One of Server Core's touted benefits is it requires less security updates. Jeff Jones did some interesting research a little while ago in which he compared a theoretical Windows Server 2003 Server Core edition to a Windows Server 2003 installation in terms of security updates. In the accompanying blogpost he concluded:
[…] looking at the Windows Server Security Bulletins over the past two years, 40% of them would not have applied to a theoretical Server Core build. The results of the analysis are encouraging in terms of security progress.
Read the full report here.
In this post I'll look at the updates required for various flavors and derivates of Windows Server 2008 and the implications in terms of (planned) downtime between these flavors.
Note:
This blogpost is not intented to fully research the difference in the total amount of updates between a Server Core installation and a Full installation of Windows Server 2008. It merely provides a comparison based on a random moment in time as reference material. It does not take refreshed updates into account.
Updating
I’ve looked at updating:
- Microsoft Windows Server 2008 x64 Enterprise Edition, Full installation
- Microsoft Windows Server 2008 x64 Enterprise Edition, Server Core
- Microsoft Windows Server 2008 x64 Standard Edition, Full installation
- Microsoft Windows Server 2008 x64 Standard Edition, Server Core
- Microsoft Hyper-V Server 2008 (x64)
I used five identical Dell XPS 420 boxes to install Windows Server 2008 and Hyper-V Server 2008. I used the following media:
- en_windows_server_2008_datacenter_enterprise_standard_x64_dvd_X14-26714.iso
- ServerHyper_MUIx2-080912.iso
The only setting I changed during installation was the keyboard lay-out which I set to US-International.
On the full installations I used Windows Update to determine the required updates. On the Server Core installations I used cscript.exe WUA_SearchDownloadInstall.vbs to determine the updates. On Hyper-V Server 2008 I used HVConfig.cmd wizard.
I installed and checked for updates on Wednesday October 22, 2008.
I saw there were no differences between updating a Windows Server 2008 edition with or without Hyper-V (same updates apply) and no differences between updating an Enterprise and a Standard edition (same updates apply).
In the table below you'll find the updates by Knowledgebase Article number per installation:
| Update | Description |
Full |
Server Core |
Hyper-V Server |
| KB890830 | Malicious Software Removal Tool |
a |
a |
a |
| KB938464 | Security Update |
a |
a |
a |
| KB940518 | Update for Server Manager (Optional) |
a |
||
| KB947864 | Cumulative Update (Internet Explorer 7) |
a |
a |
|
| KB948590 | Security Update |
a |
a |
a |
| KB949189 | Update (Replication) |
a |
a |
|
| KB950050 | Update for Hyper-V RTM |
a |
a |
|
| KB950582 | Security Update |
a |
a |
a |
| KB950762 | Security Update |
a |
||
| KB950974 | Security Update |
a |
a |
a |
| KB951066 | Security Update (Windows Mail) |
a |
||
| KB951072 | Update (Daylight Saving Time) |
a |
a |
a |
| KB951698 | Security Update |
a |
||
| KB951978 | Update (Cscript/Wscript) |
a |
a |
a |
| KB952287 | Update (MDAC) |
a |
a |
a |
| KB953631 | Update (Last known Good Configuration) |
a |
||
| KB953733 | Security Update |
a |
a |
a |
| KB953838 | Cumulative Update (Internet Explorer 7) |
a |
a |
|
| KB954211 | Security Update |
a |
a |
a |
| KB954366 | Update (App Comp) |
a |
a |
|
| KB955020 | Update (dictionaries) |
a |
||
| KB955302 | Update (performance) |
a |
a |
a |
| KB956390 | Cumulative Update (Internet Explorer 7) |
a |
||
| KB956391 | Cumulative Update (Active X / IE 7) |
a |
||
| KB956841 | Security Update |
a |
a |
a |
| KB957095 | Security Update |
a |
a |
a |
Analyzing
Full installations of Windows Server 2008 required 22 updates and 1 optional update.
Server Core installations of Windows Server 2008 required 19 updates.
After installation Hyper-V Server 2008 required 15 updates.
At first glance these numbers don’t seem to represent Microsoft’s promise of 40% less updates.
When distinguishing between security updates and updates that improve the performance, stability and compatibility of Windows Server 2008 the following figure shows what Microsoft meant:
You can see clearly both Server Core and Full installations of Windows Server 2008 get the same performance, compatibility and stability updates. Since Hyper-V Server doesn’t contain the ‘usual’ Server roles, these apparently didn’t need to be patched. Server Core installations and Full installations of Windows Server 2008 required 8 updates. Hyper-V Server 2008 required a mere 4 updates.
When looking at the Security Updates however a huge difference becomes clear between Server Core installations and Hyper-V Server on one side and Full installations on the other side. Full installations require 13 security updates, where Server Core installations and Hyper-V Server require 10 security updates. (All installations including two cumulative security updates for Internet Explorer)
Concluding
Server Core installations require 23% less security updates, compared to Full installations of Windows Server 2008. (10 compared to 13)
This 23% difference might not result in less (managed) downtime for applying updates, since roughly the same updates apply. (2 differences)
Server Core installations and Hyper-V Server 2008 installations however are less vulnerable to unknown attacks, compared to Full installations of Windows Server 2008.
Related posts
(Manually) Updating Server Core
(Automatically) Updating Server Core
About Microsoft Hyper-V Server 2008
Server Core patching benefits, as shown by Secunia
Further reading
Hyper-v Server , what is it exactly ?
Download: Server Core Potential Security Benefit
This is why we asked so much for Server Core
More on Server Core Patches
VIR367: Hyper-V Security and Best Practices
Hyper-V Server is Finally Here – But What Exactly Is It?
Patching Server Core in production
First Look at Windows Server 2008 Server Core
Server Core Install vs. Full Install – Let’s Get Ready to Rumble!
InformIT – Windows Server Core Overview
RedmondMag – Server Core: Windows Without Windows
Hi Sander,
Interesting Article.
Are you sure that KB947864 is applied to Core and Hyper-V server only? I would say that this one only applies to Full since that's the only edition having IE7 installed. I also count 11 Security updates instead of 13 (what do you see as a security update?)
Normally you patch your servers once a month, after the updates come out monthly. Can i conclude that although server core has less patches, you still have to reserve managed downtime to apply patches that server core also needs?
So actually the number of patches isn't that important, but more the fact if you need to reboot your server core machine after applying a patch.
For example: MS will issue 2 security updates next month, only one of those 2 will apply to server core. But you still have to update server core as well because it needs the other update. Downtime for Full and Core will be the same at that point.
On the other hand, if only 1 security update is released for WS2008 and it only applies to the Full version, you don't have to plan downtime for your Core server.
I'm very curious to see how the patching of server core will look like in a year or so. Time will tell.
Regards,
Kenneth
Hi Kenneth,
Thanks for your reply!
The Cumulative update for Internet Explorer 7 (KB974864) corresponding with MS08-24 applies to Server Core installations and Hyper-V Server 2008 installations only. For Full installations this update has been replaced with a newer version (KB956390), corresponding with MS08-50. This later update does not (yet?) apply to Server Core installations.
I counted everything described as a Security Update as a Security Update, as well as updates related to a security bulletin or security advisory. I've therefor placed the cumulative updates for Internet Explorer 7 and the cumulative update for Active X Killbits in the Security Updates category.
My idea exactly!