Is It Patched Or Is It Not?

Patch management tools may produce conflicting results. A single host may be found to be missing a patch by one tool and not missing that same patch by another. The patch management strategy within our organization calls for using one tool to deploy patches and another for validating that patches have been installed. Discrepancies between the tools are frequent enough that using just one tool is clearly not adequate. Is the patch applied or isn't it? Should it be? How do we know? Software vendors answer these questions in their advisories. Patch management vendors compile metadata that contains the logic to determine whether a patch is applicable to and installed on a host. Their tools analyze files, the registry, and host configuration settings against their metadata. The result is a patch applicability and installation status report. A disagreement amongst tools can leave an organization asking the same questions software vendors have already answered.