Bill Campbell wrote:
That sounds like the kiss of death for any critical service. Can't it figure out ahead of time that this is going to happen and let the service keep running unchanged with a warning message about needing the update instead?
You're missing the point. If the service is already running, the changes won't take effect until you restart the service with the new binaries. And the whole patching exercise is what maintenance windows are for, anyway. Note that it's critical SERVICE, not critical SERVER. The former is more important than the latter, so ideally you should be able to take down the latter in order to upgrade one implementation of the former.
I understand the distinction very well. In the time we have been using this method, we have never taken down a service for any significant period of time (the services are restarted on installation by the RPM SPEC files' %pre, %post processing).
Of course we don't do things that are likely to take a critical service down without proper prior planning (often found out the hard way on our own systems :-). If an update is likely to have an impact on operations, it is scheduled during a maintenance window.
In other words, you've dedicated sufficient human resources to undo whatever damage the package management system causes...