ServiceNow Patching Program FAQsIssue The ServiceNow Patching Program (SPP) updates customer instances to required patch versions throughout the year with the latest security, performance, and functional fixes. Most importantly, patching remediates known security vulnerabilities and is an essential component of any patch management process. FAQs When will the Patching Program go into effect and replace the Quarterly Patching Program? The Patching Program is currently in effect as of January 2019. How is the Patching Program different from the former Quarterly Patching Program? The Patching Program enhancements give you scheduling predictability with one full patch version each quarter and two incremental security patches each quarter. The previous Quarterly Patching Program patched instances to a full patch version once per quarter. We will schedule patches mainly over weekends to minimize disruption to your business. How is the Patching Program scheduled? Approximately 10 days before the start of the quarter, ServiceNow sends each customer a communication announcing the minimum patch version (also known as the patch target) for each supported release family and the time frames when ServiceNow will apply the patch and subsequent security patches. You always have the option to move to a higher patch version or to patch earlier.In the first month of the quarter, ServiceNow patches all instances to the minimum patch version specified in the announcement. We will automatically schedule and update your instance(s) to that version.In the second and third months of each quarter, ServiceNow will patch security vulnerabilities. In this case, we will automatically schedule your instance(s) to be moved to the security patch version. ServiceNow will create Changes approximately one week in advance for non-production instances, and three weeks in advance for production instances. Again, you have the option to move to a higher patch version or to patch earlier.Security patches contain security fixes only and are built incrementally on the patch target versions. For example, if the patch target is Tokyo Patch 6, and the security patch is Tokyo Patch 6a, the difference between the two patch versions are the security fixes in Tokyo Patch 6a. Generally, the number of fixes in the security patches will be less than five, but we reserve the right to add more fixes if required. If an instance is not on the minimum patch version for the patching month, ServiceNow will automatically schedule and update your instance(s) in an additional patching program for the current patching month. How many times will a customer patch each quarter? ServiceNow will patch all customer instances to the required patch version within the first month of the quarter. We will automatically schedule these on your behalf. In the second and third months of the quarter, we will automatically schedule and update your instances to security patch versions. This equates to 3 applied patches, one full patch version, followed by two incremental security patches.If ServiceNow determines there is no security patch required in the second and/or third months of the quarter, you will be notified in the previous month. When will I be notified of the patching versions and schedule? Midway through the final month of a quarter, you will be notified of the Patch Targets for the coming quarter and a CHG will be scheduled to patch your instances to the appropriate Patch Target for your family. If a security patch is required, you will be notified and a CHG will be created at least 10 days prior to your first scheduled patch.For example, you should expect to see a communication and have your patch scheduled for January by mid-December. The February security patch should be scheduled during the final week in January. If an instance is not on the minimum patch version for the patching month, you will be notified and a CHG will be created at least 5 days prior to your scheduled patch. Can I opt out of the Patching Program? All hosted customers are automatically enrolled in and scheduled for updates through the Patching Program. Participation is mandatory given our shared cloud environment. What is contained in each patch? Am I testing a large number of fixes each month? You can expect to test a full patch version in the first month of the quarter. This patch contains security, performance, and functional fixes. In the second and third months of the quarter, only incremental security fixes will be deployed.The contents of each version (full patch or security patch) are described in the Release Notes on the Product Documentation site. What is the Patching Program and how is it different from programs focused on upgrades? Release Family upgrades provide enhanced or increased functionality by moving from one release family to another. The Unsupported Release Family (also known as End-Of-Life) Upgrades Program is an example of this.The Patching Program updates instances to a target version within the same release family; these updates contain security, performance, and functional fixes. Why was it necessary to modify the former Quarterly Patching Program? Our customers expect us to keep their business secure. One component of that is to patch instances regularly and often to protect against known security vulnerabilities. How will I receive notifications related to the Patching Program? ServiceNow will be sending notifications to your support contacts, listed in Now Support (HI), detailing the latest patch target and advising you to patch your instances as soon as possible. Update and maintain contacts listed in your company record to ensure that you receive important program-related notifications and that they are sent to the appropriate contacts.For more information on managing company contacts, see KB0547262: Managing company contacts on Now Support. Can I have parent companies, subsidiaries, or partners added to the communication list for patching? Yes. Any parent companies, subsidiaries, or partners can be added to the communication list on your company record in Now Support (HI) to receive patching notifications.Only the Customer Administrator can do this, see KB0547262: Managing company contacts on Now Support. For details, see KB0547446: How to add or remove company and partner notifications in HI What if I am on an unsupported release family – will I be part of the Patching Program? The Patching Program does not schedule patches on unsupported release families. ServiceNow maintains product support for supported release families only. Instances that remain on unsupported release families are scheduled for upgrade in accordance with our Unsupported Release Family Upgrades Program.For more information please visit KB0610454: Unsupported Release Family (End-Of-Life) Upgrades FAQ and KB0598977: Patching & Upgrades Program - Definition of Unsupported Release. Why is the patch target version lower than other available versions? The patch target version is chosen prior to the quarter’s notification and is purposely kept at that version during the first month of the quarter so that customers have time to plan and test that patch. Furthermore, the security patches are planned so that they are incremental to the patch target versions.As other full (non-security) patch versions are released, customers have the option to patch to them, potentially bypassing the security patches for that quarter. What options does a customer have around when to patch? Our multi-instance architecture allows customers to choose when to patch within the given month. At the same time, ServiceNow has the responsibility to keep all customers secure and functioning at a high level, so timeframes and version availability are strictly enforced. Can I reschedule a patch? After ServiceNow creates a Change record to patch your instance, that patch can be rescheduled within the given month. Example: Patch scheduled in month of July, can be rescheduled till 31 July.This is done through the Manage Instance dashboard on Now Support (HI). It is important to plan ahead and reschedule the patch as soon as possible to see the widest range of reservations available. What happens if my scheduled patching is during a change freeze? You can move your patching date within the allotted timeframe, provided a reservation is available. I am already in the middle of an upgrade – how will this affect me? An existing upgrade project can be accommodated if the upgrade is to a supported release family and to the latest patch target. How do I modify a ServiceNow patching change (CHG) to patch to a different version? If there are open patching or upgrade CHGs on your instance, you may modify the Target Version on the existing CHG to a supported version. Access the CHG Record through the Manage Instance dashboard.Case 1: If you are modifying a CHG to execute in the next 2 hours: Adjust the Target Version firstClick Update to save.Verify the desired version is listed, then adjust the Planned Start Date using the Reschedule Upgrade buttonClick Select to save for a second time. Case 2: If you are modifying a CHG that is already scheduled to execute in the next 2 hours: Push out the Planned Start Date a few days using the Reschedule Upgrade buttonClick Select to save.Adjust the Target Version > click Update to save for a second time.Then pull the Planned Start Date back in using the Reschedule Upgrade buttonClick Select to save for the third time. NOTE: if there are no existing patching or upgrade CHGs on your instance, you may schedule your own upgrade. What if our organization does not have enough time to perform full regression testing with each patch version? Patching involves shorter hops between versions within a family and is intended to be non-impactful. Security patches should require minimal testing since they contain a small number of very specific fixes.The Product Documentation site contains detailed information about the contents of each patch. For best practices related to patching and upgrades, see Upgrade your instance (Utah). What else can I do to prepare for patching? If you are self-scheduling your patching, patch and test your non-production instances ahead of your production instances. Where can I find information about the latest patch? Release notes are available on the ServiceNow Product Documentation site. Where can I find more information about the security patch content? In order to protect our customers, we limit the information we make available regarding our security fixes. We do not advertise them publicly as that may risk them being exploited once people are made aware of them.All available security patching information can be found in the release notes on the ServiceNow Product Documentation site. What patch versions will security patches be created for? Security Patches will only be created for supported release families. Prior to the start of each quarter, we will announce a "Patch Target" for each supported release family.In the event that a security patch is determined to be necessary, it will be added to these Patch Targets and deployed to customers in months 2 and 3 of the quarter. Why does the security patch target have a fix that is not contained within a higher patch version? Am I still compliant on the higher patch version? Based on release timing, there are times when a security fix is identified after the next full patch version is released (e.g. Tokyo Patch 6a may have a security fix that is not included in Tokyo Patch 7). The higher patch target is still compliant with our Patching Program and provides the latest performance/functional fixes at the time of release; however, if it happens to miss the security fixes from an earlier version based on timing, it will be included in the next full patch target and we will patch these customers the following quarter for the next round of patching.The Patching Program is designed to patch the majority of customers to our monthly targets, so we build security patches on top of the full patch target from Month 1 of the quarter since that's where the majority of customers will be. How come I cannot patch from the latest security patch target to the next highest patch version? In some cases, customers with instances on the latest security patch target may not be able to patch to a higher version (e.g. patching from Tokyo Patch 4a to Tokyo Patch 5). This is due to release timing - see explanation in the question above.In such a case, customers will not be able to see the higher patch as an available version in the Now Support (HI) Service Portal. Instead, they can wait for the next higher patch to release (e.g. Tokyo Patch 6) or wait to be scheduled by the next round of the Patching Program. Where can I find additional information about what is included in a patch and specific guidance on where to focus our testing? Refer to our Product Documentation site and refer to the Release Notes for each patch for information on included fixes. What happens if a patch does not execute properly? If a patch does not execute correctly by the end of the Change (CHG) window, our monitoring will catch the issue. ServiceNow Customer Support will create a case on your behalf and begin the troubleshooting process.We encourage you to monitor the progress of your patch and, if there is an issue with the patching or an issue with your instance after the patching process, please contact ServiceNow Technical Support. Will the patch cause an outage or service disruption? No. Your instance remains online during patching. Some performance impacts may be observed, but there should be little to no impact after a patch has been applied. In the unlikely event of an outage or service disruption, please contact ServiceNow Technical Support. How do I monitor the progress of my upgrade? While a patch or upgrade is in progress the Upgrade Progress shows what the upgrade process has done, what it is doing, and what remains to be done. Will ServiceNow patches contain added functionality? As a policy, ServiceNow does not allow new capabilities or functionality in patches. Capabilities and functionality changes are reserved for new family releases. We have done this to give our customers confidence in our patches being non-disruptive to their business. name="28"> During the patching process, who is responsible if a patch breaks business functionality? ServiceNow is responsible for base functionality being patched without issues. We are not responsible for customization. That said, we do extend support and help where we can on customizations, so please contact ServiceNow Technical Support. In addition, the ServiceNow Community is a fantastic resource to get quick answers on customizations. What if I am a customer with on-premise instances? For customers with an on-premise instance, ServiceNow will be sending notifications to your support contacts, listed in Now Support (HI), detailing the latest patch target and advising you to patch your instances as soon as possible. Update and maintain contacts listed in your company record to ensure that you receive important program-related notifications and that they are sent to the appropriate contacts.For more information on managing company contacts, see KB0547262: Managing company contacts on Now Support.Related LinksFor all further questions related to the Patching Program, please submit via your company assigned Change Request, or reach out to your Account Manager. Standard Definitions Release Family A release family is a complete solution including new capabilities that customers can implement to add value to their organization. The release family also incorporates available fixes to existing functionality. Patch A patch supports existing functionality within the release family with a collection of problem fixes and generally does not include new features. Security Patch Security patches support existing functionality within the release family with specific security fixes. These fixes are incrementally added to the patch version. For example, Quebec Patch 6a is a security patch that contains security fixes added to Quebec Patch 6. Similarly, Quebec Patch 6b contains the fixes in Quebec Patch 6a plus the new ones in Quebec Patch 6b. There are usually less than five fixes per security patch, but we reserve the right to include more fixes as required. Hot Fix Hot fixes support existing functionality within the release family with a targeted, specific problem fix. It may or may not include any previous fixes within the release family. It does not include new capabilities. For example, Quebec Patch 1 Hotfix 2 is part of the Quebec family. Version A version is the specific level within each release family, e.g. Quebec Patch 5 is a patch version of Quebec. Patch versions are cumulative within a release family, i.e. Quebec Patch 5 contains all of the fixes in Quebec Patch 4 plus the additional fixes in Quebec Patch 5. Target A target is the minimum version required to be installed for each supported release family. Upgrades Upgrades involve moving a customer instance from one main release family to another. For example, moving from Rome to San Diego. Patching (also known as Updates) Patching involves moving from one patch level to another within a release family. For example, moving from Rome Patch 2 to Rome Patch 3.