VMware Patches - Do they need a patch Tuesday?
Virtualization.info posted an article, ‘Patch Tuesday for VMWare’, on the analysis they did of VMware patch release data. Obviously the hosted OS’s aren’t the only things which need to be patched. Here is part of the analysis the authors released:
“ESX 3.0.1: 68! Sixty-Eight patches in the course of about a year. Of course they were released in about 11 groups, at an average of about 7 patches per release date (per the VMware website).
Of those 68 patches, 17 were considered Critical patches (an average of 1.4 per release), 21 were security related (average of 1.75 per release) and 30 General patches averaging 2.5 patches per release date. The other thing we noticed (besides the number of patches) was the frequency at which patches were released. Essentially the time between patches / release dates continues to shrink.”
The entire article is on the virtualization.info web site.
Compare this to Windows Vista 32-bit (Gold Code), which has had 23 patches since its release (only 19 patches if you don’t count the patches which have been replaced by more recent updates). Of those, only 13 (or 9, depending on how you want to count) were critical; 8 are flagged as important; the last 2 are considered moderate or low. These Vista patch release numbers include patches released April 2007-January 2008.
In conclusion, VMware 3.0.1 had 68 patches in 12 months (December 2007 and the 12 months prior — December 2006); Windows Vista (Gold) has had 23 patches since its RTM on November 8, 2006. In the 12 months of 2007, VMware patched ESX 3.0.1 well over twice as much as Windows Vista was patched.
Source for Windows Vista patch data: Security Bulletin Search on Microsoft TechNet


