
Patch and Pray

25.08.2003
By Scott Berinato

"Something has to happen," says Rambus. "There's going to be a backlash if it doesn't improve. I'd suggest that this patching problem is the responsibility of the vendors, and the costs are being taken on by the customers."

There's good news and bad news for Rambus. The good news is that vendors are motivated to try and fix the patch process. And they're earnest--one might say even religious--about their competing approaches. And the fervent search for a cure has intensified markedly since Slammer.

The bad news is that it's not clear either approach will work. And even if one does, none of what's happening changes the economics of patching. Customers still pay.

More or Less

There are two emerging and opposite patch philosophies: Either patch more, or patch less.

Vendors in the Patch More school have, almost overnight, created an entirely new class of software called patch management software. The term means different things to different people (already one vendor has concocted a spin-off, "virtual patch management"), but in general, PM automates the process of finding, downloading and applying patches. Patch More adherents believe patching isn't the problem, but that manual patching is. Perfunctory checks for updates and automated deployment, checks for conflicts, and rollback capabilities (in case there is a conflict) will, under the Patch More school of thought, fix patching. PM software can keep machines as up-to-date as possible without the possibility of human error.
