So by now you know about the stop-gap effort by Microsoft to
There has been so much effort over the past year by all teams within Microsoft to have standards with Hotfixes and this one follows none. The registry logging isn’t even in traditional places to track if the Hotfix has been applied which is really lousy for SMS Administrators because now you have to do some manual modifications to your SMS_DEF.MOF if you want to track the deployment of this in your enterprise. Nope, you wont get this detected by the Software Updates features of 2.0 or 2K3 either as this is considered a “Critical” update and not a “Security” update so the MBSA won’t pick it up.
Ok, I’ll buy all that. I’m sure internal policy and process dictates what can or can’t be done. But why isn’t anything mentioned in the KB article about this for SMS Administrators? Shouldn’t there be something in the KB even to at least link to http://www.microsoft.com/technet/prodtechnol/sms/sms2003/patchupdate.mspx for Administrators who don’t know this information to follow?
Okay, I’ll bite…
Why modify the SMS_DEF.MOF file when the patch information is automatically gathered via Add/Remove Programs? I know it’s not as reliable as a security patch detected via MBSA, but for most companies I’ve worked with they are content with relying upon the Add/Remove Programs entry… especially since it’s very easy to query against.
I understand the different ways to inventory for an update in the registry (and ARP is unfortunately the only place this shows up other than the actual ActiveX Compatibility Keys it makes, it doesn’t show up under ..\WindowsNT\CurrentVersion\Hotfix either). The problem is that there is nothing about this in the KB article or the Download.Ject webpage (http://www.microsoft.com/security/incident/download_ject.mspx has a section specifically for Enterprise Customers) to give those that don’t know where to look information on where to look for reporting metrics back to SMS. Security bulletins contain information for SMS Administrators to deploy updates however this does not because its in the "Critical Update" category rather than "Security Update" category. In larger shops this isn’t a big deal as they have people that have the time to research this stuff, but there are tons of SMS shops out there that don’t have the same luxury. Also, ARP data is only included by default in SMS2K3 or if you selected to include it with the Web Reporting in 2.0 so we can’t just assume that all SMS shops inventory for this already.