Should I do the Windows and Citrix Updates?

5th July 2006

Overview
The issue of whether and how to update Windows can be a complicated and surprisingly controversial one. I have worked for many companies of varying sizes where the issue of Windows updates is either ignored completely or only comes to light when an update is needed to fix a problem after it has already happened. This mentality often stems from IT departments having had bad experiences installing Windows Updates in the past, not having the resources, or believing they already have enough security from other devices in place. In this article I discuss the pros and cons of installing the updates, the options available to you for installing them, and my personal opinions on the subject of Windows updates, as well as Citrix and other updates that are available.
 
Arguments for Windows Updates
1.) A lot of the updates from Microsoft are “Critical”. They are not enhancements to the operating system; they are issued because a vulnerability in the operating system has been identified, Microsoft have rectified it and made the fix available as a free download to the end user. Microsoft’s definition of a critical update is as follows:
“A vulnerability whose exploitation could allow the propagation of an Internet worm/virus without user action”
2.) You never know how important the next update is. If you were to build a PC or server and connect it directly to the internet with no updates, service packs or firewall, then within an hour your PC would be unusable. Who’s to say that the update you didn’t feel like doing last month isn’t going to be the one that causes the problems in your company?
3.) Your job could depend on it. If you come in one day and all your servers have crashed, but you have done everything possible to prevent this, then you cannot realistically be held responsible. If the issue would not have happened had you applied an update that had been freely available for 2 months, and you skipped it because of an “If it ain’t broke don’t fix it” attitude, it’s a different matter.
4.) It’s easy to configure - Microsoft have made it so the updates can be set to install automatically every night, so little user intervention or man hours are required. You can apply updates on an individual basis, using Active Directory group policy, using Microsoft’s free update services SUS or WSUS (discussed below), or by purchasing third party software such as SMS or Altiris. Once set up, most of these options need very little ongoing effort.

Arguments Against Windows Updates
1.) The Windows updates themselves have been known to cause problems - You may find that everything is fine for weeks and then all of a sudden something doesn’t work across the servers that were updated the night before.
2.) If they are to be done manually and regularly it can take up a lot of time and resources - If you feel safer doing them this way so you know exactly what’s going on it could soon turn into a full time job with almost daily updates.
3.) If it’s done automatically you are largely unaware of what’s going on to your servers - If you have just updated Internet Explorer yourself and Internet Explorer stops working it’s fairly obvious that the update is the issue. If you haven’t looked at the server for 6 months and Internet Explorer isn’t working it would take longer to diagnose the issue.
4.) We have enough security already - In most companies there are a lot of other layers of security, such as firewalls and security policies, that don’t require touching the operating system and potentially causing problems. These other layers will usually stop most hackers, viruses etc., rendering a lot of the updates unnecessary (but not all).

My Recommendations
I would always recommend installing the Windows Critical updates on a regular basis. I would however also recommend thorough testing before deploying any of the updates. How you deploy the updates is of course up to you. Below are a few of the options you can use to automate and install the updates:
Third Party Software – Third party deployment software such as Altiris or Microsoft’s SMS (Systems Management Server) can be used to send the updates out across your organisation. If you already have the software then this is a good option, but it can be expensive and I would not recommend buying it purely for deploying Windows Updates.
Microsoft’s SUS or WSUS - (My preference.) These are free patch management applications available from Microsoft specifically for keeping your servers/PCs updated. WSUS is the newer version and SUS will no longer be supported after November this year (2006). You will need a 2000/2003 server running IIS and IE6 or above to run it, and there are other limitations, such as not being able to patch Windows NT 4.0 machines. However, it does give you the opportunity to deploy more than just the Windows updates, offering other options such as Microsoft Office, Exchange and SQL updates. You use this in conjunction with Group Policy to specify the location of the WSUS server.
Set to Automatically Download and Install – Within the control panel of Windows 2000 or XP you have the option to automatically download and install, download and notify, or do neither. If you are in a relatively small environment you can set a few servers to download and install automatically, staggered over several days. This is of course a risk, as you will not have been able to test any of the updates first and they will be going straight onto live servers, but if resources and time are an issue you may sometimes find yourself with little choice.
Manual Downloads – This is certainly the most time consuming way, where you simply download the updates when you feel like it. It gives you total flexibility in that they are installed at times convenient to you and only the updates which you want are installed. The downside is that most people using this method always find something more important to do and it can be weeks or months before they actually get round to it.
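As an added example (not from the original post), the PowerShell script below reads the standard Windows Update policy registry values that Group Policy writes and reports whether a machine is pointed at a WSUS server and which Automatic Updates mode applies, flagging the case where updates are switched off entirely. The registry paths and value names are the documented policy keys; the report wording is mine.

```powershell
# Added example: audit how Automatic Updates are configured on this machine.
# These are the documented policy keys written by the Windows Update GPO.
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $policy 'AU'

# Read one registry value, returning $null if the key or value is absent
function Get-RegValue($path, $name) {
    if (Test-Path $path) {
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($item) { return $item.$name }
    }
    return $null
}

# Documented meanings of the AUOptions policy value
$auMeaning = @{
    2 = 'Notify before download (nothing installed without an admin)'
    3 = 'Download automatically, notify before install'
    4 = 'Download and install automatically on a schedule'
    5 = 'Let the local administrator choose the setting'
}

$useWsus      = Get-RegValue $auPolicy 'UseWUServer'
$wsusServer   = Get-RegValue $policy   'WUServer'
$noAutoUpdate = Get-RegValue $auPolicy 'NoAutoUpdate'
$auOptions    = Get-RegValue $auPolicy 'AUOptions'

# Where do the updates come from?
if ($useWsus -eq 1 -and $wsusServer) {
    Write-Output "Updates come from WSUS server: $wsusServer"
} else {
    Write-Output 'No WSUS server set by policy: updates come straight from Microsoft'
}

# How (and whether) are they applied?
if ($noAutoUpdate -eq 1) {
    Write-Output 'WARNING: Automatic Updates are disabled by policy; patches are not applied'
} elseif ($auOptions -ne $null -and $auMeaning.ContainsKey([int]$auOptions)) {
    Write-Output "Automatic Updates mode $auOptions : $($auMeaning[[int]$auOptions])"
} else {
    Write-Output 'Automatic Updates mode not set by policy; the local Control Panel setting applies'
}
```

Run it on a few servers after the Group Policy has been applied to confirm they are actually pointing at the WSUS server rather than silently pulling from Microsoft or, worse, not updating at all.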

What About Other Updates?
I do give the Windows Critical Updates priority above everything else (apart from anti-virus updates), but there are of course many other updates out there. The Microsoft Office updates are not part of the Automatic Windows Update options, which is why I favour using Microsoft’s WSUS for deployment. There are security issues addressed within these updates, so I would recommend these are done as well.
Citrix updates, however, are usually fixes or enhancements to the Citrix software. (It should also be noted that they don’t always work and sometimes they have to release fixes to fix the fixes!)
If you require one of these “extras” or need the fix then it makes sense to install the patch (after testing, of course); otherwise, my personal opinion is generally not to bother. Having said that, Citrix do offer a rollup of all important updates every now and again and I do normally install these when they come out (as normal, after testing first).
It should also be noted that Citrix don’t currently offer any automatic update installation software, although they are supposedly working on one.

One Response to “Should I do the Windows and Citrix Updates?”

  1. Security System Monitoring Says:

    Markus…

    It was quite useful reading, found some interesting details about this topic. Thanks….
