Patch Deployment Data Errors

You’re only likely to run into errors in the patch definitions and deployment data if you have a fairly aggressive testing schedule. Any errors in the data released on Patch Tuesday are generally corrected within two days. After being the first to report ten such errors during the first half of 2006, I didn’t find any during the second half. It appears that Microsoft’s pre-release testing has improved significantly, but we still have to be aware of the possibility.

The first thing to do is update the scanners you use as required, late Tuesday evening, and run the scanners on at least a reasonable sample of computers using the expedited program to return results immediately. Wednesday morning you can review the Software Updates section of the console or look at patch status reports to see how many machines reported which updates were applicable. If there are any unexpected results, dig deeper to see if there are problems.

The next step in detecting any deployment data errors is in creating the update packages with the Distribute Software Updates Wizard. I’ve seen many instances where files gave a 404-Not Found error and couldn’t be downloaded by DSUW. The final step is running the updates, first on test machines and then in production, and monitoring for unexpected failures or other problems.

Some of the problems I’ve caught, and the resolution, were:

  • Error in the download filename or path in the XML file, causing a 404-Not Found error
    If you are using SUSFP (the older MBSA, Extended MBSA and Office scanners) you can download the patch file from the MS Bulletin and copy it into the proper folder in the structure created by DSUW. You must open the properties of such patches in DSUW first – that’s when the proper folders are created. I haven’t determined if the bulletin files can be used with ITMU, but they appear to be identical.
     
  • Partially updated scanner updates
    The files comprising the updates to a scanner were not all updated consistently. This caused the scanner to crash on all workstations.
     
  • Errors in the version detection
    I found more than one instance where the scanner data was looking for an incorrect range of version numbers. In each case the scanner was looking for a narrower range of versions, leaving some reported as not applicable when the patch actually would apply successfully. This is only detected by seeing an unexpectedly low rate of applicable machines after scanning, or by comparing SMS results with an independent source such as BindView. They supposedly use the same engine, but I often found disagreements. If the scanner is looking for a wider range, you might get a number of failures.
     
  • Surprises in the command line switches
    Microsoft has generally standardized the switches for different product updates over the past year or so. If you are re-running an older update for any reason, be aware that the command line switches may not be what you expect. In addition, I found that the executable files downloaded by DSUW were occasionally different from those available from the bulletin web page, and used different switches. The one case of that I ran into was an Internet Explorer update, and I learned later that this was common for IE at the time. Such errors show up as unexpected installation failures. When in doubt, run the executable file in a command window with the /? switch. You must run this using an account with local admin rights, even just to check the switches.
     
  • Corrupted downloads
    I had one instance of this, and Bill Gushue reported one in the mssms mailing list. The symptom in his case was that DSUW warned that the publisher was unknown and asked whether you really want to deploy this. My symptom was the same or very similar - I can't remember the exact details. The solution is simple - delete the downloaded file and force DSUW to download it again.

In general, always look at your scanner and deployment status reports, watching for results that are not consistent with your expectations. For example, two patches that you expect to affect the same set of computers may give significantly different results. This is also how you’d discover updates for server products, such as Exchange, that apply to workstations because related tools are installed. Just today, update MS07-039, which supposedly applies only to servers, was reported as applicable on Windows 2000 Professional machines. This type of surprise, and error in bulletin data, will never end.
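The two cross-checks described above (comparing SMS scan results with an independent source, and comparing two updates expected to hit the same machines) can be scripted once both tools export per-machine results. This is an added example, not code from the original post; the CSV layout, machine names, update IDs and the 0.8 threshold are constructed assumptions.

```python
import csv
import io

# Constructed sample exports; the machine,update,applicable layout is an assumption.
SMS_CSV = """machine,update,applicable
WS001,UPDATE-A,yes
WS002,UPDATE-A,no
WS001,UPDATE-B,yes
WS002,UPDATE-B,yes
"""
INDEPENDENT_CSV = """machine,update,applicable
WS001,UPDATE-A,yes
WS002,UPDATE-A,yes
WS001,UPDATE-B,yes
WS002,UPDATE-B,yes
"""

def load(text):
    """Return {update: set of machines reported as applicable}."""
    result = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["applicable"].strip().lower() == "yes":
            result.setdefault(row["update"], set()).add(row["machine"])
    return result

def disagreements(primary, independent):
    """Per update, list machines that only one of the two sources calls applicable."""
    out = {}
    for update in sorted(set(primary) | set(independent)):
        p, i = primary.get(update, set()), independent.get(update, set())
        if p != i:
            out[update] = {"missed_by_primary": sorted(i - p),
                           "extra_in_primary": sorted(p - i)}
    return out

def divergent_pairs(results, expected_pairs, threshold=0.8):
    """Flag update pairs expected to hit the same machines whose overlap (Jaccard) is low."""
    flagged = []
    for a, b in expected_pairs:
        sa, sb = results.get(a, set()), results.get(b, set())
        overlap = len(sa & sb) / len(sa | sb) if (sa | sb) else 1.0
        if overlap < threshold:
            flagged.append((a, b, round(overlap, 2)))
    return flagged

if __name__ == "__main__":
    sms, other = load(SMS_CSV), load(INDEPENDENT_CSV)
    print(disagreements(sms, other))
    print(divergent_pairs(sms, [("UPDATE-A", "UPDATE-B")]))
```

Machines listed under `missed_by_primary` are the candidates for a too-narrow version range in the scanner data; `extra_in_primary` points at the opposite case, where installation failures are more likely.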

Published Friday, June 08, 2007 12:21 PM by spruitt
