News

Affiliates

Navigation

Aggregation

Updating

I’ve looked at updating:

Microsoft Windows Server 2008 x64 Enterprise Edition, Full installation
Microsoft Windows Server 2008 x64 Enterprise Edition, Server Core
Microsoft Windows Server 2008 x64 Standard Edition, Full installation
Microsoft Windows Server 2008 x64 Standard Edition, Server Core
Microsoft Hyper-V Server 2008 (x64)

I used five identical Dell XPS 420 boxes to install Windows Server 2008 and Hyper-V Server 2008. I used the following media:

en_windows_server_2008_datacenter_enterprise_standard_x64_dvd_X14-26714.iso
ServerHyper_MUIx2-080912.iso

The only setting I changed during installation was the keyboard lay-out which I set to US-International.

On the full installations I used Windows Update to determine the required updates. On the Server Core installations I used cscript.exe WUA_SearchDownloadInstall.vbs to determine the updates. On Hyper-V Server 2008 I used HVConfig.cmd wizard.

I installed and checked for updates on Wednesday October 22, 2008.

I saw there were no differences between updating a Windows Server 2008 edition with or without Hyper-V (same updates apply) and no differences between updating an Enterprise and a Standard edition (same updates apply).

In the table below you'll find the updates by Knowledgebase Article number per installation:

Update	Description	Full	Server Core	Hyper-V Server
KB890830	Malicious Software Removal Tool	a	a	a
KB938464	Security Update	a	a	a
KB940518	Update for Server Manager (Optional)	a
KB947864	Cumulative Update (Internet Explorer 7)		a	a
KB948590	Security Update	a	a	a
KB949189	Update (Replication)	a	a
KB950050	Update for Hyper-V RTM	a	a
KB950582	Security Update	a	a	a
KB950762	Security Update	a
KB950974	Security Update	a	a	a
KB951066	Security Update (Windows Mail)	a
KB951072	Update (Daylight Saving Time)	a	a	a
KB951698	Security Update	a
KB951978	Update (Cscript/Wscript)	a	a	a
KB952287	Update (MDAC)	a	a	a
KB953631	Update (Last known Good Configuration)		a
KB953733	Security Update	a	a	a
KB953838	Cumulative Update (Internet Explorer 7)		a	a
KB954211	Security Update	a	a	a
KB954366	Update (App Comp)	a	a
KB955020	Update (dictionaries)	a
KB955302	Update (performance)	a	a	a
KB956390	Cumulative Update (Internet Explorer 7)	a
KB956391	Cumulative Update (Active X / IE 7)	a
KB956841	Security Update	a	a	a
KB957095	Security Update	a	a	a

Analyzing

Full installations of Windows Server 2008 required 22 updates and 1 optional update.
Server Core installations of Windows Server 2008 required 19 updates.
After installation Hyper-V Server 2008 required 15 updates.

At first glance these numbers don’t seem to represent Microsoft’s promise of 40% less updates.

When distinguishing between security updates and updates that improve the performance, stability and compatibility of Windows Server 2008 the following figure shows what Microsoft meant:

You can see clearly both Server Core and Full installations of Windows Server 2008 get the same performance, compatibility and stability updates. Since Hyper-V Server doesn’t contain the ‘usual’ Server roles, these apparently didn’t need to be patched. Server Core installations and Full installations of Windows Server 2008 required 8 updates. Hyper-V Server 2008 required a mere 4 updates.

When looking at the Security Updates however a huge difference becomes clear between Server Core installations and Hyper-V Server on one side and Full installations on the other side. Full installations require 13 security updates, where Server Core installations and Hyper-V Server require 10 security updates. (All installations including two cumulative security updates for Internet Explorer)

Concluding

Server Core installations require 23% less security updates, compared to Full installations of Windows Server 2008. (10 compared to 13)

This 23% difference might not result in less (managed) downtime for applying updates, since roughly the same updates apply. (2 differences)

Server Core installations and Hyper-V Server 2008 installations however are less vulnerable to unknown attacks, compared to Full installations of Windows Server 2008.

(Manually) Updating Server Core
(Automatically) Updating Server Core
About Microsoft Hyper-V Server 2008
Server Core patching benefits, as shown by Secunia

Comments

TrackBack said:

Sander Berkouwer: One of Server Core's touted benefits is it requires less security updates. Jeff Jones did some interesting research a little while ago in which he compared a theoretical Windows Server 2003 Server Core edition to a Windows Server 2003 installation in terms of security updates. In the accompanying blogpost he concluded:

[…] looking at the Windows Server Security Bulletins over the past two years, 40% of them would not have applied to a theoretical Server Core build. The results of the analysis are encouraging in terms of security progress.

Read the full report here.

In this post I'll look at the updates required for various flavors and derivates of Windows Server 2008 and the implications in terms of (planned) downtime between these flavors.

# October 22, 2008 10:58 PM

Kenneth said:

Hi Sander,

Interesting Article.

Are you sure that KB947864 is applied to Core and Hyper-V server only? I would say that this one only applies to Full since that's the only edition having IE7 installed. I also count 11 Security updates instead of 13 (what do you see as a security update?)

Normally you patch your servers once a month, after the updates come out monthly. Can i conclude that although server core has less patches, you still have to reserve managed downtime to apply patches that server core also needs?

So actually the number of patches isn't that important, but more the fact if you need to reboot your server core machine after applying a patch.

For example: MS will issue 2 security updates next month, only one of those 2 will apply to server core. But you still have to update server core as well because it needs the other update. Downtime for Full and Core will be the same at that point.

On the other hand, if only 1 security update is released for WS2008 and it only applies to the Full version, you don't have to plan downtime for your Core server.

I'm very curious to see how the patching of server core will look like in a year or so. Time will tell.

Regards,

Kenneth

# October 22, 2008 11:12 PM

Sander Berkouwer said:

Hi Kenneth,

Thanks for your reply!

Are you sure that KB947864 is applied to Core and Hyper-V server only? I would say that this one only applies to Full since that's the only edition having IE7 installed.

The Cumulative update for Internet Explorer 7 (KB974864) corresponding with MS08-24 applies to Server Core installations and Hyper-V Server 2008 installations only. For Full installations this update has been replaced with a newer version (KB956390), corresponding with MS08-50. This later update does not (yet?) apply to Server Core installations.

I also count 11 Security updates instead of 13 (what do you see as a security update?)

I counted everything described as a Security Update as a Security Update, as well as updates related to a security bulletin or security advisory. I've therefor placed the cumulative updates for Internet Explorer 7 and the cumulative update for Active X Killbits in the Security Updates category.

So actually the number of patches isn't that important, but more the fact if you need to reboot your server core machine after applying a patch.

My idea exactly! Idea

# October 22, 2008 11:31 PM

Anonymous comments are disabled

The things that are better left unspoken

News

Recent Posts

Related

Affiliates

Tags

Navigation

Aggregation

Top posts in the past

Archives

Analyzing the Server Core Updates Estimate