What discrepancies are you referring to here ? Typically we have found that WSUS and WindowsUpdate do not do as intensive checks to see if a patch is installed on a system. for example they check the registry to see if the patch is installed, where as Shavlik checks the specific dll versions mentioned in the Microsoft Bulletin article. There will always be discrepancies between different analysis tools and we have found that Shavlik's analysis is the most accurate.
Have you run into a case w/ Microsoft where they have told you they will not support the OS because you have used a 3rd party tool to determine what patches apply to the OS ? as there are many 3rd party patching tools available i highly doubt this is a common occurrence, if one at all,
I agree with Bill. WSUS patching is quite flawed. There are numerous reasons to move away from WSUS/SCCM based windows patching and to BSA (using shavlik).
- the shavlik data is more literal, tied directly to the bulletin details (and patch meta data)
- BSA Patch Analysis feature is a huge differentiation as it allows BSA to pre-screen server patching needs as well as post validate patch compliance. Analysis for WSUS and SCCM is done after creating a patch bundle package of patches, regardless fo whether a server needs them or not, then is evaluated through group policy interaction with the server during run time of the patch. A patch analysis, remediation payload definition, and scope of execution should never be done during execution phase. This introduces a ton of risk
- BSA App Server dictates execution. often windows servers could receive full instructions and payload from Group Policy by way of an SCCM Advertisement (this Deploy Job). that same server could go offline or the SCCM app servers could crash and the server can still independently execute the patch payload. (this is the age old push vs pull approach). This works well for workstations as they are often offline, in a desk or bag, on VPN, etc., It is a terrible idea for Servers.
- It can also be canceled in real-time (as close to real time as one could ever hope for)
To recap. The risk of moving to BSA is much less than staying with WSUS for windows server patching.
the only objection that is reasonable is that Shavlik patch availability is slightly delayed from when Microsoft releases patches by Patch Tuesday afternoon. But the benefits of the switch to BSA far outweigh a potential delay