I am new to SAS.
May I know what is the best practice for Patch Management?
I have subscribed to the communities for the hotfix newsletter alert.
I assumed that I do not have to apply all hotfixes each time a new hotfix is available?
If there is a fix that is mandatory, the newsletter will say so?
I suggest you check out the Tech Support Hot Fix Site if you haven't done so already and in particular the hot fix guide: http://ftp.sas.com/techsup/download/hotfix/hotfix.html
In general, hot fixes are not mandatory. In my experience they are only worthwhile applying if they address problems frequently experienced with SAS at your organisation. One sensible strategy is to apply maintenance at regular intervals (upgrade maintenance level) say every 2 or 3 years and apply all relevant hot fixes at the same time. How often you do this may depend on your company's maintenance policies.
I agree with @SASKiwi, my experience over the years has been the same. There are no hard and fast rules. Definitely apply major version numbers, e.g. 9.3 to 9.4, and maintenance packs, e.g. M5 to M6. Hot fixes generally you'll apply if you have a specific problem and there is an identified fix for it.
Also keep an eye on the SAS Security Bulletins page for security alerts and associated fixes:
Hi @_Nobody_,
Great question. While I generally agree with @nhvdwalt and @SASKiwi, I would say:
- It is your / your company's decision.
- I would make the SAS Platform follow the general patch policies at your company: make it standard and do not let any application be an exception.
- As such, you will need to identify which bits of SAS are more or less critical: where do you find more complaints from users, what is more exposed to possible security attacks (such as public Web applications) and receiving security audits, etc.
- And identify the availability and kind of availability your system must provide: 99.5%, 80%, with or without planned downtimes?
- SAS maintenance is like upgrading the system to minor versions ... hence, more than patches/hotfixes, it is more like migrations, even if they are not big or just upgrades-in-place. Hence, yes, every year or couple of years is OK. Nevertheless, yes, they would bring a lot of patches with them.
- In regard to hotfixes ... if you plan to apply them, do not let a lot of time pass between them or between an installation/upgrade and application of hotfixes (normally no more than 4-6 months): they can be too many and many of them might require manual actions, prone to human errors especially if the amount is large. If the list is big, ask when the next maintenance is available: probably a maintenance would be worth it.
- Every month, get the report of available hotfixes, just to review the report and identify if there is something interesting/useful. It costs close to nothing in effort and it will help you to be pro-active with your community of SAS users and managers.
- If you have security audits or web applications exposed to the outside world or secured communications across SAS services (SSL, TLS) or from SAS to other services, indeed, it is a good idea to pay attention to the security bulletins on a daily or weekly basis, and that SAS hotfixes report I mentioned earlier. It will help you as well to be proactive with your stakeholders. Don't wait until you receive a Security Audit; in certain cases, it might be too late.
- Keep your stakeholders informed of your monthly and/or weekly/daily advice/alerts in regard to recommended hotfixes to apply and their impact. And, perhaps, of the other available hotfixes, to give them the chance to identify if any of them might be interesting. We administrators are generally more technical and, even if we want to be closer to the business, we tend to separate ourselves from the functional needs a bit. Hence it might be a good idea to let key/power users from the functional team evaluate together with you.
Again, these are my suggestions as an individual and based on my experience with small, medium and large SAS platforms. I hope it can help, perhaps with just perspective.
Once you take some decisions, please let us know which ones you took. I think your perspective will help other SASAdmins. 🙂
Best regards,
Juan
I forgot to answer your last question.
There is no such thing as a "mandatory" hotfix. You decide what must be mandatory.
But the hotfix report will let you know which ones are Critical, because they might resolve a major issue in the software: such as security, or stability.