Patching Problems Part 1

I knew I would have to patch the OpsMgr system that I am working on at some time as the organisation I am working with is putting in Exchange 2007. At least now you can get the patches without having to phone Microsoft. Just request them and they will e-mail you a link.

Kevin Holman has a great post on all the hotfixes and which ones supersede which ones: http://blogs.technet.com/kevinholman/archive/2008/09/12/what-hotfixes-should-i-apply.aspx

There is always the great debate about applying patches with the philosophy of “if it ain’t broke then don’t fix it”. Although that used to be my philosophy years ago, I am much more of the philosophy that you need to keep up to date. However, I decided I definitely needed 2 patches for this environment – KB 954903 and KB 956689.

Having read the docs I knew I had to apply them to all management servers and gateway servers. And as Kevin says – check that the versions of the DLLs have been updated just to make sure. That went well and then back in the console all the agents popped up as Pending as they needed the updates. I went about approving them. As these were in different environments with different domains I had to approve them per Management Server or Gateway as it needed the primary management server and an administrator user for those servers. No problem as the Agent view can neatly group them by management server.

Kevin also has some great posts on checking that the patches have been applied.
By reporting
http://blogs.technet.com/kevinholman/archive/2008/06/27/a-report-to-show-all-agents-missing-a-specific-hotfix.aspx

By State View and SQL Query
http://blogs.technet.com/kevinholman/archive/2008/06/24/how-do-i-know-which-hotfixes-have-been-applied-to-which-agents.aspx

And how the hotfix process works
http://blogs.technet.com/kevinholman/archive/2008/06/25/a-little-tidbit-on-hot-fixes-for-opsmgr.aspx

And as he says, the patch list is all in one 256-character field. The two patches I applied took up 241 characters already! This is not good. There is so much junk in there taking up space and you really need to know what patches have been applied.

System Center Operations Manager 2007 Agent installed.{7EEAF9D0-F78D-4C94-874E-66A756A4C510},C:\WINDOWS\Installer\fd1b6428.msp,KB 954903,20080916; {668B6309-9D96-405D-8B98-439C9C5A9A37},C:\WINDOWS\Installer\1874861.msp,KB 956689,20080917;

A bug has been raised on this but there is no fix yet. Everyone should contact them and tell them that this needs fixing!

The actual patching sounds simple enough but I ran into a couple of problems.

The first was that after I approved the pending agents and looked in the State View I had created, some fields were bigger than others. Using the SQL queries provided in Kevin’s blog I queried the SQL database and copied the results into an Excel spreadsheet.

select bme.path AS 'Agent Name', hs.patchlist AS 'Patch List' from MT_HealthService hs
inner join BaseManagedEntity bme on hs.BaseManagedEntityId = bme.BaseManagedEntityId
where hs.patchlist not like '%954903%'
order by path

Take out the line starting “Where…” to get the full list. Or take out the not on that line to get the ones that have the patch etc. Good little query.

In the spreadsheet insert 2 columns between the servers (column A) and patch list (now becomes column D) columns. Assuming that you have put headers in row 1, then insert the following formulas into row 2, column B =ISNUMBER(SEARCH("954903",D2)) and into column C =ISNUMBER(SEARCH("956689",D2)). Then copy and paste the formula down and you should see TRUE or FALSE depending on whether the KB number is found or not.

Note that Management Servers and Gateway Servers do not show a patch list.
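
The same check can be scripted instead of done in Excel. The Python below is an added example, not part of the original post or of Kevin's queries: it parses the patch list format shown above and reports which required KBs each agent lacks. The host names and sample rows are constructed, and treating a value that reaches the 256-character limit as needing a manual check is an assumption.

```python
import re

# Constructed sample rows shaped like the SQL query output (agent name, patch list).
# Host names are made up; the patch list text follows the format shown in the post.
PREFIX = "System Center Operations Manager 2007 Agent installed."
KB1 = r"{7EEAF9D0-F78D-4C94-874E-66A756A4C510},C:\WINDOWS\Installer\fd1b6428.msp,KB 954903,20080916;"
KB2 = r"{668B6309-9D96-405D-8B98-439C9C5A9A37},C:\WINDOWS\Installer\1874861.msp,KB 956689,20080917;"
SAMPLE_ROWS = [
    ("agent01.example.local", PREFIX + KB1 + " " + KB2),
    ("agent02.example.local", PREFIX + KB1),
    ("ms01.example.local", None),  # management/gateway servers show no patch list
]

REQUIRED = ("954903", "956689")
FIELD_LIMIT = 256  # size of the patch list field, per the post

# One entry: {GUID},<path to .msp>,KB <number>,<yyyymmdd>;
ENTRY = re.compile(r"\{[0-9A-Fa-f-]{36}\},([^,;]+\.msp),KB\s*(\d+),(\d{8})", re.I)


def parse_patch_list(patch_list):
    """Return {kb_number: install_date} for every hotfix entry in the field."""
    return {kb: date for _msp, kb, date in ENTRY.findall(patch_list or "")}


def audit(rows, required=REQUIRED):
    """Return {agent: {"state": ..., "missing": ...}} for each exported row."""
    report = {}
    for agent, patch_list in rows:
        if not patch_list:
            # Nothing to parse: this row cannot be judged from the patch list.
            report[agent] = {"state": "no-patch-list", "missing": None}
            continue
        installed = parse_patch_list(patch_list)
        missing = [kb for kb in required if kb not in installed]
        state = "incomplete" if missing else "ok"
        # Assumption: a value that fills the field may have lost later entries.
        if missing and len(patch_list) >= FIELD_LIMIT:
            state = "check-manually"
        report[agent] = {"state": state, "missing": missing}
    return report


if __name__ == "__main__":
    for agent, result in audit(SAMPLE_ROWS).items():
        print(agent, result["state"], result["missing"])
```
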

What I found was that only 25% of the servers had taken both patches but all had taken the first patch. It was not a single management server or type of OS. It just seemed random. With help from Kevin I worked out what I needed to do. He said that “putting agents in pending is just flipping a bit in the database and putting them in the pending actions table. It REALLY is doing a “repair” behind the scenes when you approve them. The repair forces the agent to download a new MSI from the \Agentmanagement directory of its primary MS, PLUS any patch MSP’s present. You need to make sure ONLY the correct and current MSP’s are present, and manually delete any older ones which are not applicable. You should be able to deploy a ton of hotfixes at once, and then patch/deploy new agents. The agents should pick up all the MSP’s present.”

I checked the management servers and gateways and they all had both MSPs. As he says it is really a repair so I just did a repair on all the agents that only had one hotfix and that sorted them out.

As for the second problem, more on that later.
