Microsoft's monthly Patch Tuesday rhythm has been running since October 2003. Five months in, the operational pattern is clearer; a short note on what the rhythm actually produces.
The rhythm itself
The pattern Microsoft committed to:
- Security advisories shipping on the second Tuesday of each month.
- Out-of-band emergency advisories possible but rare.
- Pre-notification to specific customers under embargo three days ahead, allowing some operational planning.
- Each advisory includes a severity rating (Critical / Important / Moderate / Low), the affected products, mitigations and workarounds, and the patch itself.
The rhythm has held: October 2003 through March 2004, every month on schedule. The exception was the out-of-band MS04-011 treatment around the LSASS vulnerability, but that emerged after the Sasser trajectory; the regular cadence has been undisturbed.
What operators get from the rhythm
Three operational benefits.
Predictable maintenance windows. Rather than scrambling to deploy patches whenever they ship, operators can schedule monthly maintenance windows aligned to the second Tuesday. The cumulative operational discipline is meaningfully better than the previous reactive pattern.
Better testing time. The pre-notification window gives operators with mature testing pipelines a few days to validate patches against their estate before deployment. The cumulative deployment confidence improves; specific application-compatibility issues surface in test environments rather than in production.
Cleaner risk conversations. "When are you applying the September patches?" is a question with a coherent answer; "When are you applying patch X?" was a question that required tracking dozens of separate timelines. The conversation with non-technical leadership is easier; the operational discipline is more visible.
What is being lost
Two costs to the rhythm.
Embargoed vulnerabilities stay unpatched for longer. Microsoft now sometimes sits on a vulnerability for weeks until the next Patch Tuesday, even when researchers have disclosed it privately. The operational logic favours the rhythm; the security trade-off is that a vulnerability known privately may leak to attacker channels during the wait.
Patch Tuesday is a target. Attackers know when patches ship. The window between disclosure and operator deployment is now predictable. The patch-to-exploit gap I have been writing about for years has a more visible structural shape.
The Sasser timeline is informative. MS04-011 published 13 April 2004; Sasser appeared 30 April. Seventeen days. Most of that time was operators deferring deployment; some was attackers building the exploit. The rhythm gives both sides a more predictable timeline.
What I am doing
For my own infrastructure: patches deployed within 72 hours of Patch Tuesday for any host running an affected service. The cumulative discipline produces bounded exposure.
For client deployments where I have advisory roles: 7-day deployment as the default, accelerated to 24-48 hours for any patch involving remotely-exploitable network-facing services.
For my structured-log analysis: tracking the exploitation activity that emerges in the days following each Patch Tuesday. The patterns inform the deployment urgency for subsequent months.
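The deployment budgets and the post-Patch-Tuesday log tracking described above, as an added worked example (my code, not the author's tooling). It computes the second Tuesday of a month, derives each host's patch deadline from the stated policy, flags hosts that missed it, and buckets exploitation-log events by days since the preceding Patch Tuesday. The inventory fields, the log line format and the 48-hour reading of "24-48 hours" are my assumptions, and all sample data is constructed.

```python
from collections import Counter
from datetime import date, timedelta

# Day budgets encoding the deployment policy stated in the post. The 48-hour
# figure is the upper end of the post's "24-48 hours" range (my choice).
OWN_INFRA_DAYS = 3              # own infrastructure: within 72 hours
CLIENT_DEFAULT_DAYS = 7         # client estates: 7-day default
CLIENT_NETWORK_FACING_DAYS = 2  # remotely exploitable, network-facing services


def patch_tuesday(year, month):
    """Second Tuesday of the given month (weekday(): Monday=0, Tuesday=1)."""
    first = date(year, month, 1)
    to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)


def previous_patch_tuesday(d):
    """Most recent Patch Tuesday on or before date d (rolls back across January)."""
    pt = patch_tuesday(d.year, d.month)
    if d < pt:
        year, month = (d.year - 1, 12) if d.month == 1 else (d.year, d.month - 1)
        pt = patch_tuesday(year, month)
    return pt


def deployment_deadline(pt, estate, network_facing):
    """Date by which a host must be patched under the post's policy."""
    if estate == "own":
        return pt + timedelta(days=OWN_INFRA_DAYS)
    days = CLIENT_NETWORK_FACING_DAYS if network_facing else CLIENT_DEFAULT_DAYS
    return pt + timedelta(days=days)


def overdue_hosts(inventory, pt, today):
    """Names of affected hosts that missed, or have not yet met, their deadline."""
    overdue = []
    for host in inventory:
        if not host["affected"]:
            continue  # not running an affected service; nothing to deploy
        deadline = deployment_deadline(pt, host["estate"], host["network_facing"])
        patched_on = host["patched_on"]
        if patched_on is not None:
            breached = patched_on > deadline   # deployed, but late
        else:
            breached = today > deadline        # still unpatched past the deadline
        if breached:
            overdue.append(host["name"])
    return overdue


def days_after_patch_tuesday(log_lines):
    """Histogram of exploitation events keyed by days since the preceding Patch Tuesday."""
    counts = Counter()
    for line in log_lines:
        event_day = date.fromisoformat(line[:10])  # assumed ISO date prefix
        counts[(event_day - previous_patch_tuesday(event_day)).days] += 1
    return dict(counts)


# Constructed sample inventory and review date for the November 2003 cycle.
PT_NOV_2003 = patch_tuesday(2003, 11)
SAMPLE_TODAY = date(2003, 11, 18)
SAMPLE_INVENTORY = [
    {"name": "own-web01", "estate": "own", "network_facing": True,
     "affected": True, "patched_on": date(2003, 11, 13)},
    {"name": "own-file01", "estate": "own", "network_facing": False,
     "affected": True, "patched_on": date(2003, 11, 20)},
    {"name": "client-mail01", "estate": "client", "network_facing": True,
     "affected": True, "patched_on": None},
    {"name": "client-ws17", "estate": "client", "network_facing": False,
     "affected": True, "patched_on": None},
    {"name": "client-print01", "estate": "client", "network_facing": False,
     "affected": False, "patched_on": None},
]

# Constructed exploitation-log lines: ISO date, time, then free-form fields.
SAMPLE_LOG = [
    "2003-11-03 22:41:10 sig=constructed-probe-A src=192.0.2.10",
    "2003-11-12 03:14:00 sig=constructed-probe-B src=192.0.2.11",
    "2003-11-15 08:02:33 sig=constructed-probe-B src=192.0.2.12",
    "2003-11-15 09:17:45 sig=constructed-probe-B src=192.0.2.13",
    "2003-11-29 17:55:02 sig=constructed-probe-C src=192.0.2.14",
]

if __name__ == "__main__":
    print("Patch Tuesday, November 2003:", PT_NOV_2003)
    print("Overdue on", SAMPLE_TODAY, ":",
          overdue_hosts(SAMPLE_INVENTORY, PT_NOV_2003, SAMPLE_TODAY))
    print("Events by days after Patch Tuesday:", days_after_patch_tuesday(SAMPLE_LOG))
```

A host that is affected but unpatched only becomes overdue once the review date passes its deadline, so the client workstation on its 7-day budget is not flagged on the 18th while the network-facing mail host on its 48-hour budget is. The histogram is the raw material for the month-over-month comparison the post describes: an early cluster of events a few days after the second Tuesday is the signal that argues for tightening next month's budgets.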
What I expect
Two predictions.
The rhythm continues without disruption. 95%, deadline end of 2004. Microsoft's commitment is real; the operational benefits compound; the trajectory will continue.
At least one further out-of-band advisory before year-end. 60%, deadline 31 December 2004. Specific severe vulnerabilities will continue requiring out-of-band treatment. The exception is bounded; the rhythm is not.
For my own writing: continued tracking of the pattern. The rhythm is now part of the operational landscape; specific events test it.
More in time.