It seems the operating system patches take the brunt of the blame when it comes to problematic behavior. It used to be a common occurrence to have multiple days of Windows patches or a never-ending stream of Linux updates. Thankfully, most of the operating system folks have learned that having a regular schedule works well. Patch Tuesday means something to most folks. I don't think the OSes are totally to blame though.
Even as I sat down to write this post, my desktop started chirping that it was time to install updates to many of my applications. You might know some of the names: Reader, Air, and Flash for starters. Even the above-mentioned Java is a frequent offender of relentless updating. With a version number like "1.7.0_40-b43", you begin to realize that there are tons of builds. Those are just the ones we see.
Every time an application vendor finds an issue with software, they issue a small patch. Point releases, engineering specials, or incrementing builds are not uncommon. I can remember installing an application and then calling support only to be told that they don't support version 5.1 ES48 any longer. The very fact that their support department is issuing patches for problems outside the normal patching process should say something.
If your software program needs weekly updates to operate correctly, you've got a bigger problem to address. I understand that some programs, like Java, have such deep system-level access that patching exploits quickly is crucial. But issuing a patch every two or three days until you've plugged all the holes is a bad idea. It's an even worse idea when you destroy your application compatibility in the process.
I can still remember DLL Hell in older versions of Windows. It's been replaced by Java Hell, where incompatible versions of JRE break other applications due to minor (or major) fixes to the way things are handled. Every patch or suggested upgrade gives people nightmares because of all the possible disaster that awaits when the CRM application breaks or the Java-based network appliance configurators stop responding.
What patch management needs to be successful is a way for administrators to manage third-party patches along with the OS patches. If the majority of work being done on the system is via applications (and the services that support them), then patch management should have visibility into those processes. Otherwise, Java won't be the first place you think to look when your critical applications come crashing down.
What do you think? Do you spend most of your time fighting third-party programs? Have you tried using a third-party patch manager? Do you want to throw Flash and Java out the window due to the constant updating? Tell me all about it!