ISV support of patches

Yesterday during a discussion I was having with some customers in Taiwan another chat I had with an MVP a month or so ago came back to mind. The question asked was about Independent Software Vendor (ISV, i.e. "not Microsoft") support of Microsoft patches for the OS. Specifically, how long is it reasonable to take an ISV to fully support their product on an OS patched with a particular patch, or rather, update, or a particular service pack?

My response (not the official Microsoft response mind you, but I do not know that there is one) was that as for service packs, the reasonable time frame is "immediately." The fact is that service packs undergo massive beta programs. Every ISV is invited to participate in those beta programs. They can therefore test their products on the service pack at the same time we test the service pack; report bugs to us, and hopefully have a chance to get those bugs fixed before the service pack releases. In other words, I believe there is absolutely no excuse for ISVs to claim that their product is not tested on a particular service pack.

Software updates are different. For updates there is no beta program. ISVs do not get a chance to test the update before it is released. It is reasonable to give them some time to test them before supporting them. The exact time frame should be dependent on the severity of the update, the nature of the systems that should be running the software, and the type of data the ISV processes. For a critical update for a server that needs to process critically important data, such as PII, financial data, etc, 24 hours to 5 days is probably reasonable, depending on the complexity of the update and the ISVs software. For lower severity updates it may take longer.

The discussion got started when the customer found an ISV that specifically would not support any updates since MS04-012, which was released in April 2004. If you want a system updated in the past 18 months apparently you would either have to run an unsupported configuration, or get rid of this software and buy from another vendor.

This is critically important. You have to protect your information assets. You, therefore, have to decide how important they are. If a vendor will not meet your risk management goals, you need to consider a different vendor. It is unfortunate, but that is the only way to protect your network and your information.

Do you agree? Let me know if you have a different way to think of this.