How to use HotPatching to install security updates for Windows Server 2003 Service Pack 1

This step-by-step article describes how to determine whether a security update supports HotPatching, how to set up an environment to test HotPatching, and how to install security updates that use HotPatching.

If you use HotPatching, you can install General Distribution Release (GDR) security updates on servers that run 32-bit versions of Microsoft Windows Server 2003 Service Pack 1 (SP1), without restarting the servers.

Note Not all security updates support HotPatching, and some security updates that support HotPatching might require that you restart the server after you install the security updates. Before you use HotPatching to deploy a security update in a production environment, you must determine whether the security update that you want to install supports HotPatching and you must evaluate the security update installation in a comparable test environment.

How to identify HotPatching compatibility

HotPatching is compatible with security updates that provide isolated fixes for individual functions. HotPatching is not compatible with security updates that update several interdependent functions.

To evaluate whether a security update uses HotPatching, follow these steps:

1. Test whether the security update package supports HotPatching. To do this, follow these steps:
   1. Read the Microsoft Knowledge Base article that is associated with the security update. You can potentially use HotPatching to install the security update if the article specifies that you can do this. You cannot use HotPatching to install the security update if the article so specifies or if the article does not mention HotPatching.
   2. Examine the contents of the security update package. You can potentially use HotPatching to install the security update if the security update package includes files that have ._hp file name extensions. For more information about how to extract security update packages, click the following article number to view the article in the Microsoft Knowledge Base:
      262841 Command-line switches for Windows software update packages
2. Test whether the installed binary file on the computer can be updated by using HotPatching. To do this, follow these steps:
   1. Click Start, click Run, type %windir%\system32, and then click OK.
   2. In the System32 folder, right-click the Authz.dll file, and then click Properties.
   3. Click the Version tab.
   4. Under Other version information, click File Version in the Item name list.
   5. View the value in the Value box. You can use HotPatching to install the security update if the Value box contains one of the following values:
      • (srv03_gdr.######-####)
      • (srv03_rtm.######-####)
      • (srv03_sp#.######-####)
      Note The # symbol denotes the file version numbers.
      
      You cannot use HotPatching to install the security update if the Value box contains the following value:
      • (srv03_qfe.######-####)
   Note Even if you determine that you can use HotPatching to install a security update, you might still have to restart the server after you install that security update. For example, security updates are cumulative. This means that a security update with the version GDR might include an earlier security update that requires that you restart the server. If no security update was installed earlier, the HotPatch enabled package will act identically to security updates that are available today. Also, you might have to restart the server if you install a security update while you are running Rights Management or while debugging a program.
   
   Note HotPatching is not supported in the original release version of Windows Server 2003.
   
   Important To avoid having to restart production servers unexpectedly after you install a security update, you must install the security update in a test environment first, and then make sure that the installation works as you expect.
   
   If you install the security update as an attended installation, a message appears if the installation fails or if you must restart the computer. If no message appears, the installation is successful and you do not have to restart the server. Examine the installation log file if you want to see the installation status. The installation log file is located in the %windir% folder and is named KB######.log where###### is the associated Microsoft Knowledge Base article number.
   
   If you install the security update as an unattended installation, examine the return code or the more comprehensive installation log file for the security update installation status. You must examine these installation status messages every time that you use HotPatching just as you would check to determine the installation status of a general security update. For more related information, see the "How to install a security update by using HotPatching" section.
3. To make sure that the correct user rights are set on the computer, see �Debug Programs� in the �More Information� section of the following Microsoft Knowledge Base article:
   888791 The user rights that are required by Update.exe

Note Some programs may have compatibility issues with HotPatching.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

How to test HotPatching in your environment

Although this release of HotPatching has been tested in a variety of environments, you cannot test all hardware configurations and line-of-business programs that might be present in any particular environment. As with any installation of critical software, we recommend that you test the use of HotPatching with each security update before you deploy the security update to your production servers. Additionally, you might want to test HotPatching on a pilot group of servers to make sure that it works in your environment as you expect. If your servers are set up with different Windows components and have different binary files, HotPatching installation results might vary between servers.

To test HotPatching in your environment, follow these steps:

1. Identify the computers that you will use for testing. The test computers must represent a cross-section of the computers that are in the environment where you plan to install the security update. The computers that you use for the test must be equipped with the software and hardware devices that are typically used in your organization. You must also include a server that has a high computational load.
2. Examine the versions of the binary files that will be updated when you install the security update. Record this information if you want to compare versions after you install or remove the security update.
3. Make sure that the contents of the security update package are clear and complete.
4. Use HotPatching to install the security updates on each test computer just as you would in your production environment. For more information, see the "How to install a security update by using HotPatching" section.
5. If you expect to deploy security updates from remote locations, replicate the installation of those security updates in your test environment in a similar manner.
6. Examine the installation log files that are created during the security update installation.
7. Remove the security updates by using the Add or Remove Programs tool in Control Panel. If you recorded the version numbers of the binary files, make sure that the version numbers are what you expect.
8. Reinstall the security update to make sure that the results match those of the first installation.

How to install a security update by using HotPatching

To install a security update by using HotPatching, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type WindowsServer2003-KB######-x86-LLL.exe /hotpatch:enable, and then press ENTER.
   
   Note###### is the security update number and LLL is the language version of the security update. For example, ENU means English.
3. At the command prompt, type exit, and then pres ENTER.

Important If you install the security update, you receive messages about the success of the installation. You do not receive any messages if you performed an unattended installation, redirected the messages to an installation log file, or both. These messages inform you whether the security update was installed and whether you have to restart the server.

If you performed an unattended installation then you must examine the return code or the installation log file for messages. These messages inform you whether the security update was installed and whether you have to restart the server.

The installation program always returns one of the following error codes:

How to remove a security update

You can remove security updates that were installed by using HotPatching, but you must restart the server.

If you install multiple security updates that each replace the same file and you want to return the computer to its original state, you must remove the most recently installed security update first, the next most recently installed security update second, and so on. For example, assume that you installed security update A, then you installed security update B, and then you installed security update C, and they each replace the same file. To return the computer to the state that it was in before you installed security update A, you must remove security update C first, followed by security update B, and then security update A. If you try to remove the security updates in a different order, you receive a warning that lists all security updates and programs that have been installed since you installed the security update that you are trying to remove. If you ignore the warning and continue, these security updates and programs might not work correctly. For more information about the order of removing security updates, click the following article number to view the article in the Microsoft Knowledge Base: