When it comes to patch management, there's no one-size-fits-all approach to doing a job no one wants to do: update software for new features, or the more troubling task, fixing a security hole before a hacker or computer worm finds it.
By all accounts, patching software is a disruptive, time-consuming process requiring IT departments to test any new software patch before applying it, scheduling downtime for machines to apply the patch and ensuring it doesn't "break" applications. Patching for security purposes also means managers have to be on constant alert for news of any new holes found in vendor products. This thankless task monopolizes large chunks of IT staff time, in spite of a growing array of products and services that can track machines that need patches and automate patch downloads from vendor sites.
At any rate, many organizations say they don't need commercial patch-management products to do the job.
"We have our own system for this," says Anthony McBride, IT network security analyst at financial services firm Principal Financial Group in Des Moines, Iowa. "It's a homemade system with a database of the servers and applications we use for Windows, Solaris and Linux and what's been patched. And we monitor a list of open sources, like Bugtraq, for information."
Because there are so many patches released by vendors, Principal Financial Group evaluates each one according to a risk category to determine which need to be applied immediately and which can wait for the next quarterly scheduled software maintenance. "You have to weigh the risk, and get into a lab and test that patch," McBride says.
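The homemade tracking-and-triage approach McBride describes (a database of hosts, the software they run, which patches are applied, and a risk category that decides "now" versus "next quarterly window") as an added example, not code from the article or from Principal Financial Group. Host names, patch ids, risk categories and the lab-tested set are constructed placeholders.

```python
# Constructed sample data (not from the article): servers, the software each
# runs and which vendor patches have already been applied to them.
INVENTORY = {
    "db01":  {"os": "Solaris", "apps": {"oracle"}, "applied": {"solaris-patch-03"}},
    "web01": {"os": "Windows", "apps": {"iis"},    "applied": set()},
    "app02": {"os": "Linux",   "apps": {"apache"}, "applied": {"linux-apache-02"}},
}

# Constructed advisories (placeholder ids): the platform or application each
# patch targets and the risk category assigned after the team's own review.
ADVISORIES = {
    "win-patch-01":     {"os": "Windows", "app": None,     "risk": "critical"},
    "linux-apache-02":  {"os": "Linux",   "app": "apache", "risk": "moderate"},
    "solaris-patch-03": {"os": "Solaris", "app": None,     "risk": "low"},
    "oracle-patch-04":  {"os": None,      "app": "oracle", "risk": "high"},
}

# Patches that have already passed the lab test; the rest are not rolled out yet.
LAB_TESTED = {"win-patch-01"}

# Risk category -> window: apply now, or wait for the quarterly maintenance.
SCHEDULE = {"critical": "immediate", "high": "immediate",
            "moderate": "quarterly", "low": "quarterly"}


def applies_to(advisory, host):
    """An advisory is relevant when its OS and application filters both match."""
    os_ok = advisory["os"] is None or advisory["os"] == host["os"]
    app_ok = advisory["app"] is None or advisory["app"] in host["apps"]
    return os_ok and app_ok


def missing_patches(inventory=INVENTORY, advisories=ADVISORIES, tested=LAB_TESTED):
    """Return {host: [(patch_id, risk, window, lab_status), ...]} for every
    relevant patch the host does not yet have, immediate work listed first."""
    report = {}
    for name, host in inventory.items():
        gaps = []
        for pid, adv in advisories.items():
            if applies_to(adv, host) and pid not in host["applied"]:
                status = "ready" if pid in tested else "lab-test first"
                gaps.append((pid, adv["risk"], SCHEDULE[adv["risk"]], status))
        gaps.sort(key=lambda g: (g[2] != "immediate", g[0]))
        if gaps:
            report[name] = gaps
    return report


def immediate_queue(report):
    """Hosts with at least one patch due now, mapped to the patch ids to apply."""
    return {h: [g[0] for g in gaps if g[2] == "immediate"]
            for h, gaps in report.items() if gaps[0][2] == "immediate"}
```

Running `missing_patches()` on the sample data flags the Oracle host as needing an immediate patch that has not yet been lab-tested, which is exactly the case a scheduler has to surface rather than silently defer.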
Commercial patch management products can either be stand-alone patch products like those from BigFix, PatchLink, St. Bernard Software and Shavlik Technologies, or the patch component of systems management products from ConfigureSoft, Ecora, IBM Tivoli and LANDesk Software.
In any event, the idea of deferring patching based on risk is a common practice, according to network executives. That's because the number of vendor patch releases is skyrocketing as the number of newly discovered vulnerabilities increases dramatically.
"The number of software vulnerabilities has doubled every year since 1999," says Casey Dunlevy, manager of the CERT Analysis Center at Carnegie Mellon University, which tracks this data as part of its ongoing effort in issuing the closely watched CERT security alerts.