May 20, 2005 10:08 AM PDT

Cheaper to patch--Windows or open source?

Microsoft has sparked heated debate by claiming that Windows software is cheaper to patch than open-source alternatives.

A Microsoft-commissioned study--conducted by its business partner Wipro--outlined the main areas of so-called "cost savings" by using Windows.

The survey of 90 organizations found that Windows database servers cost 33 percent less to patch than their open-source counterparts. Respondents said that, on average, Windows clients are 14 percent cheaper to patch.

The findings were criticized in several quarters, with some critics dubbing them unrealistic and outdated.

These sorts of studies can't be used as a real-world guide to the cost of patching or maintaining applications, said Frost & Sullivan Australia security analyst James Turner. "All organizations have different needs," he added.

"ROI (return on investment) and TCO (total cost of ownership) figures should be taken as a guide--they are the vendor's estimates," Turner said.

Paul Kangro, Novell solutions manager for Asia-Pacific, highlighted several problems in the research.

Although the study was conducted last year, it referred to problems faced by administrators during 2003--before significant improvements were made to Linux patching tools, Kangro said. "We didn't have tools like Xen for Linux then. When I patch my Linux box I don't need to bring it up and down any number of times."

There was also no mention of costs associated with rebooting systems after a patch is applied. "If I am patching a Windows box I typically need to find a time where I can bring it offline and reboot it. That is not mentioned anywhere in this report, which I find rather interesting," Kangro said.

However, Sean Moshir, chief executive of application patch specialist PatchLink, said that Microsoft's patches are in fact cheaper to apply than open source.

"PatchLink's finding is that on a per-patch incident basis, the Microsoft patches are cheaper to apply. Testing Microsoft patches for quality assurance and documenting their positive and negative behaviors are also cheaper than open-source software (per incident). This is mainly due to the fact the open-source software can have a much larger variety of configurations and setup," Moshir said.

Novell's Kangro conceded that "some technical issues in the past meant Linux was 'procedurally' more difficult to cope with" but said: "If I have somebody that is equally skilled on both platforms, I don't believe it is complex."

"Generally the issue is one of familiarity--people may be able to potentially patch Windows boxes faster because they have had a lot of practice," he said.

The research, titled "The Total Cost of Security Patch Management: A Comparison of Microsoft Windows and Open Source Software," is available free at Microsoft's "Get The Facts" Web site, which aims to persuade customers that proprietary software is superior to open-source alternatives.

The Get the Facts campaign, in existence for a number of years, has come under heavy fire from open-source advocates over its use of methodologies that generate TCO and ROI statistics that favor Windows.

The open-source community has retaliated with its own research showing proprietary software is more expensive to use and maintain.

Wipro is a Certified Gold Support Partner for Microsoft and has forged a strong relationship with the software heavyweight since 1999 across areas such as systems integration and .Net migration.

Survey participants were companies in the United States and Western Europe with between 2,500 and 113,000 employees.

Munir Kotadia of ZDNet Australia reported from Sydney.

I might have...
put more faith in this report if it wasn't commissioned by Microsoft and done by one of its business partners.

I have also noticed that Microsoft tends to compare its latest version with older versions of Linux. I have also noticed that when Microsoft commissions a report they tend to try to tip the favor to their own products. I'm sure that most companies do that.

This is a good example of why a report needs to be done by a company that has no benefit or gain for testing the latest stable versions of both OS and/or the different database servers. But like that's ever going to happen.

Actually what I would like to see is a report that tests an OS out of the box and one where they let the different companies come in and tweak their OSes to exploit their full potential. Although I'm sure neither would give you any real world examples, it would be interesting to see what can be done.

I would also like to see the same thing done with database servers, application servers, desktop OSes, and any other software that can be tested like that.
Posted by System Tyrant (1453 comments)
And just HOW is this surprising?
Okay, let me get this straight.

A MICROSOFT-commissioned study about a MICROSOFT weakness comes out with a pro-MICROSOFT result, and the IT world is supposed to just (continue to) lie back and say, "Well, it *was* a study! Microsoft wins again! All Hail our Redmond overlords."

Meanwhile, in some cases we've had to wait MONTHS to get a security patch when critical flaws in open-source programs are often fixed (and patches released) within DAYS. Oh, and most open-source programs don't require rebooting either.

I'm no Linux person (I don't even run Linux at work or at home), but this "study" is nothing more than giving me Salisbury steak and trying to cover it up as filet mignon. Unfortunately, too many IT managers will look at it and say, "Well, it's probably just a new recipe."
Posted by JLBer (100 comments)
Surprise surprise...
I like Microsoft and all, but I think there is something inherently wrong with them funding a study that studies Microsoft... It makes it seem as though Microsoft is just pushing out propaganda. This might not be the case, but I would believe it a lot more if it were an independent study. That's like the CEO of channel 3 saying they have better news than channel 4.
Posted by (18 comments)
They are sort'a right.
Yes. Applying patches is cheaper on Windoz. Yes, on Windoz people have much more experience of that kind. Yes. Absolutely.

Why is it so? Because most people on Linux do not apply patches. It is just done automatically. The cost/overhead of patch applying on Linux is nonexistent.

So obviously something nonexistent cannot beat The Real Thing: the true pain in the ass which is Windoz maintenance.

Of all OS update systems, the company with the deepest pockets made it the most stupid and unusable. Mac OS X, SuSE, RedHat, Debian, etc. did it simple. And it works. M$? Pumped much money into some stupid tool which was failing to download a critical update for 2 weeks?! That's just not funny, especially compared to my old Woody Debian server which had updates installed automatically from cron for 1.5 years with no problems.

And then, when you hear about the problem, how can you find out whether your Windoz is vulnerable? No way, since M$ doesn't use version numbers for subcomponents of Windoz. You have to go on-line to expose yourself further. That just sucks.
Posted by Philips (400 comments)
Microsoft funded study = biased study
Nobody can take any "study" seriously if it's funded by one side!
Posted by bobby_brady (765 comments)
Well, who ELSE would fund such a study?
Who else would fund such a study? The Keebler Elves, maybe? Would it have been 'unbiased' if Apple or Red Hat sponsored it?

If you have a problem with the study, get a copy of it and find holes in it. But complaining about who funded the study... well, that just shows you can't find substantive objections to the study results, so you have to attack the funding. A typical technique among pseudo-scientists.
Posted by (402 comments)
Only Microsoft
As the results are common sense to so many... nobody (except Microsoft of course) would waste such monies proving something that's already common sense. (* GRIN *)

Posted by wbenton (522 comments)
...and contrary results are prohibited
Doesn't M$ still threaten to sue anyone who "violates its EULA" by publishing a benchmark?
Posted by landlines (54 comments)
Microsoft vs. Open Source
Yes, it is interesting how Microsoft funds a study to compare its operating system with Linux. One thing I find interesting is that there was no mention of the past patch processes that cost companies more money than they bargained for when purchasing Microsoft products. For instance, working with Access 2000 and SQL Server 7. Any DBA and/or developer who's worked with the two would have known that this was one of the biggest patch jobs Microsoft came up with to get the two to work together.

I think the only point to this article was to say that Microsoft is simply better. It couldn't possibly be that Microsoft is cheaper, because open source is free. Patching shouldn't cost anything on either side, so we can rule that out. The choice to study patching rather than the overall cost over time is not concrete enough. You can't judge an operating system simply because patching it is cheaper.
Posted by (8 comments)
Get the fact
Microsoft patches, though easy to install, in more than 30% of cases require a reboot. This practically means getting all services down.
If I compare this with open source, there shall be at most a service disruption. However, Microsoft beats open source on the ease of installation of a patch.

From my experience in the Linux field, I have come to know that the best way to install a patch on Linux is to download the source and build it on the local server. It works.
Microsoft patch installation is idiot-proof. Linux needs a real system administrator to administer a patch.
Posted by (29 comments)
Wrong Assumption based on incomplete info
Numerous things are overlooked or circumvented in Microsoft's comparison analysis.

1. Microsoft assumes that most people will perform auto-updates making it much cheaper. This is BIG MISTAKE #1.

Most IT managers DON'T allow auto-updates because they never know when those updates will happen, they don't know what applications might be affected and/or what new problems that update might cause.

That said... the auto-update theory gets thrown right out the door.

2. Most IT managers perform a test manual update in a lab environment and thoroughly test it to become aware of any problems before they're propagated out onto their networks.

If Microsoft would fix things without breaking other things... some of this cost might be reduced, but the testing would still have to occur until Microsoft could prove that none of their patches would cause adverse effects... which is virtually impossible and thus the chances of reducing such costs is also virtually impossible.

3. At least with open source patches, you decide what patches and when to make them yourself.

Open source is open and thus so is information about its patches. Microsoft clumsily explains what some patches are, but because they're proprietary... they don't disclose the full details and as such raise all kinds of questions which require in-depth study and analysis to find out about. If you add that time into the upgrade process, Microsoft's implementation would end up becoming more expensive.

Posted by wbenton (522 comments)