delayed Reboots after security patch application

chris.kernaghan

Hi,

I am currently working in an environment which does not have set
downtime windows. It makes patching quite difficult to schedule as a
result.

I would be interested to know if anyone has had successes or issues
with applying patches which require a reboot in the middle of the week,
and then simply rebooting the servers at the weekend.

We are running Oracle databases, and my only concern is that we apply
the patch and by not rebooting we have one version of a file running in
memory and another version present on disk. If anything were to happen
the system might get itself confused.

Has anyone got any advice on this?

TIA

Chris aka BoobBoo
 
karl levinson, mvp

> Hi,
>
> I am currently working in an environment which does not have set
> downtime windows. It makes patching quite difficult to schedule as a
> result.
>
> I would be interested to know if anyone has had successes or issues
> with applying patches which require a reboot in the middle of the week,
> and then simply rebooting the servers at the weekend.
>
> We are running Oracle databases, and my only concern is that we apply
> the patch and by not rebooting we have one version of a file running in
> memory and another version present on disk. If anything were to happen
> the system might get itself confused.

Yes, that's my concern as well. I don't see any advantage to installing the
patch in the middle of the week. Microsoft advises against running machines
in a half patched state, as they believe that increases your chance of
software problems down the line. I've never observed that myself, but it
sounds possible.

Environments that can't tolerate any downtime should use server clustering
so that servers can be patched and rebooted one by one without the
application experiencing downtime. If you don't do that, you're going to
have downtime.
 
chris.kernaghan

Karl,

I know what you mean about using clustered environments, but the
customer has these.

But in accordance with Murphy's law and Mission Critical systems, you
fail the cluster over and something happens. Because we are in a
compliant environment, any issues have to be investigated. So we tend
to not fail over the clusters, only in periods of extremely low
utilisation to minimise effects of any issues.

Chris
 
Roger Abell [MVP]

I do not currently recall (have link) for an interesting discussion read once
in some MS paper . . . to effect that deferred reboot is not advised because
post patching the system is in an intermediate and, IIRC its word correctly
it said, "potentially unstable state".
If your window for cycling the systems is on the weekend that probably
should be when the patches are applied, with use of "workarounds" if
needed due to risks/exposures until that window comes around.
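
One way to see the half-patched state discussed in this thread (a new file on disk waiting for a restart to replace the one in use), as an added PowerShell example that is not part of any post above. It assumes Windows servers; the function name `Get-PendingRebootState` is hypothetical, and the three registry locations are the usual restart-pending markers written by Windows servicing, Windows Update and the Session Manager.

```powershell
# Added example (not from the thread): report whether a restart is pending
# and which files are queued to be replaced or deleted at the next boot.
function Get-PendingRebootState {
    [CmdletBinding()]
    param()

    $cbsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wuKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $smKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    # PendingFileRenameOperations is a REG_MULTI_SZ of source/destination pairs.
    # An empty destination means "delete the source at next boot".
    # Installers other than patches can also write entries here.
    $raw = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations

    $ops = @()
    if ($raw) {
        $entries = @($raw)
        for ($i = 0; $i -lt $entries.Count; $i += 2) {
            # Strip the NT object prefix (\??\) and the optional "!" replace flag.
            $src = $entries[$i] -replace '^\\\?\?\\', ''
            $dst = ''
            if (($i + 1) -lt $entries.Count) {
                $dst = $entries[$i + 1] -replace '^!?\\\?\?\\', ''
            }
            $action = 'DeleteAtBoot'
            if ($dst) { $action = 'ReplaceAtBoot' }
            $ops += [pscustomobject]@{ Action = $action; Source = $src; Destination = $dst }
        }
    }

    $cbs = Test-Path $cbsKey
    $wu  = Test-Path $wuKey
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        ServicingRebootPending = $cbs
        UpdateRebootRequired   = $wu
        PendingFileOperations  = $ops
        RebootPending          = ($cbs -or $wu -or ($ops.Count -gt 0))
    }
}

$state = Get-PendingRebootState
$state | Format-List ComputerName, RebootPending, ServicingRebootPending, UpdateRebootRequired
$state.PendingFileOperations | Format-Table -AutoSize
```

Run from an elevated session on each server after patching; any host reporting `RebootPending = True` is still running the pre-patch binaries listed under `PendingFileOperations`.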
 
