Since its emergence early this decade, patch management has become "operationalized," says Ronni Colville, an analyst at Gartner. For instance, the function is being subsumed into PC configuration management vendors' suites, such as Symantec (Altiris) and Avocent (LanDesk). However, she says, in most cases, these systems don't offer the richness of capability provided by point solutions.

Also see Patch Management Systems: Evaluation Criteria and Capabilities

Three main players remain in the point solution market: BigFix, Lumension and Shavlik. Still, Colville says, "no vendor can make a full business on just patch management, so they've brought in other functions." For instance, BigFix has broadened its security focus to include more configuration functions (such as inventory and software distribution), she says, while Lumension and Shavlik have begun to include functions such as security configuration, endpoint vulnerability assessment, and data leakage prevention.

Meanwhile, some companies continue to use Microsoft Windows Server Update Services (WSUS) to patch Windows operating systems and applications because it's free, but it's also more manually intensive.

Patch Management Package Selection: Two Prime Considerations

Configuration management versus patch management. A primary decision is whether to turn to a configuration management system for its patch capabilities or to a point product that may or may not also offer configuration capabilities. According to Colville, the reasons organizations choose the latter is they're not ready to commit to a full lifecycle configuration suite, or their current configuration management tools don't provide a best-of-breed patch management capability. The trade-off of having both in your environment, of course, is the need to deal with multiple agents and consoles.

Eric Maiwald, an analyst at Burton Group, suggests first evaluating your configuration management system for its patch management capabilities, since it might be advantageous and less expensive to maintain the same architecture for both functions, especially if it already works well in your environment. However, if you change your mind, the functionality will be more difficult to remove because the single-vendor approach means the software is embedded more deeply into your architecture.

Agent versus agentless. As Shavlik explains, agentless systems are based on push technology and on a centralized design. Server-based software scans the machines in the enterprise and initiates all actions on those machines. With agent-based solutions, client-based software scans the machine and communicates its findings back to the central console.