SQL patches not in patch policy

We have patch policies running on our servers, no major problems with them.

Patch policy will install automatically fixlets that are:

Site: Patches for Windows
Category: Security Updates
Source Severity: Important

I’ve noticed that SQL fixlets that fall into those categories won’t show up in the policies.

Example:

  • MS20-FEB: Security update for SQL Server 2014 SP3 CU4 - SQL Server 2014 SP3 - KB4535288
  • MS19-JUL: Security update for SQL Server 2014 SP2 CU17 GDR - SQL Server 2014 SP2 - KB4505419 (x64)
  • MS18-JAN: Security update for SQL Server 2016 CU - SQL Server 2016 - KB4058559 (x64)

I assume that it’s intentional to not include SQL Server fixlets in patching policies.
Is this correct?

How is it excluded?
I need to know so I can exclude these fixlets from our web reports, and I want to use the same parameters/properties on the fixlets to define them in the reports.
Currently we are using Content-Name does not contain “SQL” but I think that is not specific enough and could lead to false positives/negatives.

With regards
Sigurdur

If I’m not mistaken, one of the requirements for a fixlet to appear in Patch Policies is for it to have a default action… which the SQL Server fixlets do not have.

Thank you for the reply.
This is a new concept for me; I’ve never come across this difference before. Can you please explain what the differences between Actions and Default are?
Is there a specific need for Default Actions?
Why would some Fixlets have Default Actions and others not?

With gratitude
Sigurdur

Here’s some documentation on Default Actions: https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Console/c_actions.html

Basically, if the default action is set, then the action that it points to will be the one that gets executed or set when performing various BigFix activities.

For example, if you were to right click a fixlet, or set of fixlets, in the BigFix console, you would see an option to “Take Default Action”. This makes it easier to deploy a large set of fixlets without having to individually select the action from each fixlet.

Another example would be if you right clicked a set of fixlets in the console and added them to a baseline. In the baseline creation dialog, the actions for each fixlet would automatically be set to the default without having to specify the action you want for each fixlet.

The SQL Server fixlets don’t have a default action because there are two actions that perform differently depending on the SQL Server environment… so it’s unclear what should be the “default”.

1 Like
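Added example, not part of the thread and not BigFix's own code: a Python check that lists fixlets matching the policy filter from the first post but carrying no default action, which is more precise than filtering on "SQL" in the name. It assumes content exported in the BES XML format, where a default action appears as a `DefaultAction` element and other actions as `Action` elements; the sample document and its titles are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a BES content export; titles are placeholders.
SAMPLE_BES = """<BES>
  <Fixlet>
    <Title>Constructed: Windows security update</Title>
    <Category>Security Updates</Category>
    <SourceSeverity>Important</SourceSeverity>
    <DefaultAction ID="Action1"><ActionScript>// install</ActionScript></DefaultAction>
  </Fixlet>
  <Fixlet>
    <Title>Constructed: SQL Server security update</Title>
    <Category>Security Updates</Category>
    <SourceSeverity>Important</SourceSeverity>
    <Action ID="Action1"><ActionScript>// variant A</ActionScript></Action>
    <Action ID="Action2"><ActionScript>// variant B</ActionScript></Action>
  </Fixlet>
  <Fixlet>
    <Title>Constructed: optional rollup</Title>
    <Category>Update</Category>
    <SourceSeverity>Low</SourceSeverity>
    <Action ID="Action1"><ActionScript>// install</ActionScript></Action>
  </Fixlet>
</BES>"""

def without_default_action(bes_xml, category, severity):
    """Fixlets matching the policy filter that have no <DefaultAction>.

    Returns (title, number_of_actions) tuples.
    """
    root = ET.fromstring(bes_xml)
    hits = []
    for fixlet in root.iter("Fixlet"):
        if (fixlet.findtext("Category") or "").strip() != category:
            continue
        if (fixlet.findtext("SourceSeverity") or "").strip() != severity:
            continue
        if fixlet.find("DefaultAction") is None:
            title = (fixlet.findtext("Title") or "").strip()
            hits.append((title, len(fixlet.findall("Action"))))
    return hits

if __name__ == "__main__":
    for title, n in without_default_action(SAMPLE_BES, "Security Updates", "Important"):
        print(f"{title}: no default action, {n} selectable actions")
```

Fixlets reported here are the ones to patch through a separate, manually selected action and to track separately in reports.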

@bma thank you for that detailed answer, it has been a great help.
It has helped me to understand the issue.