Patching used to be a real drag for Gabriel Selmi, the security designate for non-profit mental health services provider Advanced Behavioral Health Inc. of Middletown, Conn. When an update arrived, the network administrator and his tiny IT team would download it to a floppy disk and then walk around to about 50 machines. Or, they'd send out an e-mail with a link and ask the employees to do it.
"It was a complete nightmare for us, a lot of manual work," Selmi recalled.
Today, Advanced Behavioral Health's all-Windows shop supports 200 local PCs at its headquarters and another 150 remote users who dial into the network using a VPN. But patching is no longer problematic, even with the window between a bulletin's release and an exploit's circulation narrowing.
In 2004, after months of serious comparison shopping, Selmi settled on a patch and vulnerability management service from Scottsdale, Arizona-based Patchlink Corp. that has eliminated much of the manual labor. But the patch landscape for many others remains riddled with land mines, and some enterprises are rushing to seal holes with unofficial patches or deploying sanctioned ones before properly testing them.
Proving that point, Patchlink on Monday released the results of a new customer survey that asked more than 250 CIOs, CSOs, IT managers and network administrators about their patch management practices. The results are based on information gathered during the company's 360 Security Conference in Tempe, Arizona, in February.
Among the results:
- A majority (55%) believe software vendors should issue patches out of cycle when exploits are in the wild, with another 44% suggesting out-of-synch updates first be thoroughly tested.
- Most companies roll out all newly available patches within five days (22%) or within one week to two months (28%). Only 8% roll out a new patch within 72 hours. However, when it's a critical patch, 40% will apply it immediately, while 24% will deploy a fix within 2 to 5 days. Another 16% will do so within two months, and the remaining 18% have no set timeframe.
- Because Patchlink tests all patches prior to releasing them to customers, it's not too surprising that a quarter of respondents spent less than an hour testing patches on their own. About the same number tested for one to five hours, while less than 5% took five to 10 hours. Twenty percent took a day, while almost 23% took longer.