The ServiceNow Patching Program (SPP) updates customer instances to required patch versions throughout the year. With this program, instances get the latest security, performance, and functional fixes. Most importantly, patching remediates known security vulnerabilities and is an essential component of any patch management process.
ServiceNow Patching Program | FAQs
When will the Patching Program go into effect and replace the Quarterly Patching Program?
The Patching Program is currently in effect as of January 2019.
How is the Patching Program different from the former Quarterly Patching Program?
The Patching Program enhancements give you scheduling predictability with one full patch version each quarter and two incremental security patches each quarter. The previous Quarterly Patching Program patched instances to a full patch version once per quarter. We will schedule patches mainly over weekends to minimize disruption to your business.
How is the Patching Program scheduled?
Approximately 2 weeks before the start of the quarter, ServiceNow sends each customer a communication announcing the minimum patch version (also known as the patch target) for each supported release family and the time frames when ServiceNow will apply the patch and subsequent security patches. You always have the option to move to a higher patch version or to patch earlier.
In the first month of the quarter, ServiceNow patches all instances to the minimum patch version specified in the announcement. We will automatically schedule and update your instance(s) to that version.
In the second and third month of each quarter, ServiceNow will patch security vulnerabilities. In this case, we will automatically schedule your instance(s) to be moved to the security patch version. ServiceNow will create Changes approximately one week in advance for non-production instances, and three weeks in advance for production instances. Again, you have the option to move to a higher patch version or to patch earlier.
Security patches contain security fixes only and are built incrementally on the patch target versions. For example, if the patch target is Kingston Patch 6, and the security patch is Kingston Patch 6a, the difference between the two patch versions is the security fixes in Kingston Patch 6a. Generally, the number of fixes in the security patches will be fewer than five, but we reserve the right to add more fixes if required.
How many times will a customer patch each quarter?
ServiceNow will patch all customer instances to the required patch version within the first month of the quarter. We will automatically schedule these on your behalf. In the second and third months of the quarter, we will automatically schedule and update your instances to security patch versions. This equates to 3 applied patches, one full patch version, followed by two incremental security patches.
If ServiceNow determines there is no security patch required in the second and/or third months of the quarter, you will be notified in the previous month.
When will I be notified of the patching versions and schedule?
Midway through the final month of a quarter, you will be notified of the Patch Targets for the coming quarter and a CHG will be scheduled to patch your instances to the appropriate Patch Target for your family. If a security patch is required, you will be notified and a CHG will be created at least 10 days prior to your first scheduled patch.
For example, you should expect to see a communication and have your patch scheduled for January by mid-December. The February security patch should be scheduled during the final week in January.
Can I opt-out of the Patching Program?
All hosted customers are automatically enrolled in and scheduled for updates through the Patching Program. Participation is mandatory given our shared cloud environment.
What is contained in each patch? Am I testing a large number of fixes each month?
You can expect to test a full patch version in the first month of the quarter. This patch contains security, performance, and functional fixes. In the second and third months of the quarter, only incremental security fixes will be deployed.
The contents of each version (full patch or security patch) are described in the Release Notes on the Product Documentation site.
What is the Patching Program and how is it different from programs focused on upgrades?
Release Family upgrades provide enhanced or increased functionality by moving from one release family to another. The Unsupported Release Family (also known as End-Of-Life) Upgrades Program is an example of this.
The Patching Program updates instances to a target version within the same release family; these updates contain security, performance, and functional fixes.
Why was it necessary to modify the former Quarterly Patching Program?
Our customers expect us to keep their business secure. One component of that is to patch instances regularly and often to protect against known security vulnerabilities.
How will I receive notifications related to the Patching Program?
ServiceNow will be sending notifications to your support contacts, listed in HI, detailing the latest patch target and advising you to patch your instances as soon as possible. Update and maintain contacts listed in your company record to ensure that you receive important program-related notifications, and that they are sent to the appropriate contacts.
For more information on managing company contacts, see KB0547262: Managing company contacts on HI.
Can I have parent companies, subsidiaries, or partners added to the communication list for patching?
Yes. Any parent companies, subsidiaries, or partners can be added to the communication list on your company record in HI to receive patching notifications. Only the Customer Administrator can do this; see KB0547262: Managing company contacts on HI. For details, see KB0547557: How to add or remove company and partner notifications in HI.
What if I am on an unsupported release family – will I be part of the Patching Program?
The Patching Program does not schedule patches on unsupported release families. ServiceNow maintains product support for supported release families only. Instances that remain on unsupported release families are scheduled for upgrade in accordance with our Unsupported Release Family Upgrades Program. For more information, see KB0610454: Unsupported Release Family (End-Of-Life) Upgrades FAQ and KB0598977: Patching & Upgrades Program - Definition of Unsupported Release.
Why is the patch target version lower than other available versions?
The patch target version is chosen prior to the quarter’s notification and is purposely kept at that version during the first month of the quarter so that customers have time to plan and test that patch. Furthermore, the security patches are planned so that they are incremental to the patch target versions.
As other full (non-security) patch versions are released, customers have the option to patch to them, potentially bypassing the security patches for that quarter.
What options does a customer have around when to patch?
Our multi-instance architecture allows customers to choose when to patch within the given month. At the same time, ServiceNow has the responsibility to keep all customers secure and functioning at a high level, so timeframes and version availability are strictly enforced.
Can I reschedule a patch?
After ServiceNow creates a Change record to patch your instance, that patch can be rescheduled within the allotted timeframe. This is done through the Manage Instance dashboard on HI. It is important to plan ahead and reschedule the patch as soon as possible to see the widest range of reservations available.
What happens if my scheduled patching is during a change freeze?
You can move your patching date within the allotted timeframe, provided a reservation is available.
I’m already in the middle of an upgrade – how will this affect me?
An existing upgrade project can be accommodated if the upgrade is to a supported release family and to the latest patch target.
How do I modify a ServiceNow patching change (CHG) to patch to a different version?
If there are open patching or upgrade CHGs on your instance, you may modify the Target Version on the existing CHG to a supported version. Access the CHG Record through the Manage Instance dashboard on HI.
Case 1: If you are modifying a CHG to execute in the next 2 hours:
- Adjust the Target Version first --> click Update button to save.
- Verify the desired version is listed, then adjust the Planned Start Date using the Reschedule Upgrade button --> click Select button to save for a second time.
Case 2: If you are modifying a CHG that is already scheduled to execute in the next 2 hours:
- Push out the Planned Start Date a few days using the Reschedule Upgrade button --> click Select button to save.
- Adjust the Target Version --> click Update button to save for a second time.
- Then pull the Planned Start Date back in using the Reschedule Upgrade button --> click Select button to save for a third time.
Note: if there are no existing patching or upgrade CHGs on your instance, you may schedule your own upgrade.
What if our organization does not have enough time to perform full regression testing with each patch version?
Patching involves shorter hops between versions within a family and is intended to be non-impactful. Security patches should require minimal testing since they contain a small number of very specific fixes. The Product Documentation site contains detailed information about the contents of each patch. For best practices related to patching and upgrades, see Upgrade your instance (New York).
What else can I do to prepare for patching?
If you are self-scheduling your patching, patch and test your non-production instances ahead of your production instances.
Where can I find information about the latest patch?
Release notes are available on the ServiceNow Product Documentation site.
Where can I find more information about the security patch content?
In order to protect our customers, we limit the information we make available regarding our security fixes. We do not advertise them publicly as that may risk them being exploited once people are made aware of them. All available security patching information can be found in the release notes on the ServiceNow Product Documentation site.
What patch versions will security patches be created for?
Security Patches will only be created for supported release families. Prior to the start of each quarter, we will announce a "Patch Target" for each supported release family. In the event that a security patch is determined to be necessary, it will be added to these Patch Targets and deployed to customers in months 2 and 3 of the quarter.
Why does the security patch target have a fix that is not contained within a higher patch version? Am I still compliant on the higher patch version?
Based on release timing, there are times when a security fix is identified after the next full patch version is released (e.g. London Patch 6a may have a security fix that is not included in London Patch 7). The higher patch target is still compliant with our Patching Program and provides the latest performance/functional fixes at the time of release; however, if it happens to miss the security fixes from an earlier version based on timing, they will be included in the next full patch target and we will patch these customers the following quarter for the next round of patching.
The Patching Program is designed to patch the majority of customers to our monthly targets, so we build security patches on top of the full patch target from Month 1 of the quarter since that's where the majority of customers will be.
How come I cannot patch from the latest security patch target to the next highest patch version?
In some cases, customers with instances on the latest security patch target may not be able to patch to a higher version (e.g. patching from Madrid Patch 4a to Madrid Patch 5). This is due to release timing - see explanation in the question above.
In this case, customers will not be able to see the higher patch as an available version in the HI Service Portal. Instead, they can wait for the next higher patch to release (e.g. Madrid Patch 6) or wait to be scheduled by the next round of the Patching Program.
Where can I find additional information about what is included in a patch and specific guidance on where to focus our testing?
Refer to the Release Notes for each patch on our Product Documentation site for information on included fixes.
What happens if a patch does not execute properly?
If a patch does not execute correctly by the end of the Change (CHG) window, our monitoring will catch the issue. ServiceNow Customer Support will create a case on your behalf and begin the troubleshooting process.
We encourage you to monitor the progress of your patch and, if there is an issue with the patching or an issue with your instance after the patching process, please contact ServiceNow Customer Support.
Will the patch cause an outage or service disruption?
No. Your instance remains online during patching. Some performance impact may be observed, but there should be little to no impact after a patch has been applied. In the unlikely event of an outage or service disruption, please contact ServiceNow Customer Support.
How do I monitor the progress of my upgrade?
While a patch or upgrade is in progress, the Upgrade Progress shows what the upgrade process has done, what it is doing, and what remains to be done.
Will patches contain added functionality?
As a policy, ServiceNow does not allow new capabilities or functionality in patches. Capabilities and functionality changes are reserved for new family releases. We have done this to give our customers confidence in our patches being non-disruptive to their business.
During the patching process, who is responsible if a patch breaks business functionality?
ServiceNow is responsible for base functionality being patched without issues. We are not responsible for customization. That said, we do extend support and help where we can on customizations, so please contact ServiceNow Customer Support. In addition, the ServiceNow Community is a fantastic resource to get quick answers on customizations.
What if I am a customer with on-premise instances?
For customers with an on-premise instance, ServiceNow will be sending notifications to your support contacts, listed in HI, detailing the latest patch target and advising you to patch your instances as soon as possible. Update and maintain contacts listed in your company record to ensure that you receive important program-related notifications and that they are sent to the appropriate contacts.
For more information on managing company contacts, see KB0547262: Managing company contacts on HI.
Release Family: A complete solution including new capabilities that customers can implement to add value to their organization. The release family also incorporates available fixes to existing functionality.
Patch: Supports existing functionality within the release family with a collection of problem fixes and generally does not include new features.
Security Patch: Supports existing functionality within the release family with specific security fixes. These fixes are incrementally added to the patch version. For example, Kingston Patch 6a is a security patch that contains security fixes added to Kingston Patch 6. Similarly, Kingston Patch 6b contains the fixes in Kingston Patch 6a plus the new ones in Kingston Patch 6b. There are usually fewer than five fixes per security patch, but we reserve the right to include more fixes as required.
Hot Fix: Supports existing functionality within the release family with a targeted, specific problem fix. It may or may not include any previous fixes within the release family. It does not include new capabilities. For example, Kingston Patch 1 Hotfix 2 is part of the Kingston family.
Version: The specific level within each release family, e.g. Kingston Patch 5 is a patch version of Kingston. Patch versions are cumulative within a release family, i.e. Kingston Patch 5 contains all of the fixes in Kingston Patch 4 plus the additional fixes in Kingston Patch 5.
Target: The minimum version required to be installed for each supported release family.
Upgrades: Moving a customer's instance from one release family to another. For example, moving from Jakarta to Kingston.
Patching (also known as Updates): Moving from one patch level to another within a release family. For example, moving from Kingston Patch 2 to Kingston Patch 4.
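The version rules defined above (cumulative patches, incremental security patches, and a higher full patch that may lack the target's security fixes because of release timing) can be checked across an inventory of instances. The following is an added example, not ServiceNow code: the instance names, the inventory and the status labels are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Matches names as written in the glossary above, e.g. "Kingston Patch 6",
# "Kingston Patch 6a", "Kingston Patch 1 Hotfix 2".
_VERSION = re.compile(
    r"^(?P<family>[A-Za-z ]+?) Patch (?P<patch>\d+)(?P<sec>[a-z]?)"
    r"(?: Hotfix (?P<hotfix>\d+))?$"
)

class Version(NamedTuple):
    family: str
    patch: int
    sec: str     # "" for a full patch, "a"/"b"/... for a security patch
    hotfix: int  # 0 when absent; parsed but not used for comparison

def parse(text: str) -> Version:
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return Version(m["family"], int(m["patch"]), m["sec"], int(m["hotfix"] or 0))

def assess(installed: str, target: str) -> str:
    """Classify an installed version against the announced patch target."""
    inst, tgt = parse(installed), parse(target)
    if inst.family != tgt.family:
        return "different-family"  # an upgrade question, not a patching one
    if inst.patch < tgt.patch:
        return "below-target"
    if inst.patch == tgt.patch:
        # Security patches are incremental: 6b contains 6a, which contains 6.
        return "at-target" if inst.sec >= tgt.sec else "below-target"
    # A higher full patch is compliant, but release timing means it may not
    # contain the fixes from the target's security patch.
    return "above-target-verify-security-fixes" if tgt.sec else "above-target"

# Constructed inventory; instance names are hypothetical.
INVENTORY = {
    "dev": "Kingston Patch 5",
    "test": "Kingston Patch 6",
    "prod": "Kingston Patch 7",
    "legacy": "Jakarta Patch 9",
}

def report(target: str) -> dict:
    return {name: assess(ver, target) for name, ver in INVENTORY.items()}

if __name__ == "__main__":
    for name, status in report("Kingston Patch 6a").items():
        print(f"{name:7} {status}")
```

An instance flagged `above-target-verify-security-fixes` should be checked against the Release Notes for both versions before it is treated as carrying the quarter's security fixes.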
For questions related to the Patching Program, please submit them via your CHG record in HI or reach out to your Account Manager.