When it comes to applying software patches, you can either stay up to date and apply patches as they become available (preventive), or you can ignore the patches and, if you happen to run into a problem, apply the patches you think might fix it (reactive).
When it comes to Windows (or operating systems in general) and virus-scanning software, I think most people are preventive, and I would sure hope most companies are as well. You need to keep up with all the security patches, and with new viruses popping up every day you certainly want to keep your virus software updated. Bottom line, I think that when it comes to security most people will keep up with updates and patches.
Now, what I think may be a problem (I'm not sure if this is true, it's just what I've seen) is that most other software patches are installed reactively. Why is that? Well, because most people are probably of the opinion that 'if it ain't broke, don't fix it'. I certainly am that way with most software. I never install the latest video drivers unless I have problems. I never patch any software if I don't have to. And this may be even more true for companies running production environments. They certainly don't want to install patches that may break code or software running on that system. If the system is working and everything is fine, why waste time and money and potentially break things?
While this seems to be true, I'm not sure I like it. If you later run into problems, I guarantee you'll waste more time and money trying to figure out what the problem is and which patches you need to install. Then you need to keep track of which patches you have and haven't installed in case you need to replicate the system. And most likely, at some point you will have to install patches anyway, at which point you will have to fix code if it breaks.
If you are installing patches preventively and something breaks, you can just roll back the patch. Most patches I’ve seen can be uninstalled. You can then take the time, at your leisure, to fix whatever issues you have and re-install the patch once everything’s working.
If you are reactively installing patches, it means you are fixing something that’s already broken. At this point, if you introduce new problems, you’re in trouble either way. Uninstall the patch and you still have your original issue, or take the time right then and there to fix the new issues.
If you are having new problems, what do you do? Do you try to find which patch fixes that particular issue and install only that patch, or do you just install all of them to make sure you’re up to date?
If you’re only installing patches that fix certain issues, you’ll have to keep track of what patch was installed for what issue in case you need to replicate/rebuild the system. If you decide to install all patches you could potentially aggregate multiple issues that each patch could be causing (rather than dealing with each patch individually as it gets released and installed).
I think I’m leaning more towards the preventive way. Reactive patching, while it seems good at the time, can be messy when it all hits you at once. It can be really bad when you deal with software that has lots of patches (*cough* Crystal *cough*). And what's even worse is when you have multiple environments and you don’t keep track of which patches were installed where. Sometimes an issue appears in one environment and not another, and you may forget to apply patches to environments that don’t necessarily need them. Install up-to-date patches preventively and you wouldn’t have this problem, methinks!
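As an added example (not code from the original post), here is a small Python script that keeps the kind of per-environment patch record the post argues for and answers two questions from it: which environments are missing patches that other environments already have (the "which patches were installed where" problem), and which recently installed patches are the first rollback candidates when a batch of patches breaks something. The environment names, patch identifiers and install dates are constructed sample data; the `patch_drift` and `rollback_candidates` function names are my own.

```python
"""Per-environment patch inventory: drift report and rollback candidates.

Constructed example; environments, patch ids and dates are made up.
Dates are ISO-8601 strings (YYYY-MM-DD) so plain string comparison
orders them correctly.
"""

# Constructed sample inventory: environment -> {patch id: install date}
INVENTORY = {
    "dev":  {"KB-1001": "2024-01-10", "KB-1002": "2024-02-03", "APP-3.1.4": "2024-02-20"},
    "test": {"KB-1001": "2024-01-12", "APP-3.1.4": "2024-02-21"},
    "prod": {"KB-1001": "2024-01-15"},
}


def record_patch(inventory, env, patch_id, install_date):
    """Record that patch_id was installed in env on install_date.

    Creates the environment entry if it does not exist yet, so a new
    environment can be tracked from its first patch onwards.
    """
    inventory.setdefault(env, {})[patch_id] = install_date


def patch_drift(inventory):
    """Return {env: sorted list of patches present elsewhere but missing here}.

    The union of every environment's patches is the reference set; an
    environment that lacks any of them has drifted from the others.
    """
    all_patches = set()
    for patches in inventory.values():
        all_patches.update(patches)
    return {
        env: sorted(all_patches - set(patches))
        for env, patches in inventory.items()
    }


def rollback_candidates(inventory, env, since):
    """Patches installed in env on or after `since`, newest first.

    When a batch of patches breaks something, the most recently installed
    patch is the first one to try uninstalling; walking this list in order
    narrows down the culprit one patch at a time.
    """
    recent = [
        (patch_id, date)
        for patch_id, date in inventory.get(env, {}).items()
        if date >= since
    ]
    # Newest first; ties broken by patch id so the order is deterministic.
    return sorted(recent, key=lambda item: (item[1], item[0]), reverse=True)


def drift_report(inventory):
    """Human-readable drift summary, one line per environment."""
    lines = []
    for env, missing in patch_drift(inventory).items():
        status = ", ".join(missing) if missing else "up to date"
        lines.append(f"{env}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(drift_report(INVENTORY))
    print("rollback order for dev since 2024-02-01:")
    for patch_id, date in rollback_candidates(INVENTORY, "dev", "2024-02-01"):
        print(f"  {patch_id} (installed {date})")
```

Run it as-is to see the drift report for the constructed inventory; in practice you would feed `record_patch` from whatever your patch tool reports after each install so the record is written at patch time rather than reconstructed later.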