Even when an update has been out for a few days and problems have already been reported, software vendors can be slow to acknowledge those problems, much less fix them.

In some cases it’s due to simple laziness, cost, or a distaste for change, but I’ve heard many XP holdouts say that they didn’t want to buy a new computer and were afraid upgrading the ones they have would “break things.” Microsoft’s own Security Patches Best Practices documentation on the TechNet web site states that “the risk of implementing the service pack, hotfix and security patch should always be less than the risk of not implementing it” and goes on to say “You should never be worse off by implementing a service pack, hotfix and security patch. If you are unsure, then take steps to ensure that there is no doubt when moving them to production systems.”

Unfortunately, it seems many of their customers are unsure these days.

So what are the steps you need to take to ensure there is no doubt?

Obviously sticking your head in the sand and ignoring all updates out of fear that one will crater your systems isn’t the wisest course of action.

That’s why many have begun to take a “wait and see” approach, delaying patch installation for a week or two in order to let someone else be the “guinea pig.” Then, if no major problems emerge in the tech press after that time, they’ll go ahead and roll out the patches to their own machines.

Another advantage of waiting: if the software vendor promptly issues new patches, or “fixes the fixes,” after problems are identified, those who already applied the original patch often have to uninstall it before they can install the new one, which is a major pain point that late adopters avoid.

In many cases, updates need to be applied in a particular order.

The official documentation for the update (for example, in the case of Microsoft security updates, the associated Security Bulletin and KB article) sometimes doesn’t tell the whole story.

Some software vendors provide more documentation than others, but most put out at least a minimal explanation of which vulnerabilities are being addressed, which software components are involved, and what the prerequisites for installing the patch are.

Often problems could have been avoided if the user or IT admin had simply read all of the documentation before applying the updates.
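The “wait and see” deferral, the hold on patches with reported problems, and the prerequisite ordering described above can be combined into one approval step before anything is pushed to production. The script below is an added example, not code from the original article or from Microsoft: it takes a constructed update catalog (the KB-SAMPLE-* identifiers, dates, prerequisites and “problems reported” flags are all made up for illustration), holds back anything still inside the deferral window or with known issues, propagates those holds to updates that depend on them, and emits the remaining approvals in prerequisite order (earliest release first where there is no dependency). A circular prerequisite chain is held rather than guessed at.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class Update:
    kb: str                      # vendor identifier (constructed values below)
    released: date               # date the vendor published it
    prerequisites: List[str] = field(default_factory=list)
    known_issues: bool = False   # problems reported in the tech press / by the vendor


def plan_rollout(catalog: List[Update], today: date, defer_days: int = 14,
                 installed: FrozenSet[str] = frozenset()) -> Tuple[List[str], Dict[str, str]]:
    """Return (approved KBs in install order, {held KB: reason})."""
    by_id = {u.kb: u for u in catalog}
    held: Dict[str, str] = {}

    # Pass 1: the "wait and see" window and the hold on patches with reported problems.
    for u in catalog:
        if u.kb in installed:
            continue
        if u.known_issues:
            held[u.kb] = "problems reported; wait for the vendor to re-release"
        elif u.released + timedelta(days=defer_days) > today:
            held[u.kb] = f"inside the {defer_days}-day deferral window"

    # Pass 2: an update whose prerequisite is held, or unknown, is held too.
    # Repeat until no new holds appear, so holds propagate down long chains.
    changed = True
    while changed:
        changed = False
        for u in catalog:
            if u.kb in installed or u.kb in held:
                continue
            for p in u.prerequisites:
                if p in installed:
                    continue
                if p not in by_id:
                    held[u.kb] = f"prerequisite {p} not in catalog"
                elif p in held:
                    held[u.kb] = f"prerequisite {p} is held"
                else:
                    continue
                changed = True
                break

    # Pass 3: topological order (Kahn's algorithm) over the approved set so that
    # prerequisites always precede the updates that need them.
    approved = [u for u in catalog if u.kb not in installed and u.kb not in held]
    remaining = {u.kb: {p for p in u.prerequisites if p not in installed} for u in approved}
    order: List[str] = []
    while remaining:
        ready = sorted((kb for kb, deps in remaining.items() if not deps),
                       key=lambda kb: (by_id[kb].released, kb))
        if not ready:
            # Every remaining update waits on another remaining one: a cycle.
            for kb in remaining:
                held[kb] = "circular prerequisite chain; check the documentation"
            break
        for kb in ready:
            order.append(kb)
            del remaining[kb]
            for deps in remaining.values():
                deps.discard(kb)
    return order, held


# Constructed sample catalog; identifiers and dates are illustrative only.
SAMPLE_TODAY = date(2014, 5, 1)
SAMPLE_INSTALLED = frozenset({"KB-SAMPLE-0"})
SAMPLE_CATALOG = [
    Update("KB-SAMPLE-1", date(2014, 4, 8)),
    Update("KB-SAMPLE-2", date(2014, 4, 8), prerequisites=["KB-SAMPLE-1"]),
    Update("KB-SAMPLE-3", date(2014, 4, 25)),                      # too new
    Update("KB-SAMPLE-4", date(2014, 4, 8), known_issues=True),    # "fix" being re-fixed
    Update("KB-SAMPLE-5", date(2014, 4, 8), prerequisites=["KB-SAMPLE-4"]),
    Update("KB-SAMPLE-6", date(2014, 3, 11), prerequisites=["KB-SAMPLE-0"]),
]


def demo() -> Tuple[List[str], Dict[str, str]]:
    return plan_rollout(SAMPLE_CATALOG, SAMPLE_TODAY, installed=SAMPLE_INSTALLED)


if __name__ == "__main__":
    order, held = demo()
    print("approve, in order:", order)
    for kb, reason in held.items():
        print(f"hold {kb}: {reason}")
```

Run as a script it approves KB-SAMPLE-6, KB-SAMPLE-1 and KB-SAMPLE-2 in that order and holds the other three with a reason each. The reasons are deliberately returned rather than just printed so that a change-control ticket or report can carry them; the deferral window and the installed set are parameters because the right window differs between a test ring and production.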

Following a number of recent high-profile “patch fiascos,” IT departments (and individuals) have become wary of allowing automatic installation of security (and other) updates, lest the “fix” prove to cause more trouble than it’s worth.