SQL Server Blog

Announcing GA of enhanced patching for SQL Server on Azure VM with Azure Update Manager

TarynPratt
Microsoft
Apr 16, 2024

We are pleased to announce the GA release of enhanced patching capabilities for SQL Server on Azure VMs using Azure Update Manager. When you register your SQL Server on Azure VM with the SQL IaaS Agent extension, you unlock a number of feature benefits, including patch management at scale with Azure Update Manager.

Overview

Azure Update Manager is a unified service that helps you manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on other cloud platforms from a single dashboard. By enabling Azure Update Manager, customers are now able to:

  • Perform one-time updates (or Patch on-demand): Schedule manual updates on demand
  • Update management at scale: patch multiple VMs at the same time
  • Configure schedules: configure robust schedules to patch groups of VMs based on your business needs
  • Periodic Assessments: Automatically check for new updates every 24 hours and identify machines that may be out of compliance

Azure Update Manager supports more update categories, including the ability to automatically install SQL Server Cumulative Updates (CUs); the existing Automated Patching feature can only install updates marked Critical or Important.

To get started with Azure Update Manager, go to the SQL virtual machine resource in the Azure portal and choose Updates under Settings.

To allow your SQL VM to receive SQL Server updates, you will need to enable Microsoft Update on the virtual machine.

Migrate from Automated Patching to Azure Update Manager 

If you are currently using the Automated Patching feature offered by the SQL Server IaaS Agent extension and want to migrate to Azure Update Manager, you can do so with the MigrateSQLVMPatchingSchedule PowerShell module, which performs the following steps:

  • Disable Automated Patching 
  • Enable Microsoft Update on the virtual machine 
  • Create a new maintenance configuration in Azure Update Manager with a similar schedule to Automated Patching 
  • Assign the virtual machine to the maintenance configuration  

To migrate to Azure Update Manager by using PowerShell, use the following sample script:

$rgname = 'YourResourceGroup' 
$vmname = 'YourVM' 

# Install latest migration module 
Install-Module -Name MigrateSQLVMPatchingSchedule-Module -Force -AllowClobber  

# Import the module 
Import-Module MigrateSQLVMPatchingSchedule-Module 
Convert-SQLVMPatchingSchedule -ResourceGroupName $rgname -VmName $vmname 

The output of the script includes details about the old schedule in Automated Patching and details about the new schedule in Azure Update Manager. For example, if the Automated Patching schedule was every Friday, with a start hour of 2am and a duration of 150 minutes, the output from the script is:

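The same four migration steps done explicitly with Az cmdlets, as an added example rather than the post's script or the MigrateSQLVMPatchingSchedule module, so each step can be reviewed and audited on its own. Resource names, the region, the maintenance configuration name and the cmdlet parameters are assumptions; the GUID in step 2 is the well-known Microsoft Update service ID.

```powershell
# Added example: explicit migration from Automated Patching to Azure Update Manager.
# Assumed names (replace with your own).
$rgname   = 'YourResourceGroup'
$vmname   = 'YourVM'
$location = 'westus2'                 # assumption: region of the VM
$mcName   = 'sqlvm-friday-patching'   # assumption: maintenance configuration name

# 1. Disable Automated Patching on the SQL IaaS Agent extension first, so the two
#    schedulers never patch (and reboot) the same instance in the same window.
#    Assumption: Update-AzSqlVM exposes -AutoPatchingSettingEnable as a switch.
Update-AzSqlVM -ResourceGroupName $rgname -Name $vmname -AutoPatchingSettingEnable:$false

# 2. Enable Microsoft Update inside the guest so SQL Server CUs are offered at all.
#    Registers the Microsoft Update service (7971f918-...) with the Windows Update Agent.
$enableMU = @'
$sm = New-Object -ComObject Microsoft.Update.ServiceManager
$sm.AddService2('7971f918-a847-4430-9279-4a52d1efe18d', 7, '') | Out-Null
'@
Invoke-AzVMRunCommand -ResourceGroupName $rgname -VMName $vmname `
    -CommandId 'RunPowerShellScript' -ScriptString $enableMU | Out-Null

# 3. Maintenance configuration mirroring the old schedule from the post:
#    every Friday, start 02:00, duration 150 minutes (02:30). Scope InGuestPatch is
#    what Azure Update Manager uses; 'Updates' is the classification that carries SQL CUs.
#    Note: the VM itself must have PatchMode AutomaticByPlatform with
#    BypassPlatformSafetyChecksOnUserSchedule set for customer schedules to apply.
$mc = New-AzMaintenanceConfiguration -ResourceGroupName $rgname -Name $mcName -Location $location `
    -MaintenanceScope InGuestPatch -Timezone 'UTC' `
    -StartDateTime '2024-04-19 02:00' -Duration '02:30' -RecurEvery 'Week Friday' `
    -InstallPatchRebootSetting 'IfRequired' `
    -WindowParameterClassificationToInclude @('Critical', 'Security', 'Updates') `
    -ExtensionProperty @{ InGuestPatchMode = 'User' }

# 4. Assign the VM to the configuration.
New-AzConfigurationAssignment -ResourceGroupName $rgname -ResourceName $vmname `
    -ResourceType 'VirtualMachines' -ProviderName 'Microsoft.Compute' `
    -ConfigurationAssignmentName "$mcName-assign" `
    -MaintenanceConfigurationId $mc.Id -Location $location

# Verify the end state: no SQL IaaS auto-patching, one AUM assignment.
$sqlvm = Get-AzSqlVM -ResourceGroupName $rgname -Name $vmname
"Automated Patching enabled: $($sqlvm.AutoPatchingSettingEnable)"
Get-AzConfigurationAssignment -ResourceGroupName $rgname -ResourceName $vmname `
    -ResourceType 'VirtualMachines' -ProviderName 'Microsoft.Compute' |
    Select-Object Name, MaintenanceConfigurationId
```

Step 1 before step 4 is the order that matters: assigning the VM while Automated Patching is still enabled leaves two schedules active, which is the conflict the Additional Considerations section warns about.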
Additional Considerations 

If you are currently using the SQL IaaS Agent extension to patch, be aware of conflicting schedules, or consider disabling Automated Patching and migrating to Azure Update Manager to take advantage of its more robust features.

At this point, neither patching through Azure Update Manager nor Automated Patching via the SQL IaaS extension detects whether the SQL Server instance is part of an Always On availability group. Keep this in mind when scheduling your updates with an automated process.

You can always go back to Automated Patching by selecting Leave new experience from the new Updates page.

Updated Apr 08, 2024
  • That's wonderful news TarynPratt. Thank you for bringing this to GA for Azure and Hybrid customers. It's a great addition to Azure Update Manager and I much appreciate that it enables customers to do instance-based patching of SQL Servers.

     

    May we expect that the feature is available for SQL on-premises through Arc especially when running on Azure Stack HCI when SQL is covered by SA? 

     

    A common drawback we experienced during the preview is that there was no way to configure regular maintenance plans to exclude (critical) SQL updates from AUM patching.

     

    What would be the best way to patch the OS via a maintenance plan without SQL patches? Putting all KBs into the exclusion list every month doesn't seem feasible for customers.

     

    The goal is to use only this AUM extension for an orchestrated SQL patching, and AUM maintenance plans only for OS updates. 

     

    Is this something that has been discussed at your end, or did other customers raise similar feedback?

     

    Would be glad to learn about possible solutions for this scenario, if possible. 

  • SivertSolem
    Iron Contributor

    TarynPratt wrote:

    At this point, patching SQL Server on Azure VMs through Azure Update Manager or Automated Patching via the SQL IaaS extension is not aware if the SQL Server is a part of an Always On availability group. It is important to keep this in mind when scheduling your updates with an automated process.  


    Are there any good documented solutions for automated patching of SQL Server with Always On availability groups?
    Preferably agnostic to the virtualization layer.

  • skusen
    Copper Contributor

    SivertSolem I built out a bunch of automation around this using functions from dbatools.  As far as automatic like this, I don't know of anything that exists.

  • mbourgon_optum
    Copper Contributor

    Yeah, double+ agree on the whole "without AG awareness, both are pretty useless". Sounds amazing, but practically I can't use it. Dammit.

  • Karl-WE I appreciate the feedback on this and thanks for reporting what you are seeing. My suggestion would be to open a support request for the issue as they should be able to help and then raise it with the proper team.

  • Thank you for this very valuable hint TarynPratt. Do I understand that the "updates" category in the catalog will not usually include Windows OS LCUs or other important product updates?
    And if the CU of SQL is security related, will this SQL CU be "promoted" to security updates?

  • TarynPratt I have checked it and there is no good way to exclude SQL updates in a maintenance plan, except if one really checks the pending update list in AUM and excludes the SQL CU or GDR update IDs.

    As I assumed SQL updates will be mostly in security updates or updates category. Unselecting the whole update category doesn't fit the purpose. 

     

    Unfortunately there is a second issue with the new instance based SQL patching. 

     

    Enabling it will alter the WU policy settings (download and install at the time set in SQL patching) in the registry and lead to the default reboot behaviour of WU after applying patches. The SQL patching has no logical link to the maintenance plan reboot policy, which would be feasible.

     

    It will even override a GPO whose intent is to ensure that WU settings are compliant with the defaults the AUM docs suggest (download only, include other Microsoft products).

     

    Disabling the SQL patching feature will entirely delete the Windows Update registry key under Policies.

     

    Does anyone experience the same? This is reproducible on Arc Enabled Windows Server 2022 running on-premises.