Wed, Apr 5 2006 23:35
bradley
WSUS versus Shavlik?
So Matthew says he's in charge of a 60 user CPA firm, on a non SBS, but fully 2003 sp1 network (okay knock one point off Matt for not running SBS.. but let's keep reading)... and he's evaluating WSUS and looking at Shavlik. He says he's got Windows XP sp2 (mostly), some Windows 2000 (um.... Matt.. another penalty deduction there), and Office 2003 Pro (okay add one point back) and Adobe Acrobat 6.0.
He's wanting to know if the differences between Shavlik and WSUS justify the price.
And he wants to know what hardware I run Shavlik on and how much space the patches consume.
First off Matt...while I have been a beta tester for WSUS 2.0, am beta testing SBS 2003 R2 with added goodness of WSUS... plan to augment my daily email notification with my daily dose/control thrill of that new daily green check in my mailbox... I'm probably still going....no I will keep Shavlik around as my primary patch tool and I'll tell you why.
- I'm a control freak. I like the fact that when I need to get on those workstations fast and like NOW I can remote into my desktop, scan the network, patch, reboot the boxes, scan again, and I'm done. With WSUS... you get what you pay for in that things are not push, they are pull. Yeah there are ways to script things and what not.. but I'm not a scripter.
- I'm an auditor by profession and I like a "trust but verify" routine that I can do. Even now I'm checking what WSUS is doing by running Microsoft Update to double check.
- Shavlik does more than Microsoft... and these days the folks are nailing a ton of other software with vulnerabilities. And if you are still running with local administrator rights, and have third party software like Adobe and what not... you need to get those patches on the boxes as soon as you can.
- I can control when I patch. WSUS isn't as flexible as Shavlik... so like if I don't see a risk level up there that I need to patch on Patch Tuesday, I can wait and patch on Friday night when the timing is better for my office. If I want to do the non essential desktops on Tuesday (patch night) either because of high risk, or the patches are no biggie, I can do machines in separate batches.
- If I really want to get a control thrill, I can silently deploy patches right before 5 knowing that the gang will reboot. Bottom line it's a lot more flexible, and I've built up my patch process, and my firm's patching needs with this tool. It fits my patching process.
And therein lies the key. There's a lot of "process" in patching as much as there is a tool.
As far as what kind of "Hardware" Shavlik resides on..that's the beauty of it... it doesn't have to be installed on the server at all. At my office it's on my desktop because that's where "I" patch from. And the storage of patches is just whatever my network needs and my computer deploys the patches. So I just have a slightly larger hard drive on my workstation... and I've upped the ISA 2004 tcp/ip connection per client limit on my workstation because I was indeed seeing some throttling going on while I was scanning.
In fact one of the first things I did in the SBS 2003 R2 beta was to build my own MMC and place the SBS patching console in its own standalone console with a shortcut on the desktop. I was so used to just going to Shavlik's patch icon on my desktop that it felt so weird to be launching the "Server Management" Console.
For Matt, he's got another problem... he only has access to the "original" WSUS interface and not the SBSized interface... and gang... whatever you think of the SBS R2 bits, the additional SBSizing of the WSUS console means that it's a ton more "blonder" and manageable of a console in my opinion. The patches that I need to deal with are way more "in my face". With WSUS ..the console they have has too much "stuff" going on... and I have to filter down so much to understand anything. So while the decision between Shavlik and WSUS when you are running a SBS 2003 R2 box gets REALLY hard to make unless you are a patchaholic, control freak like I am that plans to have the two competing in my real network at the office, in a non SBSized WSUS... Shavlik is still hands down the easier and more agile patching tool.
Matt has a couple of advantages already....
- He's gone borg on the servers and has them at Windows 2003 sp1
- He's got the Office 2003 Pro platform which makes patching MUCH easier (you can use the local install source ...or Shavlik makes it real easy to browse to a location for a LIS)
- He needs to get all those Windows 2000's up to Windows XP sp2 to be even better..but not bad...
So Matt?
To recap:
For Patching-a-holics like me... Shavlik versus SBS 2003's WSUS... I'm doing both..and will keep doing both.
For SBS 2003 ers.. the R2 WSUS with our daily email... it is really cool... the approval process is much easier.
For 'normal' Windows 2003 server... advantage is still with Shavlik here...if you want to have real flexibility in how you deploy patches... Shavlik is it...