Example Patch Policy (FreeBSD)
Security-critical information should be forwarded immediately (i.e. to your database)
Define services / ports that are "local" and "remote"
For remote ports:
- If a configuration fix is available, apply it immediately.
- If a configuration fix is not available, do a recursive portupgrade for the port.
- If the system is critical, no fix is available and kiddies are exploiting it, prepare to switch to a different port (e.g. temporarily switch to lighty if Apache is bugged).
- Consider having a working minimal config in place, just in case.
For local ports:
- If it concerns web-related, exploitable stuff (PHP, graphics libraries like libjpeg), update recursively immediately.
- Fix everything else after a reasonable time.
- Keep downtimes short by automatically downloading and building in advance!
- Run automatic backups before your update
- Use failover servers or binary updates
Update Base 2 times a year
Update Ports 6 times a year - stop service, apply new packages, start service
Update Base 4 times a year
Update Ports 6 times a year.
Always: Update Ports providing important services if any of them falls more than 6 minor versions behind the stable upstream version.