Question

I am managing 2 SharePoint 2013 servers, which are installed on Windows Server 2008 R2, as follows:

  1. Dev Farm, which has both SQL Server & SharePoint on the same VM.
  2. Live Farm, which has 2 VMs: SharePoint & SQL Server.

Now I am facing this problem:

  1. Our system admin patches our servers each month.
  2. What they do is install the patches from this link https://technet.microsoft.com/en-us/security/bulletin, which contains Windows, Office & SharePoint security updates.

  3. This is part of our security policy, to make sure our servers, Dev & Live, have the latest security updates.

  4. My problem is that these patches sometimes contain SharePoint security updates, and installing these updates will mainly update some SharePoint features, which might cause unexpected problems.
  5. Mainly because some SharePoint security updates, such as https://support.microsoft.com/en-us/kb/2965219, include non-security fixes.

Currently I am approaching these patches as follows:

  1. I inform our system admin to install the patches on our Dev machine first.
  2. Then I run the SharePoint product configuration wizard.
  3. After that I test all the site collections + managed services (we have Managed Metadata & Search) + layout.
  4. If I find any problem, we will not patch the live server unless I fix any problem on Dev. If my test did not find any problem, we patch our live server, then I run the product configuration wizard and do a smoke test.

The problems with my current approach:

  1. It is really time consuming; sometimes I spend 2 days doing a full test on Dev.
  2. Sometimes SharePoint security updates will change the farm build number. For example, in our case, the last time I installed a full CU was in October 2014 (since it contained fixes for problems we were facing), and I got this farm build number: 15.0.4659.1001. After that I have never applied any full CU, but we have been patching our servers each month, and this resulted in upgrading our farm from 15.0.4659.1001 (Oct 2014) to 15.0.4763.1000 (Oct 2015). So now our farm has the Oct 2015 farm build number 15.0.4763.1000, although we have not installed the related full CU.

So can anyone advise on these points:

  1. Is it a valid and recommended approach to install all the security patches from this link https://technet.microsoft.com/en-us/security/bulletin each month? Or should we exclude SharePoint updates?
  2. Do I need to install a full CU after any SharePoint security patches? Or is my current approach valid?
  3. Will my farm get corrupted or hard to track if I keep installing SharePoint security updates in this way?

Solution

You already found out a lot of stuff regarding security updates, CUs and version number increments. There's nothing wrong in your post, but I would like to add some comments, especially to your questions:

  1. It is valid to install security patches for Windows, including SharePoint-specific security updates (if there's one available that month). Theoretically this shouldn't break things. But Microsoft is not perfect in providing patches, and sometimes they publish buggy updates. One example just occurred some weeks ago. Security patch MS16-004 broke a lot of farms at our customers. More information on that example can be found here: http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=616. So testing is also recommended for security updates. Or wait with installation until others did that for you :-)

  2. You do not have to install a CU after applying security updates, even if they increment your farm version. If you want to install a CU, you should use one that increments your farm version again. I have seen problems with the version check if you do not do so (i.e. if you install a security fix that brings your farm version to January 16 CU level, you should minimally install February CU to be fine).

  3. As described, your way to patch the farm is valid. But because of the possibility of a buggy patch, things might break unexpectedly.

One EXCELLENT source for SharePoint patches is the list from Todd Klindt: http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=346. Read 'Bugs, Notes and Regressions' to find the errors that hurt a lot of people.

My standard recommendation is to install only CUs one or two times per year and to exclude SharePoint security updates in the monthly patchday (just install 'Windows-generic' security updates). SharePoint security updates can mostly be excluded via WSUS if you exclude the 'Office' category for your SharePoint server. But I can understand if your company policy forces you to update your servers AND applications shortly after a hotfix is released. A lot of people also apply this policy if they publish their farm to the internet. Then you have to live with that unsureness or take the time for testing.

Other tips

While it is recommended to install security updates as soon as possible, you will need to evaluate the security risk of not installing a particular security patch. This is something we will not be able to help you with.

You do not need to install the Cumulative Update if you do not wish to install it.

Yes, some non-CUs increment the farm build number due to an updated copy of Microsoft.SharePoint.dll. Other security patches may only deploy new JavaScript or ASPX files, etc. which would not increment the farm build number.
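
The checks discussed in the answers above (farm build number after monthly patching, a pending configuration wizard run, and whether a planned CU would raise the farm version again) can be collected in one script. This is an added example, not code from the original posts; `$PlannedCuBuild` is an assumed parameter holding the build number published for the CU you intend to install.

```powershell
# Added example, not part of the original posts.
# Run in an elevated shell on a SharePoint 2013 server in the farm.
# $PlannedCuBuild (assumed parameter): build number of the CU under consideration.
param(
    [Parameter(Mandatory = $true)]
    [version]$PlannedCuBuild
)

# Load the SharePoint cmdlets only if the shell does not have them yet.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction Stop
}

# Current farm build, e.g. 15.0.4763.1000 in the question above.
$farmBuild = (Get-SPFarm).BuildVersion

# SharePoint servers whose binaries were patched but not yet upgraded
# (product configuration wizard still to be run). Role 'Invalid' marks
# non-SharePoint machines such as the SQL Server VM.
$pendingServers = Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' -and $_.NeedsUpgrade } |
    Select-Object -ExpandProperty Address

# Databases whose schema is behind the installed binaries.
$pendingDatabases = Get-SPDatabase |
    Where-Object { $_.NeedsUpgrade } |
    Select-Object -ExpandProperty Name

# One record to keep with the change ticket for each patch cycle.
[pscustomobject]@{
    CheckedAt         = Get-Date
    FarmBuild         = $farmBuild
    PlannedCuBuild    = $PlannedCuBuild
    # False means the CU would not increment the farm version, the case
    # the accepted answer warns about.
    CuRaisesFarmBuild = ($PlannedCuBuild -gt $farmBuild)
    PendingServers    = @($pendingServers)
    PendingDatabases  = @($pendingDatabases)
}
```

Running it on Dev before and after each patch cycle gives a record of when security updates moved the farm build without a CU being installed.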

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange