Patch Management's Cast of Characters - WSUS and MBSA Part 1 of 5
The excerpted text below was taken from Chapter 8 of Creating the Secured Managed Desktop: Using Group Policy, SoftGrid, Microsoft Deployment Toolkit, and Other Management Tools, written by Jeremy Moskowitz and contributed to by Greg Shields. Get your copy on Amazon here, or from Jeremy's web site here.
Before we get into the down-and-dirty details of WSUS, we should first take a step back and look at the cast of characters that currently makes up Microsoft's patch-management products. You'll also find that depending on the size and complexity of your environment, options other than WSUS may be preferable. For extremely small environments, WSUS may not even be a necessary component. That's because running a WSUS instance requires a server, which can be at a premium in very small environments. For larger environments, other tools like System Center Essentials or System Center Configuration Manager may be needed to provide the level of configuration control you need. Let's take a look at each of these tools with an eye toward which one will work best for you:
WU and MU (Windows Update and Microsoft Update)
These two names, which are often (though incorrectly) used interchangeably, actually describe two different tools used by Microsoft for the distribution of patches to client workstations. Traditionally, Windows Update has been used for the distribution of patches specific to the Windows operating system. For Windows XP systems and earlier versions, Microsoft Update was an add-on that added support for patching other Microsoft products like Office, SQL, Exchange, and others. With these operating systems, each individual client would go to http://update.microsoft.com to connect to the system and install needed patches.
With Windows Vista, the components needed to connect to Microsoft Update are available natively in the OS. With Vista and Windows Server 2008, clients need only navigate to Start | All Programs | Windows Update to bring up the Windows Update Control Panel, where the same scanning and patch-deployment actions are now completed.
The major benefit of WU and MU is that any administrative user can connect to Microsoft and download patches as necessary to keep their system safe. But relying on individual users to "do the right thing" could be detrimental to your health (or at least the health of the business). MU and WU make available some patches that corporate IT may not want deployed to systems. More than anything, allowing individual systems to download patches independently and over the Internet negatively impacts bandwidth.
Check back tomorrow for more in the Windows Update "cast of characters"...
