Patching on the Rise at Microsoft

Ralph DeFrangesco

Microsoft recently admitted that it had released more patches during the second half of 2008 than it had in the beginning of the year. No surprise here, and we certainly didn't need Microsoft to tell us this. We could have looked at the history of its patches. What is surprising, in a weird kind of way, is the fact that Microsoft admitted it, which is something you don't see the software giant do all that often. Now let's look at the facts:


  • Microsoft fixed 67 percent more flaws in the second half of 2008 than in the first half.
  • It released 17 percent more security updates.
  • It patched 97 vulnerabilities in 42 separate security updates, compared to 2007 in which it patched 58 vulnerabilities in 36 updates.
  • During the second quarter, it released several multi-patches including:
    • MS08-052 - a five-patch update
    • MS08-058 - a six-patch update
    • MS08-072 - an eight-patch update
    • MS08-073 - a four-patch update


It would be easy for me to take a shot at Microsoft. However, I am not going to. I don't see how that would help anything. What I am going to do is offer advice. I don't pretend to know the first thing about running a software company, but as a user and security professional, I can offer my two cents to improve security and reliability:


  1. Don't redesign Windows again. We were all used to where things were and you moved them. Less frequent updates should equal less frequent patching.
  2. Don't redesign MS-Office again. See above.
  3. Remove all of the unused functions; they just take up space and cause vulnerabilities.
  4. Design with security in mind, not as an afterthought.
  5. Improve the graphics manipulation capability in MS-Word (my pet peeve).
  6. Why is the code for Windows so large? Code bloat.
  7. Cut down on the versions of Windows. It's too confusing.
  8. Microsoft has never provided a decent backup facility for Windows. Now is the time.


I truncated my list for brevity. My point here is that a good deal of Microsoft's problems come from the fact that it keeps changing rather than improving. Windows has been out since the 1980s. That means that Microsoft has over 25 years of experience with this product. Wouldn't you think it would have the bugs worked out by now? What do you think Microsoft could do to reduce the number of patches it releases?

Apr 22, 2009 2:31 AM David Corbin says:

"What I am going to do is offer advice. I don't pretend to know the first thing about running a software company".

Assuming you are not a medical doctor, would you offer advice about surgical options? More importantly, would you expect anyone to care about your advice (never mind listening to it)?

I have been a professional software developer for over 32 years, and have run my own development firm for the past 25. Out of the items you listed, only #8 (backup software) has ANY merit whatsoever.

The code changes involved in Vista (and Windows 7) were primarily to design in security from the ground up. Yet ignorant users complained.

Windows 7 has a SMALLER footprint than Vista, even with additional features.

The number of versions of Windows is driven by the marketplace (primarily based on $$$). If Microsoft was to suddenly offer just the "Enterprise" class of products, do you think people would willingly pay the higher price for features they don't need/use?

I would recommend that you stop posting advice on topics you admittedly know nothing about.


David V. Corbin

President / Chief Architect

Dynamic Concepts Development Corp.

New York, NY

Apr 22, 2009 5:08 AM blogster99 says: in response to David Corbin

Look Hardcore, the original poster has a lot of valid complaints. I've been in the IT business for quite a few years too. Let me repeat. The first poster has other valid concerns:

#2 is valid. Don't redesign the user interface (the ribbon), AGAIN!

#5 is valid. In short, it sucks. Deal with it. (And improve it, MS.)

#8 is valid. The tools are pretty limited compared to other products like Acronis and Ghost, but it's getting better with Vista.

And please don't write a short novel to my reply. I won't be back.

Apr 22, 2009 6:03 AM Bill Morgan says: in response to blogster99

Microsoft has taken a step backwards with their design philosophy with VISTA. I, or should I say we, have all suffered trying to live with this type of operating instability and slow performance. But Microsoft has suffered even more. Their reputation as the Prime software supplier has suffered as well as their market share. They are beginning to look like IBM did a few years ago when they began to fail to satisfy the vast customer base they enjoyed. I had confidence in Windows XP, it has been a great product. I have little confidence in VISTA and tolerate it because I have to. If a viable opportunity to jump to another operating system does arise I would sadly leave Microsoft behind. I might even pay to go back to the more workable and stable XP platform. I suspect I am not alone. VISTA has also failed to deliver in the security sector as well.

Apr 22, 2009 6:45 AM David Corbin says: in response to blogster99

blogster99 (and others who feel the same way),

I have no problem conceding #5 (MS-Word Graphics), but that is a single feature of a single product rather than a strategic issue.

For #2 (UI re-design), there are always the following groups of people to consider when any vendor makes a change to any product

a) Existing users who will abandon the product because of the change

b) Existing users who do NOT like the change, but continue to use the product

c) Existing users who do not have a strong opinion on the change

d) Existing users who LIKE the change.

e) New users whose choice is NOT influenced by the change.

f) New users whose choice is (positively) influenced by the change.

g) People who will NOT choose the product, independent of the change

h) People who will NOT choose the product BECAUSE of the change.

"f" is typically the largest target market, and "d" may have an impact on how they influence others.

"a", "h" are definitely "Negatives", and "b" may have an impact on how they influence others.

"c", "e" and "g" are "zero-sum" and do not overly influence the impact of the change.

The majority of market studies show that "e", "f" have been quite significant (these are people who have NOT used the product previously, are introduced to it and LIKE it). There is very little material supporting a significant population in "h".

So the real question is "Is (f+d) > a"? If the answer is yes (which is my take on all of the available information), then the decision (taken independently of other considerations) was the correct one.

Speaking personally (experience and professional observation), I found the first few weeks (3-6) of using Office 2007 to be a bit frustrating, and questioned the decision to make the UI changes. However after using it for well over a year, I hate having to go back and work with prior versions.

I also wonder how many people who "praise" XP (including the UI) remember how strong the complaints were (circa December 2001) about both the amount of resources it required and the desire to retain the Win98/Win2K type user interface. People tend to resist change simply because it is change without doing an objective analysis of the impact of the change over time.

Apr 22, 2009 9:32 AM Jason Hall says: in response to David Corbin

Thank you for the post. I was reading a comment made by a reader, David Corbin. I have a few comments of my own.

To start, your blog does have merit. If one were to read it through, they would see that the point you are making is that more patches have been released in their recent OS, and that patches have been provided for patches. Kind of an oxymoron. I do agree wholeheartedly that one must first consider what they are using when comparing XP to Vista (for example). I would assure you that the majority of clients I support are doing the same things they were doing before. So why upgrade? They have to. As upgrades or new releases come out, it usually means that we spend more time finding things than recognizing new features. Usually features that are not useful to business users, thus causing more security holes as you mentioned.

As for David's comments, I am surprised to read his response given his background in software development. For example, I am not a software developer but I could tear his response up to make him feel like he knows nothing about software. But that defeats the purpose of a blog. It is for sharing ideas and opinions. His doesn't yield a response. He must have had a bad day.


Apr 22, 2009 10:36 AM David Corbin says: in response to Jason Hall

Actually I have been having a rather good day. But I do get extremely frustrated when a person who admits to knowing nothing about a subject matter posts advice on the topic. Posts which ask questions, trying to understand the rationale for something they don't understand and wish to understand, are a totally different matter.

In my second post I detailed part of the process which goes into making decisions during software development and the product lifecycle. Over the past year my company has invested significant time (translation $$$) converting many of our products from "Windows Forms" to "Windows Presentation Foundation". The reality is that this effort provides absolutely ZERO benefit at the actual level, but it makes the initial impression (including just seeing screen shots in advertising material) significantly more attractive to prospective buyers.

At the same time this UI change is taking place, we are adding additional functionality (that could have been added just as easily without changing the UI significantly). There WILL be customers who will NOT purchase the upgrade (or renew support) because they don't like the new UI; but we believe that there will be more people who upon seeing the visuals will be "intrigued" enough to evaluate the product (where they may have completely passed over the product seeing the older UI).

This decision will have a significant impact on the company's financials. If our analysis is correct the new sales will far outweigh the lost customers. IF we are wrong, then sales will decline significantly for these products (even flat sales would represent lost net revenue because of the development costs). All I can say at this point is the decision is based on information that has served us well during the quarter of a century since our founding in 1984.

This also (indirectly) addresses the earlier comment about "Market Share". One of our early products had a 90%+ market share for the three quarters it was released. Average sales were about 70 copies / month. Then two competitive products came out. This dramatically increased awareness of the need for such a tool. Over the next two quarters our estimated market share dropped to only about 25% of the market...but the market had exploded due to the increased awareness (and the larger advertising budget of the competitors) and our actual sales had actually climbed 500% (350 copies/mo). This just illustrates that market SHARE is not always a meaningful measurement (the exact opposite can be true where you capture a larger and larger share of a rapidly shrinking market - resulting in lower sales even with a higher share).

Does this mean I think Microsoft did "everything right"? Heck no! They have made (in my professional opinion) some very serious mistakes. But I would much rather see objective material that looks at the decision processes that yield various results (in a quantifiable manner) than posts such as Ralph's.

ps: Regarding the actual title, and initial part of the original post...Microsoft could very easily drop the patch rate to ZERO. Simply by waiting until there was enough for a full service pack. Also look at the most recent security challenges between the various OS vendors and how well Microsoft has actually performed (on machines that were fully and properly patched on a timely basis)....

Apr 22, 2009 11:19 AM Ralph DeFrangesco says: in response to David Corbin


I would normally thank someone for taking the time to post in this blog. In this case I will make an exception because I don't want to waste my words on someone that can't respect an opinion without being nasty.

I see that you are a (Microsoft) application developer, I will write this slow so you understand it...

Let's start with your lame comparison about a medical doctor...what?

I want to make sure that I understand this. 32 years in the industry and you feel that there has been no code bloat in Windows? You must have worked at Microsoft because they are the only other people that feel that way. I was being nice in my original blog. Windows has so many problems with it that it is the only operating system with a day of the month named after it, Patch Tuesday.

So Windows 7 is smaller, who really cares? Saying that is like saying that trimming the eyebrows on an elephant makes it lighter (see I can use a lame comparison as well). Here is another flash skippy, the consumer voted and Vista lost. Let's see, Windows is the only operating system that you can buy with a down grade, nice feature.

Since you like my advice so much, let me offer more; start coding for one of the big-boy operating systems and leave Windows 7 to crash and burn. What percentage of desktops has Microsoft lost over the past few years? Pick a number, any number, it's all negative. It will just be a matter of time before they lose more to Linux and MAC OS.

Finally, the only new thing that has impressed me that has come out of Microsoft is that PC-MAC commercial...oh wait, that was from Apple, never mind.

P.S. I didn't mind your second post. I enjoy the fact that we are all passionate about technology. If you are going to be insulting, I suggest that you find another blog to post to because you are not welcome here.

Apr 23, 2009 7:05 AM David Corbin says: in response to Ralph DeFrangesco

Ralph,

It seems you are the one who has a negative attitude rather than me. I was simply pointing out that your post contained no metrics or analysis, and that it was basically a negative rant without any material (see my comment on providing advice to a supplier below) to back it up. It was YOU who explicitly stated you knew nothing about "running a software company".

Let's look at your last post about "bloat". The accepted definition is "unwarranted or excessive growth or enlargement". Growth or size does NOT constitute bloat; it must be unwarranted or excessive.

This can be looked at in a number of ways....

The first is "feature" bloat. Capabilities of the product which are "unwarranted". (Nearly) every product has at least some features which are not needed/used/wanted by at least some of the users. But in order for an item to qualify, it really needs to be something that has a negative impact on the users who don't use it and/or fails to provide a benefit to sufficient users to increase the adoption of the program.

To quantify this, one should list ALL of the features provided by the product, then break them down by their impact on the ENTIRE user base. At this point one can calculate the ratios of features to user impact and arrive at a measurement.

The second is "implementation" bloat. This is where a product requires more resources (e.g. CPU, Memory, Disk) in an "unwarranted" or "excessive" manner.

Here one must be very careful. I well remember spending weeks tuning programs so they would fit in 4K or less memory. It was necessary based on the capabilities of the hardware. The growth of hardware capabilities has rendered this pointless for most applications.

To arrive at a measurement in this area, one needs to measure the "costs" that would be involved in creating a "lighter" implementation. These involve direct development costs, impacts on extensibility and maintainability, and also reliability. One needs to address each element of the product both individually and in the context of the entire product and calculate the costs of each approach.

As far as your observation that I am "a (Microsoft) application developer", that is true, but incomplete. Approximately 60% of my "development" in the past 10 years has been on Microsoft platforms (using Microsoft and other vendors' development tools), but a full 40% has been on Linux, Mac, Embedded Systems, and legacy operating systems VMS, CICS, etc. The vendor in question for this topic is to a fair degree immaterial. It is the approach of your posting that I have been questioning.

Things would be significantly different if the post had been in terms of "Vendor X spent $$$ on A instead of B...." then provided an objective analysis of what "B" would have provided (in terms of revenue, user adoption, etc.) and why that would have been more "appropriate".

This type of analysis requires an in-depth understanding of what is driving the vendor (and/or market); and is directly related to my original analogy of a person having medical experience before offering medical advice. The goals of a supplier (increased net revenue) are distinct from the goals of a consumer (solving a problem). To "offer advice" to a supplier in a meaningful way IMHO must be done in such a way that the supplier will see the information as a means of increasing sales or reducing costs.

Returning briefly to the XP / Vista comparison. XP ran extremely poorly on a 2-3 year old machine built 1998, 1999 when it was first introduced. By the mid-life point, machines had grown in capabilities that most machines still in the field easily ran XP. Yet when Vista was introduced people's expectations were different, even though the situation was very similar...

Apr 23, 2009 8:44 AM Ralph DeFrangesco says: in response to David Corbin

I see that you really don't get it. The original post was about PATCHING. If you took the time to read it, you will see that it is filled with quantitative information. I'm not sure of your background so let me include a definition of quantitative - "of or pertaining to the description or measuring of quantity. Of or pertaining to a metrical system"

Now let's look at my original post...

Microsoft fixed 67 percent more flaws in the second half of 2008 than in the first half.

It released 17 percent more security updates.

It patched 97 vulnerabilities in 42 separate security updates, compared to 2007 in which it patched 58 vulnerabilities in 36 updates.

During the second quarter, it released several multi-patches including:

MS08-052 - a five-patch update

MS08-058 - a six-patch update

MS08-072 - an eight-patch update

MS08-073 - a four-patch update

These are metrics. You can verify this information right from Microsoft. The remainder of the post was my opinion on how I thought that Microsoft could have cut down on the amount of patches. The key here is my opinion. In case you are not aware, this is a blog. A blog is where people express their opinions. Let me help you again here. I am enclosing the definition of a blog - "An online journal where an individual, group or corporation presents a record of activities, thoughts, or beliefs."

Understand yet?

