In the October 13 edition of the Security UPDATE newsletter, I wrote a stiff editorial expressing my concern over the locations Microsoft uses for the various patches it releases. I wondered aloud if anyone at Microsoft would read that editorial and take action and, as it turns out, someone at Microsoft did read it and respond quickly.

I recently received a detailed message from Scott Culp, Security Product Manager for Microsoft. Scott was kind enough to clear the air for me about patch locations. In the past, most of Microsoft's patches have appeared on its FTP server. However, some patches only appear at the respective product's Web sites. For instance, Office-related patches don't show up on the FTP site, but BackOffice-related patches do show up on the FTP site.

In an effort to consolidate these locations and provide easier access to the relevant material, Microsoft now uses two Web sites: the WindowsUpdate site and the Windows Download Center site. The WindowsUpdate Web site uses automated detection to determine which patches, upgrades, or add-ons your particular computer might need. Users must access the site using a browser that lets Active Scripting (namely JavaScript) run on the desktop. The site also requires that the user install an ActiveX control that facilitates the download and installation of any patches. I tested this Web site and found that it works fine, as long as you only need to patch a few computers. If you must patch numerous systems, using this Web site would take an eternity because every system must connect to the site to determine what patches that system needs.

In situations where you must patch many machines, the Windows Download Center is a much better choice. The Windows Download Center performs no automated detection on a user's computer. Instead, the site lets the user select a product name, an OS, and a sort order. The site then displays all available patches for that product and platform. Although the site forces you to use ActiveX Controls (server-side Active Server Pages—ASP—code would work as well), I found that the site is easy to use and works well in locating necessary patches and updates.

Scott also told me about publishing policies regarding mission-critical patches. Because updating content on these Web sites requires some amount of production time, the sites might not always be the best choice for making patches available to the public in a timely fashion. When timeliness is paramount (such as with a security patch), Microsoft will post the fixes to its FTP site for immediate access while it updates its download Web sites.

The way to determine the location of a critical fix is to read the associated Microsoft security bulletin, which always contains details regarding patch availability. In cases where Microsoft publishes its patches to an FTP site first, the company will quickly integrate the patches into the WindowsUpdate and Windows Download Center Web sites for a single point of access to all patches. Keep in mind that both of these sites are under development, and not yet feature complete.

In addition, the Security UPDATE newsletter will inform you of security patch locations for any product that relates to Windows platforms, including security patches from third-party vendors. Until next time, have a great week!