How I need to approach patching our SharePoint server and installing the latest security updates

  • Question

  • I am working with a customer on a new SharePoint 2013 project. The last time I worked on a project with them was 1 year ago, when, after installing a fresh version of SharePoint, I installed the January 2016 full CU, then I ran the project configuration wizard and started implementing the new project, and everything went fine.

    Now this week, we want to start phase 2 of the project, so I logged in to the server for the first time in a year. The first thing I checked was whether they had installed any new SharePoint updates, and I found that many SharePoint security updates have been installed during the year, as follows (the ones installed on 29/01/2016 are the ones installed as part of the full CU which I did):-


     

    Now I checked with their system admin team on why these SharePoint security updates were installed, and they mentioned that they have the following patching policy:-

    1. Every 1-2 months, they patch all the Windows servers, and for this they use a tool named GIF.

    2. They install any security updates for the Windows OS and the applications installed (SharePoint in my case).

    3. And this policy is a must, as they mentioned.

    So now I am confused/frustrated/angry on how I need to approach the following 6 points, taking into consideration the above patching policy they have:-

    1. When they patch the server, they install the Windows and SharePoint security updates and restart the server, but they have never run the product configuration wizard for SP. So what does this mean? Is the SharePoint farm currently in an inconsistent state, as there are some SharePoint security updates installed but they did not run the product configuration wizard?
    2. Is there any risk that installing SharePoint security updates can break some functions or break any customization we did? Or will security updates for SharePoint not have any effect on the application data, settings and configuration? Keep in mind that some security updates for SP, such as https://support.microsoft.com/en-us/help/3115294/ms16-088-description-of-the-security-update-for-sharepoint-foundation-2013-july-12,-2016 , contain non-security fixes as well.
    3. Now I am trying not to overthink the situation as much as I can. In the end, the security updates we are installing are provided by Microsoft, so the risk of installing these updates should be minimal. Is this correct?
    4. Now let's say a security update breaks something in my farm; then I should not worry a lot, as Microsoft should provide a hotfix sooner or later. Is this correct?
    5. From a professional point of view, is installing SharePoint security updates a must and a recommended task that we should do to make sure our farm is secure, as security is at the top of our customer's requirements (and this should always be the case)?
    6. In our case SharePoint is being used as an intranet site, and there are no public-facing sites, so is security a big deal here?

    So can anyone advise on my above 6 points?



    • Edited by johnjohn11 Saturday, February 11, 2017 3:37 AM
    Saturday, February 11, 2017 3:36 AM

All replies

  • Hi johnjohn123,

    1. If the security updates of the SharePoint server are installed, and the SharePoint products configuration wizard is not run, then it means the security updates are not completely applied. The SharePoint farm is not in an inconsistent state. If there are no security updates, the main functions of the SharePoint farm can work fine.

    For more detailed information, you could refer to the article below.

    Why we recommend / require to run the Configuration Wizard also for Security fixes

    https://blogs.technet.microsoft.com/stefan_gossner/2015/09/09/why-we-recommend-require-to-run-the-configuration-wizard-also-for-security-fixes/

    2. The security updates will not break main functions in SharePoint 2013. And it may break some functions in SharePoint. To minimize this effect, you should install the security updates of SharePoint 2013 according to best practice.

    And what do you mean “it contain non-security fixes as well”?

    3. These security updates for SharePoint 2013 are tested by Microsoft product group elaborately.

    4. Microsoft may provide a hotfix later for the issue; you could keep an eye on the issue.

    5. Installing SharePoint security updates is not a must task but a recommended task. If you need to resolve some specific issues, you could install the security updates.

    6. Security updates are not a big deal in your scenario.

    Best regards,

    Sara Fan


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Monday, February 13, 2017 7:45 AM
    Moderator
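
A read-only check for the state discussed in point 1 (updates installed, Products Configuration Wizard not yet run), added here as an example and not part of the thread. It assumes an elevated SharePoint 2013 Management Shell session under a farm administrator account; the function name is hypothetical.

```powershell
# Added example (not from the thread): list what still waits for the
# Products Configuration Wizard after SharePoint updates were installed.
# Read-only; it changes nothing in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPPendingUpgradeReport {   # hypothetical helper name
    $farm = Get-SPFarm

    # Servers that run SharePoint. Role 'Invalid' marks machines such as the
    # SQL Server host that are registered in the farm without SharePoint bits.
    $servers = Get-SPServer |
        Where-Object { $_.Role -ne 'Invalid' } |
        Select-Object @{n='Item';e={$_.Name}},
                      @{n='Kind';e={'Server'}},
                      NeedsUpgrade

    # Every farm database (configuration, content, service applications).
    $databases = Get-SPDatabase |
        Select-Object @{n='Item';e={$_.Name}},
                      @{n='Kind';e={'Database'}},
                      NeedsUpgrade

    # Keep only the objects whose schema/version is behind the installed bits.
    $pending = @(@($servers) + @($databases) | Where-Object { $_.NeedsUpgrade })

    [pscustomobject]@{
        FarmBuild       = $farm.BuildVersion
        UpgradeRequired = ($pending.Count -gt 0)
        PendingItems    = $pending
    }
}

$report = Get-SPPendingUpgradeReport
"Farm build: $($report.FarmBuild)  Upgrade required: $($report.UpgradeRequired)"
$report.PendingItems | Format-Table Kind, Item, NeedsUpgrade -AutoSize
```

Any row in the output is a server or database where the update binaries are installed but the upgrade step has not been completed.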
  • Thanks a lot for your replies.

    Please find my comments inline:-

    >>The SharePoint farm is not in an inconsistent state. If there are no security updates, the main functions of the SharePoint farm can work fine.

    Can you please explain this in more detail? As I did not get your point correctly.

    >>To minimize this effect, you should install the security updates of SharePoint 2013 according to best practice.

    Also I did not get your point correctly, so can you advise more on this please?

    >>And what do you mean “it contain non-security fixes as well”?

    For example, this SharePoint security update link also contains a list of non-security fixes, as mentioned in the following text: "This security update contains improvements and fixes for the following nonsecurity issues:....". So in this case some SharePoint security updates might contain non-security fixes which might change some features and layout of my sites.

    >>3. These security updates for SharePoint 2013 are tested by Microsoft product group elaborately.

    Yes, I know those updates are being tested by Microsoft, but I faced a problem around one year ago, where installing a security update broke some features, as described here link. The problem is that when installing a security update you do not have to be on a specific farm build number, so Microsoft cannot test all the farm cases. For example, let's say a new security update is announced in Feb 2017; then some admins might install this security update while their SharePoint farm build number is January 2017, while other admins might install it while their farm build number is May 2016, and so on. So it will be hard for Microsoft to test all the cases, as each farm might have its own farm build number and patch path.

    >>5. Installing SharePoint security updates is not a must task but a recommended task. If you need to resolve some specific issues, you could install the security updates.

    But usually SharePoint security updates will fix security issues and vulnerabilities, so it is hard to examine whether a specific SharePoint security update is going to resolve some issues. This will be more valid in the case of applying non-security updates, is this correct?

    >>6. Security updates are not a big deal in your scenario.

    So if you were in my place, you would not install any security updates for SharePoint?

    Final question: is there any harm if I keep installing SharePoint security updates only, without installing full CUs, for let's say the next 1-2 years? I have not read any article on whether this is a supported scenario or not.

    Monday, February 13, 2017 2:33 PM
  • Hi johnjohn123,

    1. The security updates will resolve the problems in SharePoint, but it will not break the main functions in SharePoint. 

    2. I want to say that you should install the security updates for SharePoint according to the official documents.

    5. These updates are used to resolve problems in SharePoint. If you need, you could install these updates for your issues, whether security updates or not.

    6. If I need the security updates to resolve the problems in SharePoint, I will install the security updates.

    About harm if you keep installing SharePoint security updates only without installing full CUs for, let's say, the next 1-2 years: it is difficult to detect the harm because it depends on the SharePoint environments.

    Best regards,

    Sara Fan



    Friday, February 17, 2017 9:55 AM
    Moderator