Patch Management 101

Is that software you're operating, or a worn-out, leaky boat? As soon as you patch one leak--a hole in the software code that allows hackers to abuse your system--another one springs up.

And some of those patches make things worse, not better. Sailors know that if a ship is going down, you don't drill a hole in the hull to let the water out. Don't you sometimes wish software programmers were that smart?

But let's face it: Computer applications today are in constant need of repair. I'm here to give you some advice about when and how to download and install the patches that update your software--fixing problems and adding (hopefully) useful features. And just as important, I'll tell you when to skip a download and let things be.

In general, I've got two rules for patch management.

Basic Rule No. 1: You should regularly update any program you depend on for security, such as an antivirus program or personal firewall. The scum of the Internet keeps up to date; you can't afford to let them get ahead of you.

Basic Rule No. 2: When it comes to programs that aren't related to security, if it ain't broke, don't fix it. The new software version is probably slower than the old one. And although it isn't likely, the latest update could create a conflict that wasn't there before. So upgrade only if you really need to--or if, because of some neat new feature, you really want to.

Of course, Microsoft Windows and its gaggle of associated programs (Internet Explorer, Outlook Express, Media Player, etc.) require a rulebook all their own.

On one hand, many of the software patches Microsoft issues are security related--although most people could avoid the harm that Microsoft's buggy software causes by running third-party security programs or simply practicing safe computing (i.e., don't open e-mail from people you don't know). On the other, the software behemoth also updates its software to add features that you may or may not want.

How do you decide if a Microsoft patch is a must-have or a may-have? And what's the best way to keep your system updated without going crazy? Let's start by getting better acquainted with Microsoft's update service.

Windows Update 101

Computer user, meet Windows Update. Depending on how your system is set up, it could be working its magic without your knowledge, but I thought a formal introduction would be a good idea.

Select Start, Windows Update (in Windows 98, 2000, or ME) or Start, All Programs, Windows Update (in Windows XP) to launch the Windows Update Web page. You may be asked if you want to install and run Windows Update; you do.

Once you see the Windows Update page, click the "Scan for updates" link. The update service will compare its catalog of downloads against what is running on your PC. After it examines your system, Windows Update will give you another option to click: "Review and install updates."

Now you get to examine all of the available patches for your version of Windows that you haven't already installed on your PC. Unless you're a studious updater, you may find Microsoft has lots of suggestions for software you might want to download and install. You'll find them separated into three categories: Critical Updates and Service Packs, Windows (titled for your particular version, such as Windows XP), and Driver Updates. Let's consider each one.

Critical Updates and Service Packs: Every update in this category--and only this category--is already selected for downloading and installation before you pick and choose. You should install everything that Windows Updates puts in this section. I'd caution you to think about two, though.

The first is Internet Explorer 6.0, identified in the update window as Microsoft Internet Explorer 6 Service Pack 1. This is a big, slow upgrade; and frankly, the difference from earlier versions isn't worth the time. To remove it from your menus of update patches, click the Remove button. (Note: If you're running Windows XP or you've already upgraded to Internet Explorer 6.0, you won't see this option.)

The second is Windows XP Service Pack 2, which is due to launch in August. On one hand, it's a major upgrade--a long download and a significant reworking of your operating system. On the other, PC World put a late beta version of SP2 through its paces, and it was impressive. Among its features are a major overhaul to Windows' built-in firewall and the addition of a Security Center Control Panel.

Windows: Go ahead and scroll through this section to see if there's anything worth downloading, but chances are there isn't. What criteria should you use? If you see a patch for a problem you know you have, go ahead and get it. If there's a new feature you want, ask yourself how much you really need it. Keep in mind that installing new software always means changing what might already be a stable system.

Driver Updates: Conventional wisdom states that you should update your hardware drivers regularly. I don't believe that's entirely necessary, but if your computer is behaving oddly (or at least more oddly than usual), try updating your drivers, one at a time, until either the problem goes away or all of your drivers are updated.

But how do you update drivers? You can start at this section in Windows Update, but several of the drivers you need probably aren't listed here. The next place to go is each vendor's Web site, but this can be annoying and time consuming--it's astonishing how hard it is to find your way around some of these sites. If worse comes to worse, go to your favorite search engine and search for the name of your hardware and the word driver.

After you've made your selections in all three update categories, click "Review and install updates," make one last check of what you selected, and click "Install Now." This starts the download and installation process.

If you're lucky, you can go for a snack and Windows will handle all the patchwork. If you're unlucky, one or more of your updates will insist on being downloaded and installed separately, instead of with all the others. It may then require you to reboot your system, revisit Windows Update, and start over again to download all the other patches you wanted.

Automate Windows Update

If you don't want to remember all these details, you can make the whole Windows Update process automatic by doing one of the following, depending on which version you use.

Windows 98: In Windows Update, when you're selecting which patches to install, go to the Windows section (here called "Windows 98 and Windows 98 Second Edition"), select the patch called "Windows Critical Update Notification," and click Add.

Windows 2000 and ME: Select Start, Settings, Control Panel. (In ME, you may then have to click "view all Control Panel options.") Double-click the Automatic Updates icon for a dialog box of options. You can probably figure out where to go from here.

Windows XP: Select Start, right-click My Computer, select Properties, and click the Automatic Updates tab. You'll get the same dialog box as in 2000 and ME.

These options, by the way, automatically do pretty much what I've laid out earlier. They download the critical updates, but not the service packs or less important Windows updates and drivers. So it's still a good idea to visit Windows Update on your own every month or two to see if there's anything worth downloading.

Two Computers, One Download

Downloading updates takes time, especially if you have a dial-up connection. And if you have two computers, the process takes twice as long.

The solution is visiting another Web page: the Windows Update Catalog, where you can download the patches without installing them. You can then put them on a CD or local network and share them among your computers.

But there's a catch: The catalog doesn't scan your PC to determine what updates you already have. If you're going to use the catalog, you need to keep track of your updates yourself. If you're not comfortable with this, skip the catalog.

To use the catalog, go to the Windows Upload Catalog page. Click "Find updates for Microsoft Windows operating systems," select your version of Windows, and click Search. Then pick the programs you want to download.

You can also put a link to the catalog into Windows Update's menu. After you open Windows Update as described earlier, click "Personalize Windows Update" in the window pane on the left. In the right pane, check "Display the link to the Windows Update Catalog under See Also," and then click "Save Settings." Now Windows Update Catalog will appear as an option in the left pane, under--you guessed it--"See Also."

When Updates Go Wrong

As I mentioned, updates sometimes make things worse. So, you might ask, why update anything? Because the danger of not fixing security problems is greater than the danger of fixing them.

Luckily, you can undo some Windows patches. In Windows Update's left panel, click "View installation history." This brings up a list of the updates you've downloaded and installed. If you see a "Read more" link, click it and scroll to the bottom of the resulting browser window for uninstall instructions.

But what if there is no "Read more" link or uninstall instructions? Unfortunately, your options are limited. If you're using Windows ME or XP, you can use System Restore to bring Windows back to an earlier condition, but this may not work. If you use a more robust system backup program such as Symantec's Norton GoBack or Recovery Commander (in V Communications' Fix-It Utilities), you can try that.

Or you can just be patient. Microsoft usually fixes bad patches within a few weeks. Hopefully the new patch that fixes the old patch won't need another patch.

PC World Contributing Editor Lincoln Spector writes the monthly Answer Line column.