Hello everyone! My name is Dan Conley and I am a Program Manager on the SMS/SCCM Sustained Engineering team. One of the many areas I am responsible for is the monthly "Patch Tuesday" processes for the SMS team. This means that my team tests and validates that all of the SMS Patch tools can successfully detect and deploy that month's security updates prior to their release.
As the inaugural post of this blog, I thought I would answer a question that I get a lot: "What are all of the Patch Scan tools that SMS 2003 supports, and when should I use one vs. the other?"
SMS 2003 supports the following software update (a.k.a. patch) scan tools:
Security Update Inventory Tool (SUIT) - This was the first "generation" of the SMS scan tools and is based on the MBSA 1.2.1 scan engine.
Office Inventory Tool for Updates (ODT) - This scan tool is based on the Office Updates Detection Tool (ODT) from the Office Deployment Resource Kit. This is also the same technology that the standalone version of MBSA 1.2.1 uses for its Office update detection.
Both of the above scan tools are bundled together and are collectively called the "Systems Management Server 2003 Service Pack 1 Scan Tools". Don't be confused by the name, as both of these tools work just fine on SMS 2003 SP2 and SMS 2003 SP3.
Extended Security Update Inventory Tool (ESUIT) - This scan tool is based on the standalone Enterprise Scan Tool (EST). The MBSA 1.2.1 scan engine has a hard-coded list of products it can support. Therefore, we were forced to create a tool to "fill the gaps", so to speak. The ESUIT fills that gap. Unlike the SUIT or ODT, which will automatically (in the default configuration) "sync" a new catalog every month, the ESUIT must be downloaded and installed on the site servers in order to ensure you are scanning with the latest catalog.
The combination of the SUIT, ODT and ESUIT will provide SMS 2003 customers with complete Microsoft Security Update detection and deployment coverage for all but the latest products.
This is important: Due to the limited architecture of these legacy scan tools, most new products are not supported, for example Windows Vista, Internet Explorer 7, SQL Server 2005, Exchange 2007, etc. Check out the MBSA home page for the latest product list and information.
Inventory Tool for Microsoft Updates (ITMU) - This is the latest generation of security update scan tools for SMS 2003. It is based on the Microsoft Update offline catalog, and contains security updates, update rollups, and service packs for all products supported by WSUS. ITMU was designed to replace the need for the original 3 separate scan tools, and allow SMS admins to only have to manage one scan tool.
If all of the products in your environment are currently supported by WSUS, then you can (and should) only use ITMU as your security update tool for SMS 2003.
The most common caveat that I see is that some customers still need to support Office 2000 in their environment, and ITMU does not support Office 2000 updates. In these cases, you have a few options, but all of the scan tools can coexist; therefore, it is possible to run ITMU for everything, and just use the ODT for the machines that are still running Office 2000.