I am new to the company where I work and responsible for the patch management process. Before I started here there was none. I have now implemented a patch management process, but we have a server farm of 500 Windows servers not connected to the Internet consisting of Windows 2000 and 2003 servers, with various service packs.
For these servers, I still have to see how to get up to date with the patches (some servers are missing patches from 2002 onwards). Now I have to make sure our servers are up to date with at least the critical patches of the last five years, all of which require reboots. Of course, our clients like to limit the downtime of the servers. Do you have any suggestions?
Unfortunately, patching servers to keep them current and avoid problems is a cost of doing business. You should have some type of Internet connectivity to do the patching, because that will be faster than installing patches from CDs. While some patches let you hold off on reboots until the end, I would not recommend it; I prefer to apply the patches in stages, testing the server for proper operation between groups of patches.
To minimise the potential problems, there are several things you should do first to get ready. Make sure that all the servers are showing the same time and are using the same time source. I would also look into the server resource tools to run some additional server checks to look for possible Active Directory problems, etc, before and during the patch application process.
Because of the number of servers, I'd strongly suggest looking at a commercial patch-management solution such as PatchLink -- they can make the process easier and reduce the amount of overall downtime. In any case, schedule some additional tape backups to give yourself a safety net just in case. You may also want to factor in updates for additional services such as SQL, which will need updates applied that aren't a part of the base Windows server patch process.
Your clients need to understand that there will be some downtime. With some planning and the use of a commercial patch-management tool, you should be able to go a long way in minimising the amount of downtime. Once the servers are up to date, keeping them up to date on an ongoing basis shouldn't be nearly as involved.