Interesting question which I've had lengthy discussions about in numerous businesses: http://isc.sans.edu/diary.html?storyid=11527

Points of view:

Security guy: patch early, patch often. It's better to have a 1 day per year outage from a bad patch than to ever have a compromised server or defaced site, especially when policy is to assume everything in the same subnet is also compromised and needs to be cleaned with fire and holy water. A compromised site also means risk to our reputation, which is worse than not meeting an SLA 1 day out of 365.

Business guy / customer rep: patches risk unplanned outages, which means we risk not meeting SLA. Customer-facing SLAs are our bread and butter, and must not be messed with. Patches must be tested in non-prod environments like any other software rollout.

Change approval committee: 1 week per SDLC environment, because we're ITIL. That means 5 weeks from patch release to production. We don't understand what you mean by "zero day threat".

Sysadmin: whether it's hacked or breaks from bad patches, I get my arse kicked. And my arse is pretty sore already.

Marketing: What's a patch? I ate my crayon.