With Microsoft releasing more than 230 security bulletins since the beginning of 2000 - most of those requiring some sort of corrective action to fix a hole in one of its Windows-based products - the numbers speak for themselves: Windows patch management in an enterprise environment is a nightmare.
We tested four stand-alone Windows patch management products - BigFix's Enterprise Suite, Gravity Storm Software's Service Pack Manager 2000, PatchLink's Update and Shavlik Technologies' HfNetChk Pro - to find out if they improve patch deployment. (See "Not in the game" for declining vendors.)
Patch management tools should accurately identify which patches are missing on each system, provide an easy means to deploy patches and provide administrative reports tracking patch status across multiple machines.
The products we tested (see How we did it) attack the problem in two ways - with or without agent software. Agent-based products - such as those from PatchLink and BigFix - can greatly reduce network traffic by offloading processing and analysis to the target system, saving data until it needs to report to the central server. But they also force an administrator to manage software on all systems the product analyzes.
With agentless products - such as those from Shavlik and Gravity Storm - you don't have any distributed management issues, but whenever a scan is requested all tests and communications travel over the network. When scanning a domain with a large number of systems, the increase in network traffic can be quite significant.
PatchLink's Update 4.0 earned the Network World Blue Ribbon award for its ease of use, flexibility, automation and letting you easily create deployment packages.
PatchLink has two components - PatchLink Update Server and the agent. The Update Server is installed on a Windows 2000 Server with SP2 and Internet Information Server (IIS). The installation process sets up a Microsoft Data Engine (MSDE) database, which can be upgraded to a full SQL Server after installation. This upgrade is recommended for large organizations.
You can easily push the agents to targeted machines using the Agent Install Wizard, or agents can be installed during the logon process.
For management purposes, administrators connect to the PatchLink server through a Web interface, which lets you view reports, deploy packages, create packages and view system inventory.
PatchLink, the company, monitors Microsoft and other vendors, such as Citrix Systems and Adobe, for newly released patches. PatchLink engineers test the patches, put them into PatchLink's proprietary package format and deploy them to customers' local PatchLink servers through a periodic subscription-checking process, which occurs over Secure Sockets Layer at a time the administrator configures.
Administrators receive e-mail informing them of a new patch on the PatchLink server. If it is a critical patch, it also is downloaded to the Update Server on the customer's network. Noncritical patches will be downloaded at the administrator's request.
PatchLink automatically caches critical patches on the Update Server, a marked difference from BigFix and the agentless products. Caching patches is useful and the recent Sapphire/Slammer SQL Server worm proves the point. If a worm or other malicious act is taking place that slows down the Internet, how will administrators download patches to their critical servers? With cached patches, you already have the files at your location.
On the other hand, cached patches must be stored somewhere, so your system needs to include adequate disk space.
Comments (4)
Shavlik
By Anonymous on December 2, 2008, 3:00 am
Shavlik could not be easier to use, I have been using it for years without any real hassles. However their recent licensing change has made our renewal costs quadruple...
Shavlik
By Anonymous on August 12, 2008, 5:48 pm
I find Shavlik very difficult if not impossible to deploy to multiple computers at the same time. I don't have time to set up each and every computer in my network....
Same goes for GFI Languard
By Anonymous on April 18, 2007, 6:48 am
Same goes for GFI Languard network security scanner. This one should have been included as well - it's been around for ages and has established itself as one of...
Windows patch management tools
By Anonymous on March 8, 2007, 9:56 am
SMS ITMU should have been compared too from a patching perspective. It is Microsoft's enterprise patching solution and should not have been excluded.