
So, who forces Microsoft to stick to (so called) patch Tuesdays? No one, actually - it's Microsoft internal schedule, and clearly there are cases when it's absolutely unreasonable - e.g. when there's a 0day in the wild. So there has to be a way to fast track a fix - if there's not, there's something seriously wrong IMNSHO. Apparently, they thought Google won't stick to the 90-day limit.


> So, who forces Microsoft to stick to (so called) patch Tuesdays?

Their tens of millions of customers who plan internal deployment, overtime, and other things around those specific dates?

> it's Microsoft internal schedule

It's their external schedule actually.


Why do all these customers need to be on Microsoft's schedule though? Microsoft should release the patches and give each IT team their own ability to assess patches at their own speed.

If some companies want to wait 2 days then let them make their own choice. It seems like a pretty stupid policy that nothing (except extreme cases) should get patched except when it's convenient.


> Microsoft should release the patches and give each IT team their own ability to assess patches at their own speed.

They already do via WSUS. Companies get to plan this work to start on the second Tuesday of every month because that's the day Microsoft publishes them. Nobody puts a gun to companies' heads and forces them to deploy internally.

> If some companies want to wait 2 days then let them make their own choice. It seems like a pretty stupid policy that nothing (except extreme cases) should get patched except when it's convenient.

This seems to be a complaint about a "policy" which doesn't exist and has no relationship to the topic at hand. I don't even really entirely understand the above.


I don't really see how that matters. This only shows how utterly broken the concept of "patch Tuesdays" is ...

If you plan your internal deployment updates based on the belief that the schedule will never change, then I'm really sorry for you and your users. In the real world, not all issues are reported in advance - some are observed in the wild, and in that case you have to fast-track the fix. If you have no way to do that (e.g. because the vendor only releases fixes on Tuesdays once per month, or because you decided to choose such a schedule on your own), then good luck. That might have been appropriate in 1995, not in 2015.

There are many projects and/or companies publishing fixes continuously, and leaving it up to the users when/how to apply them in production. That's essentially what all the Linux distributions (RH, SUSE, ...) and smaller projects do.


> it's Microsoft internal schedule

Not entirely true now. Users of MS software have built up their own testing processes around patch Tuesday.

Patch Tuesday was one of the best things MS did when they decided to take security seriously. They realized that testing patches downstream takes time and giving their customers a consistent patch day let them also plan ahead.



