Windows Server 2003 Custom Support – Patch Forecast

All good server operating systems come to an end

For those of you who haven’t heard: Microsoft is retiring its Microsoft Windows Server 2003 operating system on July 14. Well, as a matter of fact, Windows Server 2003 has been out of regular end-user support for a while, but Microsoft is finally pulling the plug on it completely. That means that, even for enterprise customers, there are not going to be any more security fixes or patches after July 14. Still, we are going to do a patch forecast for it today. Read on to see how.

Microsoft has been encouraging migration for a while, of course. However, that doesn’t mean everyone is going to be happily migrated on July 14 – for numerous reasons, ranging from legacy business software to lack of license budget. You name it, you’ll find a company having failed to migrate because of it.

So, for those laggards who have a “Premier Support” package going for them, Microsoft is offering extended product support or “Custom Support” (in exchange for quite a large lump sum of money, of course) for Windows Server 2003. There are two options to acquire this custom support: either the “feel happy” variant, where you pay a really large sum of money and get all released patches, or you pay a smaller quarterly sum and then are charged per patch you want to acquire, multiplied by the number of systems you want to install it on. If you only intend to get patches as a “worst case scenario”, the latter option is clearly the cheaper one.

Nonetheless, this comes with multiple hooks attached: for example, only patches for English versions are provided, servers must be fully patched and – the major bummer: you need to install updates yourself. There is no WSUS or anything automating the process, you need to figure out patch deployment on your own. Of course, you can use a product like Microsoft System Center Configuration Manager – but that assumes you already have it deployed beforehand. You don’t want to start rolling out SCCM just for that purpose, really.

To top it all off, there’s another major hook waiting: of course, there’s no guaranteed security for Windows Server 2003 any more. If you intend to buy extended support on a “per-patch” basis, i.e. only for the event that a system gets compromised and you want tools to patch security holes – then you will first need to have some kind of “detection” mechanism in place that actually tells you that there is a problem (think IDS…). Suddenly this whole endeavor becomes more and more like a rabbit hole you’re falling into.

There is no clear-cut answer to the dilemma of dealing with servers running an outdated operating system like Windows Server 2003. And I won’t even try to start giving one – that could probably fill multiple book volumes.

The Patch Forecast

However, if you find yourself in the spot where you’re acquiring custom support for Windows Server 2003, I might have a tidbit of useful information for you. After all, you might be wondering how many patches you can expect to see over the course of the next year – either because you want to estimate the required effort to deploy patches or budget the costs of acquiring patches until you’ve completed migrating or isolating systems.

For this purpose, I’ve done some extrapolation based on historic patch counts. I’ve taken a listing of Microsoft’s patches and fixes that were released for Windows Server 2003 since its inception, and split up their counts by month. This gave me a mean and variance for the number of patches in each month. The resulting patch forecast is in the diagram below.

[Figure: Patch forecast – average patch count (and variance) per month for Windows Server 2003]

Clearly, there’s a two-month cycle going on here; every two months we get a larger number of patches. Furthermore, we can deduce a few more bits of information: assuming this cycle continues, it is likely that we won’t be seeing many new patches in July; however in August, there’s going to be a bunch of new ones.

I believe this actually fits the picture pretty well: July 15, many hackers will try their skills on compromising Windows Server 2003 systems. This will lead to new bugs being identified, which will take some time to create a patch for. Those patches will then be delivered in August (unless it’s something really urgent, which will probably get published “out-of-band”, as Microsoft likes to call it).

So, in summary here’s my wild guess for the next few months:

Month             Count
August 2015       2 – 5
September 2015    3 – 9
October 2015      0 – 8
November 2015     0 – 13
December 2015     1 – 8
January 2016      0 – 6
February 2016     2 – 11
March 2016        0 – 8
April 2016        0 – 13
May 2016          0 – 6
June 2016         0 – 13

That totals out at somewhere between 8 and 100 patches. Admittedly, this is like guessing lottery numbers, but I’m still confident that we’ll stay close to the ranges I’ve listed. Time will tell if my patch forecast is completely off or hit the target right on the spot. I’m keeping my fingers crossed.
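The per-month mean/variance extrapolation and the per-patch cost model described in this post, as an added Python example (not the author's code or data). The release history is constructed, the fee and price are placeholders, and taking the range as mean plus or minus one standard deviation clipped at zero is an assumption, since the post does not say how its ranges were derived.

```python
from collections import Counter
from datetime import date
from math import ceil, floor, sqrt
from statistics import mean, pvariance


def monthly_stats(release_dates, first_year, last_year):
    """Mean and variance of the patch count for each calendar month (1..12)."""
    per_month = Counter((d.year, d.month) for d in release_dates)
    stats = {}
    for month in range(1, 13):
        # A month with no release counts as 0; skipping it would inflate the mean.
        counts = [per_month.get((y, month), 0)
                  for y in range(first_year, last_year + 1)]
        stats[month] = (mean(counts), pvariance(counts))
    return stats


def forecast_range(stats, month):
    """Assumed range: mean +/- one standard deviation, clipped at zero."""
    mu, var = stats[month]
    sd = sqrt(var)
    return max(0, floor(mu - sd)), ceil(mu + sd)


def per_patch_budget(stats, months, systems, quarterly_fee, price_per_patch):
    """Cost bounds for the per-patch option: quarterly fee plus patches x systems."""
    lo = sum(forecast_range(stats, m)[0] for m in months)
    hi = sum(forecast_range(stats, m)[1] for m in months)
    base = ceil(len(months) / 3) * quarterly_fee
    return (base + lo * systems * price_per_patch,
            base + hi * systems * price_per_patch)


def _sample(year, month, n):
    """Constructed data: n patch releases in the given month."""
    return [date(year, month, 12)] * n


# Constructed history for 2012-2014; real input is the full patch listing.
HISTORY = (_sample(2012, 8, 4) + _sample(2013, 8, 2) + _sample(2014, 8, 3)
           + _sample(2013, 9, 6) + _sample(2014, 9, 3))

if __name__ == "__main__":
    stats = monthly_stats(HISTORY, 2012, 2014)
    for m in (8, 9):
        print(m, stats[m], forecast_range(stats, m))
    # Placeholder prices: 10 servers, fee 1000 per quarter, 50 per patch and system.
    print(per_patch_budget(stats, [8, 9], 10, 1000, 50))
```

Note that September 2012 has no releases in the sample and still enters the statistics as a zero, which is what widens the September range down to 0.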

Organization structure

A project manager’s powers strongly depend on an organization’s structure. There are

  • functional organizations – structured by departments and grouping a company’s functions like “controlling” or “accounting”, “sales” etc.; functional managers manage headcount under their hierarchical supervision; project managers depend on the functional managers to release resources for participation in a project
  • matrix organizations – project managers and functional managers share their powers
  • project-ized organizations – project-based organization which is created for a project and dissolved as soon as the project is completed
  • project-based organizations (PBO for short) – organizational structure only put into place for a project, “short-cutting” any other existing functional or project structure within the organization

Functional organizations

A major drawback of functional organizations becomes visible when a project needs to involve multiple functions: usually, such projects are split up – the first department does its work, then hands the result over to the next department, which starts its own project to continue the overall work. Obviously, communication breakdowns and information loss at those interfaces are to be expected.

Additionally, project resources are bound to be more loyal to their functional manager than to the project manager, because the functional manager pays them and is responsible for their yearly performance rating. On the other hand, a clear advantage of this structure is that, in general, people only need to deal with one supervisor – their functional manager.

Project-ized organizations

Such organizations can be identified by the following factors:

  • Project managers have the ultimate authority over projects
  • Organization is project-focused and -driven, therefore its resources are focused on projects as well
  • Team members are co-located
  • There is no functional-manager loyalty like in a functional organization – loyalties are established towards the project manager
  • Project teams are dissolved after a project’s conclusion

Matrix organization

Whereas the project-ized organization can probably be seen as the “opposite” of a functional organization structure, the matrix organization is kind of in between. There are functional as well as project hierarchies in a matrix organization – the functional manager and project manager share their powers to manage daily business and projects alongside each other.

There is a strong, a weak and a balanced form of a matrix organization. In the strong form, the power balance between the functional and project manager tips towards the project manager; in the weak form, the functional manager gains the upper hand.

Only the balanced matrix organization fairly balances powers between the functional and project manager.

Project Management Office (PMO)

A project management office (PMO for short) is a central function or department in an organization, responsible for establishing and maintaining a framework for organizational project management (OPM for short). The project management office is focused on assuring projects, programs and portfolios are managed in a consistent manner and that they work towards the company’s goals.

In general, PMI’s PMBOK Guide identifies the key purpose of a PMO as supporting project managers, which can take very different forms – depending on how the PMO is actually run.

Management styles of a PMO

A PMO may be supportive only, with a low level of control in the organization, offering training, templates and forms. On the other hand, a PMO may be controlling with a moderate level of control, ensuring compliance with a company-wide project management standard and making sure project managers adhere to that standard methodology. Last but not least, a PMO may be directive, in which case it holds a high level of control and actually controls and manages projects.

Commonly offered PMO services

In practice, it’s very common to have at least the following services offered by a PMO:

  • Provide a company-specific methodology for project management, supported by standard templates and forms and defined processes
  • Coach and train project managers in project management
  • Strengthen and facilitate know-how transfer and communication across all ongoing projects
  • Manage project resources
  • Archive project documentation
  • Review project success and adherence to company’s project management standard