Every month, like clockwork, Microsoft releases security bulletins, and every month people ask me if it’s a small or a big release. While the exact details of the patches are generally treated as news, the expected workload each month really shouldn’t be a guessing game because Microsoft’s patch releases are predictably cyclical.
I don’t have any special inside knowledge, and I can’t speak for Microsoft, but when I look at the publicly available information it’s pretty clear to me how the cycle works.
60 Day QA Cycle
A 30 to 60 day QA cycle on a Microsoft patch is typical, and it’s actually pretty easy to tell how many days a patch was probably in QA. If you are curious, download the patch manually and take a look at the date the file was digitally signed. This isn’t an absolutely accurate date because a patch could drop in and out of the QA process several times, but it’s a reasonable approximation.
Using this method I calculated the average dates for the Dec 2009 patches at 54 days, November 2009 patches at 36 days, and October 2009 at 45 days. It’s not too hard to jump from those numbers to an average 60 day cycle.
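The calculation described above can be scripted. This is an added example, not the author's own tooling: it assumes the lag is measured from each file's signing date to the bulletin release date, that the release falls on the second Tuesday of the month, and it uses constructed signing dates rather than values read from real patches.

```python
from datetime import date, timedelta
from statistics import mean


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the month (assumed release day)."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def qa_days(signed: date, release: date) -> int:
    """Days between the signing date and the release date."""
    return (release - signed).days


def average_qa_days(signing_dates, year: int, month: int) -> float:
    """Average signing-to-release lag for one month's patches.

    Files signed after the release date (for example a re-issued
    package) give a negative lag and are left out of the average.
    """
    release = patch_tuesday(year, month)
    lags = [qa_days(d, release) for d in signing_dates]
    usable = [lag for lag in lags if lag >= 0]
    if not usable:
        raise ValueError("no file was signed on or before the release date")
    return round(mean(usable), 1)


# Constructed signing dates for a hypothetical December 2009 release.
# In practice these come from the Digital Signatures tab of each patch file.
SAMPLE_SIGNING_DATES = [
    date(2009, 10, 10),  # 59 days before release
    date(2009, 10, 20),  # 49 days before release
    date(2009, 10, 30),  # 39 days before release
    date(2009, 12, 15),  # signed after release, excluded
]

if __name__ == "__main__":
    print(patch_tuesday(2009, 12), average_qa_days(SAMPLE_SIGNING_DATES, 2009, 12))
```

As the text notes, a patch that drops in and out of QA is re-signed, so the figure is a lower bound on how long the fix has existed, not an exact duration.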




