Found Windows 2012r2 server needing lots of updates

[Karandras]

So, found this server for a company I'm doing some work for and it needs 212 updates. What is the best way to go about this. I'm assuming if I apply all the updates we are looking at probably a 4-6 hour window that the server will be down. This is an Exchange server and should most definitely get the most recent updates.

Is there a specific order that I should be applying updates in increments or should I just do the whole thing and let it run after 10pm or something like that?

Once this is done I'll get them on a weekly / bi-weekly update schedule but I need to get them caught up first.

Thanks.!

 

[Ruoh]

I'd just let it rip, and let them know the server will be down for extended maintenance. Make sure you can get to a console though!

 

[CrimsonKnight13]

Depends how powerful the server is. An old server may take longer than 6 hours. A newer one may take less than 4. SCCM SUP, WSUS or Windows Update will properly apply them in the order they need to go.

 

[bigdogchris]

So, found this server for a company I'm doing some work for and it needs 212 updates. What is the best way to go about this. I'm assuming if I apply all the updates we are looking at probably a 4-6 hour window that the server will be down. This is an Exchange server and should most definitely get the most recent updates.

Is there a specific order that I should be applying updates in increments or should I just do the whole thing and let it run after 10pm or something like that?

Once this is done I'll get them on a weekly / bi-weekly update schedule but I need to get them caught up first.

Thanks.!

The updates will download and install without taking down services, just during the reboot it will be "down" and I cannot see that taking more than an hour.

You can even spread it out by only doing security updates first, then maybe a week later do the remaining ones.

 

[Monkey God]

The updates will download and install without taking down services, just during the reboot it will be "down" and I cannot see that taking more than an hour.

Thats not always true. Some updates can impact WWW publishing services for example. You never patch a customer facing web/app server unless you can pull it out of a farm or have a designated maintenance window.

 

[Karandras]

Thanks peeps. I'll make sure the window is big enough in case it wants to take a huge amount of time. I see your idea of splitting the windows updates and security updates, is that a good idea?

 

[MrCaffeineX]

Thanks peeps. I'll make sure the window is big enough in case it wants to take a huge amount of time. I see your idea of splitting the windows updates and security updates, is that a good idea?

I got into the habit of doing this at one company where I worked because it was recommended to me as a best practice by the IT manager. While it may or may not have been true, I tend not to give non-security updates priority to this day.

In general, and especially when applying a significant number of updates at one time, I prefer to do it when no one will be using the server (i.e. off-hours, sending a notification of downtime for maintenance) because a hung update process can negatively affect many other services on the server.

 

[Ruoh]

You'll likely find that additional updates are needed after the first batch. Also, having it rescan for the updates might be in order, as there could be rollup patches that do the job of many smaller updates.

 

[JBark]

You'll likely find that additional updates are needed after the first batch. Also, having it rescan for the updates might be in order, as there could be rollup patches that do the job of many smaller updates.

Yeah, with that many missing updates, I wouldn't be surprised to find it takes a half dozen or more update cycles to actually get fully patched.

It's such a pain with that many, because you can hit the scenario where one failed update causes a rollback of every patch that succeeded on the next reboot, so you stuck waiting ages for things to revert.

This page might be worth looking at, has the list of all the rollups that have been released:
https://blogs.technet.microsoft.com...-server-2012-r2-windows-8-8-1-update-rollups/

Manually installing these two updates first,
https://support.microsoft.com/en-us/kb/2919442
https://support.microsoft.com/en-us/kb/2919355
would probably be a good start. That will get you the first big cumulative rollup for 2012 R2.

I can't remember for sure, but might want to check and make sure Exchange updates aren't coming through Windows Update as well. I don't pull them through WSUS, so I'm not sure if they show up or not normally. Good idea to uncheck those until you're all done with the OS patches.