In July there was a patch that came out that impacted SBS boxes. But the problem was that we didn't realize it immediately, because the symptoms of the "hurt" from the patch were very random, and because most of the time the side effect was that we couldn't remote back into the servers, we thought it was the normal byproduct of the server getting stuck sometimes. But then the errors in the event log just weren't matching up, and the fact that the IPsec service wasn't running didn't look like past reboot issues. So those who were impacted got in touch with Support, and finally the underlying issue was identified and repro'd. As a result a blog post came out: http://blogs.technet.com/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx
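A post-patch health check for the two symptoms described above (the IPsec service not running, and service errors in the event log), as an added example that is not part of the original post; it assumes PowerShell with Get-Service, Get-EventLog and Get-HotFix available, that the IPsec service's short name is PolicyAgent, and uses TermService and DNS as the other services worth verifying.

```powershell
# Added example, not from the blog post: run after a patch window to confirm the
# services an SBS box depends on came back, and to surface Service Control Manager
# errors so a "random" failure can be tied to a specific hotfix.
# Assumption: IPsec Services = PolicyAgent, Terminal Services = TermService, DNS Server = DNS.
param(
    [string[]]$CriticalServices = @('PolicyAgent', 'TermService', 'DNS'),
    [int]$HoursBack = 24
)

$problems = @()

# 1. Are the services we care about actually running?
foreach ($name in $CriticalServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $problems += "Service '$name' not found on this host"
    } elseif ($svc.Status -ne 'Running') {
        $problems += "Service '$name' ($($svc.DisplayName)) is $($svc.Status)"
    }
}

# 2. Did the Service Control Manager log any errors since the patch window?
$since = (Get-Date).AddHours(-$HoursBack)
$scmErrors = Get-EventLog -LogName System -EntryType Error -After $since -ErrorAction SilentlyContinue |
    Where-Object { $_.Source -eq 'Service Control Manager' }
foreach ($e in $scmErrors) {
    $firstLine = ($e.Message -split "`n")[0]
    $problems += "SCM event $($e.EventID) at $($e.TimeGenerated): $firstLine"
}

# 3. List hotfixes installed in the same window so the failure can be correlated.
$recentFixes = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since } |
    Select-Object -ExpandProperty HotFixID

if ($problems.Count -eq 0) {
    Write-Output "OK: all checked services running, no SCM errors in the last $HoursBack hours."
} else {
    Write-Output "ATTENTION: $($problems.Count) problem(s). Hotfixes installed since $since : $($recentFixes -join ', ')"
    $problems | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

Scheduling this to run after each reboot gives you an alert before users notice they cannot remote in, rather than leaving you to guess whether the box just "got stuck".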
Some folks in the newsgroup said that ... well let me quote a comment...
"I flagged this up a few weeks ago saying, basically, that this was a serious issue that we should be shouting from the rooftops about, because it will mean site visits to fix. But it was brushed under the carpet to some extent saying "read the blog and you'll be all right".
MS should have fixed this on the next update cycle at least, and all the SBS MVPs should have been screaming to the community that this issue needed addressing immediately.
This is the biggest SBS fubar I've ever witnessed."
Before I quote Cliff's really good rebuttal to this post, let me just make a few comments. And this isn't to blow this off, or to diminish the pain that this patch causes.
1. When it comes to servers and a network, I truly don't think you can be a passive DIYer and handle patching these days. There are too many interactions and possible issues. People always ask me on WindowsSecrets.com if a certain Service Pack is 'ready' and whether they won't have any issues. Unfortunately it doesn't work that way. Patches work most of the time. But then there are those times that they have issues. There is no 100 percent guarantee in life. The best you can do is understand which patches will come off, which ones you can use mitigation techniques to get around, and which ones you can live with. But the idea that Microsoft can somehow deploy perfection to the gazillions of Microsoft users... Folks, even Apple screws up their patching.
2. The second and follow-up idea, that now that the issue has been identified Microsoft can whip out a new patch, get it tested, and clear it for release in about two weeks (given that it took us some time to figure out the issue in the first place): keep dreaming, folks, they can't test anything that fast.
3. The idea that this is the 'biggest SBS fubar ever': trust me, I've seen bigger. Windows 2003 SP2 comes to mind. SharePoint DLL expiration, and how about.... okay, we've rubbed our noses in fubars enough. And this one is fixable.
4. Screaming is for children. You can get your point across much better if you communicate, not scream.
Patching isn't easy, but I think we need to get over this idea that patches are perfect and that they aren't an item of risk. They are an item of MANAGEABLE risk. And one of the ways that you manage that risk is to read http://blogs.technet.com/sbs religiously.
Read Cliff's response. I think he's made some excellent points.
"Eh, I recall your post....and it wasn't brushed under the rug. It was a matter of timing. Patches take *TIME* to test, and yes, this got botched. But releasing another fix "in the next cycle" is not practical either. The fix for the fix needs to be thoroughly tested to make sure *it* doesn't go and break other things, corrupt the registry, undo other registry changes that other products might make, etc etc. If you manually go to that key, you can see what other data is there and, if need be, google for info. But a patch needs to be AUTOMATED. That takes more than a little bit of testing. I'd be more pissed if MS released a patch that started breaking third-party products. Let them test it and get it done RIGHT.
With that said, MS couldn't exactly hold up on the DNS issue either. Yes, it was, as I said earlier, a screw up to not test it more thoroughly on SBS specifically. But as I said in your previous complaint post, the risk of leaving the DNS issue unpatched was that all other vendors were going public so hackers could see what THEY fixed. That virtually guaranteed that exploit code would surface in very short order...which is exactly what happened! So MS *needed* to get this patched and get it patched PRONTO. Dealing with some (relatively minor) issues after the fact is far more acceptable.
And any SBS admin should be monitoring the blog. Just like an admin should subscribe to at least one security RSS feed to know when new threats surface and monitor their server and firewall logs regularly for problems, and check their backups regularly. Running a server, even one like SBS, requires *some* responsibility and due diligence on the server owner. I don't leave MS blameless on this, but I did, do, and will continue to disagree with your assessment of how they've handled correcting their mistake. They've done what they can in a reasonable fashion.