core. Although it is not consecutive months it is still pretty impressive that Server Core R2 has not needed a reboot during half its existence!
- Next we see the reduction of patches with the basic OS installed an none of the major features and roles installed.
Now we see the area called Necessary patches only. What does that mean? That is referencing the patches that are really needed for Server Core. There are some vulnerabilities that show Server Core as vulnerable but its not exploitable. That is what is called out on the bottom of the graphic. Microsoft does this because it has changed the file and would probably prefer you to update the file eventually too. IMHO I’d patch these but would bundle them with the necessary patches.
I remember reading an article from David Cross on TechNet stating the following “In some cases, customers can see up to a 60% reduction in patch requirements and the number of reboots on a monthly basis” These are the numbers that back up statements such as that.
Those are some pretty impressive numbers. Great job to the whole Server Core team. I really hope Microsoft continues with this product and from recent announcements on the next version of SQL it looks like they are sticking with it.
*Numbers updated through the May 2011 patch Tuesday