Microsoft earns patching praise from IT execs

23.01.2006

Cisco and Sun don't follow a regular schedule for releasing patches and instead roll them out as the fixes for the flaws become available, which makes the patching process less predictable for users, analysts said. In addition, Cisco doesn't rate its flaws, leaving it up to IT administrators to decide how serious a vulnerability may be.

"Of all the vendors we deal with, Microsoft is one of the best in terms of the processes they have in place" for addressing security threats, Sutton said. That includes having formal procedures for vulnerability discovery and assessment, patch development, testing and automated distribution, as well as a predictable patching cycle, he said.

Microsoft has also shown a growing willingness to work with security researchers who discover flaws, according to users and analysts.

Because of such efforts, Gartner no longer believes that there is any difference as far as security is concerned between Windows Server 2003 and rival operating systems such as Solaris, HP-UX and AIX, Pescatore said. But, he added, the planned launch of Windows Vista later this year will be a key milestone in Microsoft's effort to prove that it has made real progress on improving its security procedures. "It will be the first desktop OS to ship after they said they are getting serious about security," Pescatore noted.

"Their biggest problem now is trying to get past all of the negative legacy perceptions," said Hugh McArthur, director of information systems security at Chantilly, Va.-based Online Resources Corp., which offers online banking and bill payment services to the financial industry. McArthur added that he would give Microsoft "an A for effort and a B+ for execution" on security issues.

Oracle's Strategy