If you use HotPatching, you can install General Distribution Release (GDR) security updates on servers that run 32-bit versions of Microsoft Windows Server 2003 Service Pack 1 (SP1), without restarting the servers.
Note Not all security updates support HotPatching, and some security updates that support HotPatching might require that you restart the server after you install the security updates. Before you use HotPatching to deploy a security update in a production environment, you must determine whether the security update that you want to install supports HotPatching and you must evaluate the security update installation in a comparable test environment.back to the top
To evaluate whether a security update uses HotPatching, follow these steps:
- Test whether the security update package supports HotPatching. To do this, follow these steps:
- Read the Microsoft Knowledge Base article that is associated with the security update. You can potentially use HotPatching to install the security update if the article specifies that you can do this. You cannot use HotPatching to install the security update if the article so specifies or if the article does not mention HotPatching.
- Examine the contents of the security update package. You can potentially use HotPatching to install the security update if the security update package includes files that have ._hp file name extensions. For more information about how to extract security update packages, click the following article number to view the article in the Microsoft Knowledge Base:262841 Command-line switches for Windows software update packages
- Test whether the installed binary file on the computer can be updated by using HotPatching. To do this, follow these steps:
- Click Start, click Run, type %windir%\system32, and then click OK.
- In the System32 folder, right-click the Authz.dll file, and then click Properties.
- Click the Version tab.
- Under Other version information, click File Version in the Item name list.
- View the value in the Value box. You can use HotPatching to install the security update if the Value box contains one of the following values:
You cannot use HotPatching to install the security update if the Value box contains the following value:
Note HotPatching is not supported in the original release version of Windows Server 2003.
Important To avoid having to restart production servers unexpectedly after you install a security update, you must install the security update in a test environment first, and then make sure that the installation works as you expect.
If you install the security update as an attended installation, a message appears if the installation fails or if you must restart the computer. If no message appears, the installation is successful and you do not have to restart the server. Examine the installation log file if you want to see the installation status. The installation log file is located in the %windir% folder and is named KB######.log where###### is the associated Microsoft Knowledge Base article number.
If you install the security update as an unattended installation, examine the return code or the more comprehensive installation log file for the security update installation status. You must examine these installation status messages every time that you use HotPatching just as you would check to determine the installation status of a general security update. For more related information, see the "How to install a security update by using HotPatching" section.
- To make sure that the correct user rights are set on the computer, see “Debug Programs” in the “More Information” section of the following Microsoft Knowledge Base article:888791 The user rights that are required by Update.exe
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
To test HotPatching in your environment, follow these steps:
- Identify the computers that you will use for testing. The test computers must represent a cross-section of the computers that are in the environment where you plan to install the security update. The computers that you use for the test must be equipped with the software and hardware devices that are typically used in your organization. You must also include a server that has a high computational load.
- Examine the versions of the binary files that will be updated when you install the security update. Record this information if you want to compare versions after you install or remove the security update.
- Make sure that the contents of the security update package are clear and complete.
- Use HotPatching to install the security updates on each test computer just as you would in your production environment. For more information, see the "How to install a security update by using HotPatching" section.
- If you expect to deploy security updates from remote locations, replicate the installation of those security updates in your test environment in a similar manner.
- Examine the installation log files that are created during the security update installation.
- Remove the security updates by using the Add or Remove Programs tool in Control Panel. If you recorded the version numbers of the binary files, make sure that the version numbers are what you expect.
- Reinstall the security update to make sure that the results match those of the first installation.
- Click Start, click Run, type cmd, and then click OK.
- At the command prompt, type WindowsServer2003-KB######-x86-LLL.exe /hotpatch:enable, and then press ENTER.
Note###### is the security update number and LLL is the language version of the security update. For example, ENU means English.
- At the command prompt, type exit, and then pres ENTER.
If you performed an unattended installation then you must examine the return code or the installation log file for messages. These messages inform you whether the security update was installed and whether you have to restart the server.
The installation program always returns one of the following error codes:
|ERROR_SUCCESS (0)||The security update was installed, and the server does not have to be restarted.|
|ERROR_SUCCESS_REBOOT_REQUIRED (3010)||The security update was installed, but the server has to be restarted.|
|ERROR_INSTALL_FAILURE (1603)||The security update was not installed. Try the installation again.|
If you install multiple security updates that each replace the same file and you want to return the computer to its original state, you must remove the most recently installed security update first, the next most recently installed security update second, and so on. For example, assume that you installed security update A, then you installed security update B, and then you installed security update C, and they each replace the same file. To return the computer to the state that it was in before you installed security update A, you must remove security update C first, followed by security update B, and then security update A. If you try to remove the security updates in a different order, you receive a warning that lists all security updates and programs that have been installed since you installed the security update that you are trying to remove. If you ignore the warning and continue, these security updates and programs might not work correctly.For more information about the order of removing security updates, click the following article number to view the article in the Microsoft Knowledge Base:
Article ID: 897341 - Last Review: 29 Mar 2017 - Revision: 4