MS Critical Updates and client management

["O'Callaghan, Daniel" <Daniel.OCallaghan () SINCLAIR EDU>]

I've searched the archives and effective practices, but haven't found anything specific to this issue.
I'm looking for input on effective practices for MS Critical Update deployment, specifically the timelines from MS 
release to client
deployment.
The majority of clients that authenticate to our domain are configured using standard "images" based on the systems' 
intended use.
We recently began using SUS to update clients, and it appears effective, but there is disagreement over when the 
updates should be
pushed.
Simplified, there are two schools of thought: 
1. All client updates/patches should be installed and vetted on all standard client image configurations in our test 
lab for 5-6
days prior to deployment as the risk and potential impact of a patch breaking something is greater than the risk of an 
exploit
within this timeframe.  
2. Critical updates should be installed and vetted on the most common client image configurations in our test lab for 
1-2 days prior
to deployment as the risk and potential impact of an exploit (as we approach the zero day) is greater than the patch 
breaking
something.
 
I realize this is an oversimplification of an industry-wide dilemma,  but am looking for the groups' input as to the 
current risk
balance for effective practice.  
Or have we become so polarized that we are missing something? (Abandoning MS is not a viable option) 
 
 
Daniel V. O'Callaghan, Jr., CISSP
Information Security Officer
Sinclair Community College
444 West Third Street, 14-002
Dayton, Ohio 45402-1460
937-512-2452
daniel.ocallaghan () sinclair edu
 

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.