Joe, both Hotfixes and Patch Analysis run the same command under the covers, BLPatchCheck2.exe, to perform analysis (set target agent to debug, you will see exactly what we run).
For Hotfixes - the metadata file (hf7b.xml or cab) is taken from <fileserver>/templates folder
For PAJ - the metadata file is taken from <fileserver>/patch/catalog/catalog_xxx folder
So if the metadata files are different, then expect inconsistent results.
For a Hotfixes scan, only Security Patches are reported (whatever is installed or effectively installed).
For PAJ scan, you have an option to report non-security patches and security tools as missing. But once you install these, they are not shown in Hotfixes - remember in Hotfixes we only show security patches.
Also, here are the guides that can help you determine why something is reported as missing or installed when you expect the opposite answer:
KA325243 - BBSA Windows Patch Troubleshooting: Analysis Job Results conflict with 3rd-party Vendors
KA363243 - BBSA Windows Patch Troubleshooting: Analysis Job reports an unexpected patch as Missing
KA366513 - BBSA Windows Patch Troubleshooting: Analysis Job does not report Missing expected patch
KA366485 - BBSA Windows Patch Troubleshooting: How to analyze Trace.txt generated by Analysis Job
Thank you Lazar. If I create a Windows Patch Catalog with all filters included, and only scanned for Security patches, I would expect it to match the output of the Hotfixes list. Is that correct?
Yes, I would expect to see no one patch that reports missing in PAJ and reports installed in Hotfixes. In other words, the list in PAJ and Hotfixes should not have any identical patches.
Also make sure that the metadata is up to date in both cases. To ensure you use the latest metadata for Hotfixes, go to Configuration / Patch Global Configuration / Shavlik URL Configuration / HFNetchk6b or HF7b (whatever is there), and click download. As long as the metadata files are the same (remember from the initial post that the metadata is retrieved from two different places) the results should be consistent.
Thank you Lazar. The results here are very different, and the hf7b files are different in all 3 places. I will try to figure out why that is.
Sure, yes, you should expect the results to be completely different (PAJ reports Missing, Hotfixes reports Installed).
About the different hf7b...
For Catalog, it would be updated when you run the Catalog, so it should be dated no newer than the last Catalog run.
For Hotfixes, it's supposed to check for new hf7b every time you run Hotfixes, but I know there was a bug, so that's why I asked to manually download from global patch config menu - that will update the file in <fileserver>/templates.
So if you update that file via 'download' button, and also run your Catalog Job right now, then technically you will have identical files.... hope this is clear.
Here is a brand new 8.2 SP2 installation comparing Hotfixes vs a Patch Analysis with all filters chosen.
Patch Analysis Job scanning Security Patches only:
Result of Patch Analysis Job:
Interestingly, I see a Service Pack listed here, but not on the Hotfixes. The hf7b.cab files are exactly the same in the File Server storage.
This is what I am seeing at my customer location as well. I can't remember if a Service Pack was missing there.
Service Packs do not appear in the Hotfixes view regardless of their state.
They would only appear in PAJ when they are missing, and you do not filter SPs from Analysis results (it's in Analysis Job options)
Hotfixes shows you what's installed. PAJ shows you what's missing.
Did you mean disparity between PAJ and Windows Live Update? In that case Win Live Update probably shows you missing patches which would essentially be installed by the SP that's showing missing in the PAJ results. Once you install SP, then run another PAJ and Win Live Update, then results should be closer. If they are not close, then start with first guide mentioned in the first post.
I'm confused. I thought Hotfixes was a mix of installed and needed patches. If you look at a list of Hotfixes, you will see a green checkmark if the patch is installed, and the Status will state Installed.
So the disparity I'm seeing is the following:
- Hotfixes lists ~30 required patches, none currently installed
- PAJ lists 4 patches required and Service Pack 1
- Windows Update shows 86 required patches
Joe, Hotfixes lists what's already Installed.
If you are questioning the disparity between the PAJ missing patch list and the Win LU missing patch list, then you need to dive into details... there is no one rule to tell why the results are different. I go into details on how to analyze, explain or troubleshoot this in the guides mentioned above. Start with the first one, and it will lead you where needed. KA325243 - BBSA Windows Patch Troubleshooting: Analysis Job Results conflict with 3rd-party Vendors
Lazar is perfectly right..
I guess this is where I'm getting confused. This is a new server. There are only 2 updates installed. I thought that when Hotfixes listed a patch that was installed it would put a green checkmark to the left and the Status field would say Installed.
In my situation I'm seeing 31 Hotfixes in BSA, with only 2 installed updates listed on the server.