Superseded patch settings - Patch at your convenience!

Patch management varies from environment to environment. The operating systems, software versions, and applications your network needs for business-critical activities greatly influence the type of patching you require. You might be running applications that require regular updates, applications that are only compatible with certain versions of the software, or have various other requirements specific to your environment. To cater to such cases, we have introduced extended support for superseded patches. This document explains what this new feature entails, how to enable it, and what the expected behaviour is.

What are superseded patches?

If a vendor releases a patch or an update that includes or replaces an earlier patch, the new patch is called the superseding patch and the older patch is called the superseded patch. Sometimes Microsoft and other vendors wrap multiple releases into a single package, and that package replaces all similar updates before it. In this case, the updates replaced by this single package are called superseded patches.

How can you tell if a patch is superseded?

To check for superseded patches in ManageEngine's patch management products, navigate to Patch Mgmt --> Patches --> Supported Patches view. Here you can create a filter with the status = Superseded to get a list of all the supported patches that have been superseded.

Do we need to install superseded patches?

Generally, we don't need to install superseded patches. We save network bandwidth and installation time if we deploy the superseding patch (i.e., the single update that packs the previous updates) instead of two or three separate updates. The newer patches might also come with fixes for the superseded patches, so to stay up to date, it is better to install the latest patches. However, some organizations might wish to deploy the superseded or older patches for various reasons, some of which are listed below.

What are the cases that require installing superseded patches?

  1. Server patching: Admins who patch servers sequentially might not finish patching all of them by the time a new version of the patch (the superseding patch) is rolled out. This can leave different servers on different versions of the patch. In such cases, it is useful to keep the superseded patches and install them so that all your servers run the same version.
  2. Organizational requirements: Some organizations have explicit policies to install older patches, as they wait a few weeks to see whether newly released patches are bug-free before deploying them in their environments. Such enterprises can enable and use the Superseded patches option.
  3. Third-party application patching: Some applications might be compatible with older versions of the software (the superseded version of the software). The new version might cause these applications to misbehave, and you might wish to avoid this. In such cases, you can skip the newer patch version and install the superseded stable version.

ManageEngine's Enable Superseded patches option

The reasons stated above are only a few of the actual requirements that enterprises have. To tackle such situations, ManageEngine has introduced its latest option, "Enable Superseded patches". This option is available for Windows OS. With it enabled, superseded patches remain available for deployment for 3 months after they have been superseded. During that period they can be found under the 'Missing Patches' tab, if admins want to install them on machines missing them.

Steps to enable this option:

  1. Navigate to Admin --> Settings --> Patch Database settings.
  2. Click on the Enable Superseded patches option to retain superseded patches for a period of 3 months.
  3. Once this is done, you can find the superseded patches in the various views under the Patches tab after the subsequent sync between the Central Patch Repository and the Patch Manager Plus server.

Behaviour - What happens when this option is enabled?

Once the option is enabled, the superseded Windows OS and non-OS (third-party application) patches of the past 3 months are made available under the various patch views (Missing patches, Installed patches, Applicable patches, and Supported patches).

Question 1: What happens when we select all patches of the past 3 months in one deployment? - In this case, the agent will install the oldest patches first.

Question 2: How are third-party patches with dynamic URLs handled? - By dynamic URL, we mean that newer versions of the patches are made available at the same URL, replacing the older versions. In such cases, if the Superseded patches option is enabled, the admin must download the older patches before they are replaced with the latest ones.

Question 3: How does this option reflect on the Decline patches feature? - Usually when a patch is declined, the superseded versions are also automatically declined and not shown under the Missing patches view. But if the 'Enable superseded patches' option is selected, even when a particular patch is declined, the superseded version of it is still shown under the Missing patches tab.
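
The behaviour described above (the 3-month window, oldest-first installation, and the interaction with declined patches) can be modelled as follows. This is an added example, not ManageEngine's code: the patch IDs and dates are constructed, "3 months" is approximated as 90 days, and every patch in the sample is assumed to be missing on the target machine.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumption: the page says "3 months"; this model approximates it as 90 days.
RETENTION = timedelta(days=90)

@dataclass
class Patch:
    patch_id: str                         # constructed ID, not a real patch
    released: date
    superseded_on: Optional[date] = None  # None means it is still the latest
    declined: bool = False

def missing_patches_view(patches: List[Patch], today: date,
                         option_enabled: bool) -> List[str]:
    """Return the patch IDs offered for deployment, oldest release first."""
    offered = []
    for p in patches:
        if p.declined:
            continue  # assumption: a patch that is itself declined is not offered
        if p.superseded_on is None:
            offered.append(p)
        elif option_enabled and today - p.superseded_on <= RETENTION:
            # Shown even when the patch that superseded it was declined (Question 3).
            offered.append(p)
    offered.sort(key=lambda p: p.released)  # oldest installs first (Question 1)
    return [p.patch_id for p in offered]

# Constructed sample data: EX-001 -> EX-002 -> EX-003 is one supersedence chain
# whose latest member was declined; EX-OLD fell out of the retention window.
TODAY = date(2024, 4, 1)
SAMPLE = [
    Patch("EX-003", date(2024, 3, 14), declined=True),
    Patch("EX-OLD", date(2023, 6, 1), superseded_on=date(2023, 7, 1)),
    Patch("EX-002", date(2024, 2, 14), superseded_on=date(2024, 3, 14)),
    Patch("EX-004", date(2024, 3, 20)),
    Patch("EX-001", date(2024, 1, 10), superseded_on=date(2024, 2, 14)),
]

if __name__ == "__main__":
    print("option off:", missing_patches_view(SAMPLE, TODAY, False))
    print("option on: ", missing_patches_view(SAMPLE, TODAY, True))
```

With the option on, declining EX-003 no longer hides EX-001 and EX-002, so review the Missing patches view after enabling it if you rely on declines to keep a patch line off your machines.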