Frequently Asked Questions: SMS Software Update Services Feature Pack

Updated: September 10, 2004


Q.What fixes are included in SMS 2003 Service Pack 1 (SP1)?
A.

SMS 2003 SP1 is a culmination of a variety of hotfixes and other fixes requested by customers who have evaluated and deployed SMS 2003. The primary focus for SMS 2003 SP1 is to further enhance the security, usability, and performance of SMS 2003 while broadening the supported configurations. For more information about SMS 2003 SP1, see the SMS 2003 SP1 Product Overview page.

Q.What is the proper sequence for installing the SMS Software Update Services Feature Pack tools?
A.

To learn the proper sequence to install the tools, where they should be installed, how they are packaged, and what the system requirements are, refer to Installing the Software Update Services Feature Pack Tools.

Q.I just installed the SMS Web Reports Add-in for Software Updates, but the setup log tells me there were errors. What does this mean?
A.

Below is a sample setup error in the AddWebRepInstallSQL.log file:

Msg 207, Level 16, State 3, Server SGSCT01, Procedure usp_SMSR538, Line 4 [Microsoft][ODBC SQL Server Driver][SQL Server]Invalid column name 'TimeAuthorized0'.

The following is a sample error you may see when running a specific report, or when all reports for software updates return errors:

There was an error in the SQL Statement. The following error was returned: Invalid object name 'v_GS_PATCHSTATE'. [-2147217865]

Both of the above issues have the same cause: the Web Reports Add-in for Software Updates was installed before the inventory of patches was collected. Microsoft SQL Server™ requires that all objects be present before a stored procedure can be defined. To solve this issue, please refer to "Setup Does Not Extend Database Schema" in the Security Update Inventory Tool release notes.
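As an added example (not part of the original FAQ or of SMS), the Python sketch below scans setup-log and report-error lines for the two signatures quoted above and lists which schema items are missing and where each was reported. The first two sample lines are the ones quoted in this answer; the other lines, including the procedure name usp_EXAMPLE, are constructed.

```python
import re
from collections import defaultdict

# Message header in the form shown in the AddWebRepInstallSQL.log sample above.
MSG_RE = re.compile(
    r"Msg (?P<msg>\d+), Level (?P<level>\d+), State (?P<state>\d+), "
    r"Server (?P<server>\S+), Procedure (?P<proc>\S+), Line (?P<line>\d+)"
)
# Missing schema item named in the driver text or in a web report error.
MISSING_RE = re.compile(r"Invalid (?P<kind>column|object) name '(?P<name>[^']+)'")

def triage(lines):
    """Map (kind, name) of each missing item to the sources that reported it."""
    found = defaultdict(set)
    pending = None  # procedure from a header whose error text is on the next line
    for raw in lines:
        header = MSG_RE.search(raw)
        missing = MISSING_RE.search(raw)
        if header:
            pending = header.group("proc")
        if missing:
            key = (missing.group("kind"), missing.group("name"))
            found[key].add(pending or "report")
        if missing or not header:
            pending = None  # a header only applies to the line right after it
    return {key: sorted(sources) for key, sources in found.items()}

def schema_not_extended(lines):
    """True when any line carries the installed-before-inventory signature."""
    return bool(triage(lines))

SAMPLE = [
    # Quoted from the FAQ answer above.
    "Msg 207, Level 16, State 3, Server SGSCT01, Procedure usp_SMSR538, Line 4 "
    "[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid column name 'TimeAuthorized0'.",
    "There was an error in the SQL Statement. The following error was returned: "
    "Invalid object name 'v_GS_PATCHSTATE'. [-2147217865]",
    # Constructed: header and driver text split across two lines.
    "Msg 207, Level 16, State 3, Server SGSCT01, Procedure usp_EXAMPLE, Line 9",
    "[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid column name 'TimeAuthorized0'.",
    # Constructed: benign line that must not match.
    "Setup completed.",
]

if __name__ == "__main__":
    for (kind, name), sources in triage(SAMPLE).items():
        print(f"missing {kind} {name}: reported by {', '.join(sources)}")
```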

Q.I just installed the Web Reports Add-in for Software Updates. Why can't I find any new reports about Microsoft Office or security patches?
A.

Empty your Internet Explorer client cache and the reports should begin to show up. To do this:

1. Open Internet Explorer.

2. On the Tools menu, click Internet Options.

3. On the General tab, click the Delete Files button under Temporary Internet Files.

Q.My site server does not have Internet access. How should I install the SMS Software Update Services Feature Pack?
A.

When installing the catalog, during Security Update Inventory Tool installation, Setup will ask for the name of a computer that will host the Sync tool (weekly download of the patch catalog and scan tools). Enter the name of a computer that has Internet access (Note: This computer does not need to be a site server, but does need to be an SMS client).

Alternatively, you can run the Sync tool manually (or by means of a batch file that can automatically be run on a schedule) on the Internet-connected machine.

The following is an example of running the Sync tool manually.

SyncXml.exe /s /site servername /code sitecode /target \\servername\securityfolder /package packageID

Where sitecode is your site code, servername is your SMS server or a computer hosting the Security Scan files used for distribution points, and packageID is your SMS Package ID for the Security Scan program that clients run. For example:

SyncXml.exe /s /site myserver /code CEN /target \\Myserver\Security /package CEN00002

To install patches, you will need to manually download patches using the Internet-connected computer and copy them into the Patch Package Source folders.

Q.We have a firewall that requires authentication. How will SMS Software Update Services Feature Pack tools work in this case?
A.

The Sync tools in the Microsoft Office Inventory Tool for Updates and the Distribute Software Updates Wizard need Internet access to download catalogs or patches. These tools are not designed to ask for credentials when establishing a new browser session. They are, however, designed so that they do not create a new session but can reuse an existing one. Thus, if you start a browser session, authenticate through the firewall, and leave that session running, these tools will reuse that authenticated session and work without issues. (Note: Some firewalls will allow you to set up a rule to forego authentication for a specific IP address.)

Q.I know Microsoft has just released a particular patch. Why don't I see it in the list of patches for approval in the Distribute Software Updates Wizard?
A.

There are certain latencies before a patch will show up in the approval list of the Wizard:

There could be a delay before the updated catalog is downloaded by your system. The download is done by the Sync tool, which was created when you installed the Security Update Inventory Tool or the Microsoft Office Inventory Tool for Updates. The default update cycle is seven days.

After the catalog has been downloaded and the distribution points updated, the clients will need to run a security scan cycle. Unless you have set the cycle to run every day, there will be an additional delay before clients will detect they are missing the new patch.

Once the update requirement is detected, there are system latencies before this inventory data can roll up to the site where you run the Distribute Software Updates Wizard.

Further, there is always a chance the new patch is not really applicable for any of your computers, or that it is applicable to computers that are not being scanned.

Q.How can I speed up the download of the catalog?
A.

You can manually download the catalog and update the MSSecure.xml file in the Security Update Inventory Tool Package Source folder with the new version. Remember to refresh the distribution points after updating the Package Source folder.

Q.How can I speed up patch detection?
A.

Though scheduling a daily scan cycle could be one way, you need to be aware of network and system performance issues and verify they are acceptable before changing the default scan cycle. You can also advertise the "expedited" version of the scan tool program. To do this, from the inventory scan tool package, select the program that has the word expedited in its name. Note that using the expedited program will cause a full hardware inventory cycle and may cause serious network and performance issues. This method is recommended for a small collection of reference machines only. Additionally, please refer to the Distribute Software Updates Wizard release notes for the description of the Software Update Installation Agent command-line option /x, as using this option for your reference collection can be a very efficient and quick way to populate the patch inventory.

Q.How often is MSSecure.xml updated and when?
A.

Microsoft releases security patches on a monthly schedule. The security catalog mssecure.xml is updated at the same time security bulletins are released. Microsoft will make an exception to the monthly release schedule if we determine that customers are at immediate risk from viruses, worms, attacks, or other malicious activities. In such situations, Microsoft can release security patches as soon as possible to help protect customers.

For more information about the release schedule, see Revamping the Security Bulletin Release Process on Microsoft TechNet.

You can sign up for the free Microsoft Security Notification Service at the Microsoft Profile Center.

Q.How can I be sure the version of the MSSecure.xml file I have is the latest?
A.

You can view the latest MSSecure.xml file on the Microsoft TechNet Web site. The header in this file contains the release date and version number. To confirm you have the latest version, compare the header in the MSSecure.xml file to the header in the file you are currently distributing.

Q.I want to approve a newly released patch. Do I need to find a client computer that is missing that patch in order to populate the SMS inventory with all the patches?
A.

Yes. You need at least one client to report a patch as missing before you can deploy it. Refer to the Distribute Software Updates Wizard release notes for the description of the Software Updates Installation Agent command-line option /x. This option enables reporting of every applicable patch as "missing" (even if it is installed on your test computer), which is a quick way to populate the inventory.

Q.What do I do if I don't see any patches in the Distribute Software Updates Wizard or if the Distribute Software Updates Wizard asks me to download and install inventory tools even though I already have?
A.

The Distribute Software Updates Wizard is inventory-data driven. Your system needs to have at least one patch in the SMS inventory for that update type, such as an Office or security patch. To check if your inventory has at least one patch, launch Resource Explorer on the computer where inventory advertisement was run and check under the Hardware node for the Software Updates property. Remember there is always a time lag between an inventory cycle on a client computer and the inventory data being written to the site server database. This lag can be hours to days, depending on the inventory cycle set for your site server.

Q.What if I don't see a Software Updates node in the Resource Explorer for a particular client computer?
A.

Ensure that the specific client meets all these requirements:

It is a member of the collection to which the Security Update Inventory Tool has been advertised.

An inventory scan cycle has executed successfully on this client computer.

Hardware inventory has been collected and rolled up to the site server.

Q.Do I need to create different patch packages for each product?
A.

Patch packages must uniquely correspond to a specific scan tool and you cannot have a package that contains patches reported by different scan tools. This means that, at a minimum, you need to create one package for patches reported by the Security Update Inventory Tool and another package for patches reported by the Microsoft Office Inventory Tool for Updates. However, within a package for a specific scan tool, you can include patches for different operating systems or products. For example, a patch package for Security Updates can contain patches for Microsoft Internet Explorer (for different Internet Explorer versions and different operating systems) and Windows Media® Player (for different Media Player versions and different operating systems). The Software Update Installation Agent will detect and apply the correct patch binary for each client. It may be desirable to organize patch packages on a per-operating system or per-product basis, but this is not technically required (beyond the separation by the scan tool).

Q.There are often multiple patch binaries (for different versions, languages, or service pack level) for a single issue. Do we need to authorize all of these or can they be included in the same patch package?
A.

The Distribute Software Updates Wizard will list each specific patch binary for the same issue for authorization. You should approve all of them and can include them in the same package. The Software Update Installation Agent will detect and apply the correct patch binary for each client.

Q.Can I schedule patches for installation during hours when users are not logged in?
A.

Yes. When the Distribute Software Updates Wizard creates patch packages/programs, by default it does not set the Run property to run only when a user is logged in. This means patches can be installed even when users are not logged in. If needed, you can do a completely unobtrusive and unattended patch installation by scheduling it at night when all user interfaces are turned off. Then, when users log in the next morning, they have a patched system ready to go.

For urgent patches which must become active even if users have unsaved changes in open documents, you must:

Ensure the software distribution account in use has administrative rights to the computers.

On the Configure Software Update Client Agent page of the Wizard, select the Force client programs to close, and discard any unsaved data option.

Q.Which log files are available for troubleshooting?
A.

Refer to the table below for feature pack log files. Note that feature pack tools use the standard software distribution feature of SMS which means the standard log files and status messages for the software distribution feature of SMS are also helpful when troubleshooting.

| Tool | Log File Name | Location |
| --- | --- | --- |
| Software Updates Installation Agent | Patchinstall.log | In the System Temp folder on the SMS client computer |
| Security Update Inventory Tool | Securitypatch.log | In the System Temp folder on the SMS client computer |
| Security Update Sync Tool | SecuritySyncXML.log | In the System Temp folder on the Internet-connected computer hosting the Sync tool |
| Microsoft Office Inventory Tool for Updates | Officepatch.log | In the System Temp folder on the SMS client computer |
| Microsoft Office Inventory Tool for Updates Sync Tool | OfficeSyncXML.log | In the System Temp folder on the Internet-connected computer hosting the Sync tool |
| SMS Web Reports Add-in for Software Updates | AddWebRepInstallSQL.log | Under <Destination Path>\Admin\SetupLogs on the Web reporting computer during installation only |

Q.Is there a quick way to see if a particular patch has been authorized?
A.

Yes. In the PatchAuthorize.xml file in the Patch Package Source folder, you can search for a particular patch by its Microsoft Knowledge Base article number or title. This file contains information on all patches that have been authorized and includes other pertinent details, such as command-line options, that will be used for patch installation.

Q.How do I install or remove a hotfix and where can I find command-line options for a patch installer?
A.

For specific application patch or hotfix installer command-line syntax, refer to the Microsoft Knowledge Base articles below.

Microsoft Windows NT 4.0: How to Install and Remove Hotfixes with HOTFIX.EXE

Microsoft Windows 2000 or later: Hotfix.exe Program Description and Command-Line Switches

Internet Explorer: Common Command-Line Switches for Self-Installing Update Files

Microsoft Exchange Server: XGEN: Exchange 2000 Server Post-Service Pack 3 Hotfix Command-Line Switches

Microsoft SQL Server: INF: SQL Server Hotfix Installer

Microsoft Office: Installing Client Update Files with OHotFix

Hotfix Checker Tool: Microsoft Network Security Hotfix Checker (Hfnetchk.exe)

Q.The SMS Software Update Services Feature Pack reports that my computer is fully patched, but then running Windows Update shows some patches missing. What's wrong?
A.

The scan technology (called MBSA) and catalog file, Mssecure.xml, used by the SMS Software Update Services (SUS) Feature Pack are not the same as those used by Windows Update/SUS 1.0, so their results can be inconsistent. In general, Windows Update has more updates in its catalog than are contained in Mssecure.xml, which is limited to critical security updates. Conversely, Mssecure.xml includes patches for Windows NT® 4.0 and some older versions of Internet Explorer that are not included in Windows Update.

For more information about products that are detected by MBSA and specific patches that are not detected, see Microsoft Baseline Security Analyzer (MBSA) returns note messages for some updates in the Microsoft Knowledge Base.

Q.I have confirmed that my clients are scanning with the latest catalog. Why are my clients not detecting a patch, even though it is listed in the latest security catalog file, mssecure.xml?
A.

The security patch catalog file, Mssecure.xml, includes all security patches released by Microsoft. SMS uses the MBSA tool to detect patches. MBSA has certain limitations that cause specific products or patches not to be detected even though they may be listed in the catalog.

For more information about products that are detected by MBSA and specific patches that are not detected, see Microsoft Baseline Security Analyzer (MBSA) returns note messages for some updates in the Microsoft Knowledge Base.

Q.The Distribute Software Updates Wizard (DSUW) automatically downloads English security updates. Why doesn't it download international security updates automatically?
A.

At this time, the software update catalog is only available in English and Japanese. Automatic downloads may occasionally fail for English and Japanese as well. The following steps provide a recommended workaround solution:

1. In the Distribute Software Updates Wizard property page, click the Download button.

2. Navigate to the download page in the browser, select the appropriate language for the software update, and then download it to the appropriate location.

This topic is further documented in the SMS 2003 Operations Release Notes.

For More Information

For more information on the SMS Software Update Services Feature Pack, refer to the resources below:
