Patch Tuesday for VMware: sounds kind of silly, doesn't it? At least it did to us prior to doing some research on the patches coming out of VMware for ESX Server. This all started a few days ago when we started looking at a network issue some VMs were having. We then (after sorting through the available downloads/patches and talking to support) found there was a patch for this issue.
Nice. Great. Why wasn't this installed? Too many patches? Admins don't think they need them?
Whatever the reason, it is starting to become a trend in some ESX environments: not all patches are installed by the admins. The reason for this is pretty simple: we already have Patch Tuesday for the Microsoft servers we are dealing with, patches for applications that app owners install, patches for SQL, Exchange, etc., and of course desktop patching. Sorting through ESX patches is often a secondary job for Windows administrators tasked with maintaining ESX, and if ESX is working, patching it falls to the bottom of the pile. I mean, this is VMware's ESX Server! The product that we used to tell people didn't need patching that often since there wasn't much code to have to patch. But recently we have started to notice a change, and have had to stop telling people that patches for ESX were few and far between.
To be rational about our assertion, we started by looking at the available data on patches for ESX. We couldn't get data all the way back to ESX 1.5, since VMware's site has been revamped several times and those patches are not available, and quite honestly, who saves patches all the way back to 2003/4 anyway? But what we found in the data was pretty telling. The first item we noticed was the sheer number of patches for ESX 3.0.1: 68! Sixty-eight patches in the course of about a year. Of course, they were released in about 11 groups, at an average of about 7 patches per release date (per the VMware website).