I suggest you check out the Tech Support Hot Fix Site if you haven't done so already and in particular the hot fix guide: http://ftp.sas.com/techsup/download/hotfix/hotfix.html

In general, hot fixes are not mandatory. In my experience they are only worthwhile applying if they address problems frequently experienced with SAS at your organisation. One sensible strategy is to apply maintenance at regular intervals (upgrade maintenance level) say every 2 or 3 years and apply all relevant hot fixes at the same time. How often you do this may depend on your company's maintenance policies.

I agree with @SASKiwi , my experience over the years have been the same. There are no hard and fast rules. Definitely apply major version numbers e.g. 9.3 to 9.4 and maintenance packs e.g. M5 to M6. Hot fixes generally you'll apply if you have a specific problem and there is an identified fix for it.

Also keep an eye on the SAS Security Bulletins page for security alerts and associated fixes: 

https://support.sas.com/en/security-bulletins.html

Hi @_Nobody_ ,

great question. While I generally agree with @nhvdwalt  and @SASKiwi , I would say:

• it your / your company decision. 
• I would make the SAS Platform  to follow the general patches policies at your company: make it standard and not let any application be an exception
• as such, you will need to identify which bits of SAS are more or less critical: were do you find more complains from users, what is more exposed to possible security attacks (such as public Web applications) and receiving security audits, etc
• and identify the availability and kind of availability your system must provide: 99.5% 80% with or without planned downtimes?
• SAS maintenances is like upgrading the system to minor versions ... hence more than patche/hotfixess, ir more like migrations, even if they are not big or just upgrades-in-place. Hence, yes, every year or couple of years are OK. Nevertheless, yes, they would bring a lot of patches on them.
• In regards of hotfixes ... if you plan to apply them, do not let a lot of time to pass between them or between an installation/upgrade and application of hotfixes (normally no more than 4-6 months): they can be too many and many of them might require manual actions, prone to human errors especially if the amount is large. If the list is big, ask when the next maintenance is available: probably a maintenance would be worth it.
• Every month, get the report of available hotfixes, just to review the report and identify if there is something interesting/useful. It costs close to nothing in effort and it will help you to be pro-active with your community of SAS users and managers.
• If you have security audits or web applications exposed to the outside world or secured communications across SAS services (SSL, TLS) or from SAS to other services, indeed, good idea to pay attention to the security bulletins on a daily or weekly basis, and those SAS hotfixes report I mentioned earlier. It will help you as well to be proactive with your stakeholders. Don't wait until you receive a Security Audit, in certain cases, it might be too late.
• Keep your stakeholders informed of your montly and/or weekly/daily advise/alerts in regards of recommended hotfixes to apply and their impact. And, perhaps, of the other available hotfixes, to give them the chance to identify if any of them might be interesting. We administrators are generally more technical and, even if we want to be closer to the business, we tend to separate ourselves from the functional needs a bit. Hence it might be a good idea to let a key/power users from the functional team to evaluate together with you.

Again, these are my suggestions as individual and based on my experience with small, medium and large SAS platforms. I hope it can help, perhaps with just perspective.

Once you take some decisions, please let us know which ones you took. I think your perspective will help other SASAdmins. 🙂

Best regards,

Juan

I forgot to answer your last question.

There is not such thing as "mandatory" hotfix. You decide what must be mandatory.

But the hotfix report will let you know which ones are Critical, because they might resolve a major issue in the software: such as security, or stability.