I’ve been a fan of Server Core since I heard about it and you can see by the 20+ posts I have on the product. Server Core has been out since Windows 2008 which is just under 40 months. Server Core R2 has been out for about 20 months. One of the selling points that Microsoft made on server core was that it would have a reduced attack surface and thus you would have fewer reboots due to patches. While preparing for a talk on Server Core I wanted to investigate this a bit more. I reached out for some help to Andrew Mason (if you don’t know that name you aren’t a Server Core hard core freak like me). Andrew runs the official Server Core blog over on TechNet. Andrew sent me some wonderful information on the subject that I’d like to share with you.
Take a look at these numbers. I’ll explain in more detail below.
We are comparing both Server Core 2008 and R2. The Reduction column is % reduced based off the hotfixes Microsoft released during their existing lifespan. Critical Only is just that, the reduction of patches Microsoft rated Critical for both versions of Server Core.
Now lets look at the rows starting with All applicable patches.
- All roles are all available roles for those versions of Server Core.
- Months without a reboot is really cool. It shows how many months went by with no reboots required on Server Core. Although it is not consecutive months it is still pretty impressive that Server Core R2 has not needed a reboot during half its existence!
- Next we see the reduction of patches with the basic OS installed an none of the major features and roles installed.
Now we see the area called Necessary patches only. What does that mean? That is referencing the patches that are really needed for Server Core. There are some vulnerabilities that show Server Core as vulnerable but its not exploitable. That is what is called out on the bottom of the graphic. Microsoft does this because it has changed the file and would probably prefer you to update the file eventually too. IMHO I’d patch these but would bundle them with the necessary patches.
I remember reading an article from David Cross on TechNet stating the following “In some cases, customers can see up to a 60% reduction in patch requirements and the number of reboots on a monthly basis” These are the numbers that back up statements such as that.
Those are some pretty impressive numbers. Great job to the whole Server Core team. I really hope Microsoft continues with this product and from recent announcements on the next version of SQL it looks like they are sticking with it.
*Numbers updated through the May 2011 patch Tuesday