When last we left our intrepid release manager, we had a Bill of Materials for all of our SKUs. Now the development team has finished writing and testing the code - what else is there to do, you ask?

Plenty! First, in order to get the software team to the point where they even can sign off, there are new checkpoints we have to make sure we address.

The first is Security - it's no secret that Microsoft has laser-like focus on Security in our products and for our customers right now. Of course, sometimes that laser like focus means running around with a big hammer.

There is now a mandatory start-to-finish security process called the Security Development Lifecycle (SDL). It's a process all teams at Microsoft have to follow for all products we release. It includes making sure we run a variety of security tools on our code and on our installs, doing threat models of potential exploits, and reviewing all of our bugs to make sure we haven't missed anything that has a potential security impact. During this entire process we have a security "buddy" whose basic job is to make my life a living hell - constantly asking questions and pushing back - it's a good role to have if you like being a constant pain... :-)

Nothing can ship without sign off from the Security team that they are satisfied with the process and decisions we've followed.

In addition to the security sign-off, there are several other required compliance issues we need to check off on. For example, insuring that we are in compliance with the US DOJ consent decree, that we have the proper regulatory steps taken care of, etc. etc.

OK, so now we've made sure that we're not doing anything bad or wrong. How on earth do you actually get this thing to customers?

Well, once we have a final build that the development team has signed off on, we burn a set of "master media". These CDs are marked with the SKU, part #, language, build, and other info to make sure they don't get mixed up. The media are handed to our Build Verification Test team, who runs through an install from the master CDs and runs a set of tests on them to make sure nothing obvious is wrong with the CD or build or any last minute problems haven't cropped up.

Once the BVT team has completed their install, the CDs are then handed off to our media verification team. This team runs a separate install while also noting the CRC value of each CD and other verification tests.

While this testing is going on, the build team has already had all of the binaries signed by the Microsoft corporate certificate (so they are authentic Microsoft bits) and submits the build to a virus-scan test and also a check to make sure we are in compliance with the Sun MSJVM settlement.

Once all that is done, the master CDs are submitted back to the release management team with the sign-offs. The CDs are now ready to be released.

If a DVD is included, there is an additional process. A DVD ISO is released to a share, and a DLT tape creation request is submitted to our MS Studios team. They create a DLT tape which we pick up within 24 hours.

In the old days, this meant taking each CD to our Release Services Lab and submitting each one by hand physically. For a product like SBS, where for each language we might be submitting 20+ CDs, that would be something like over an hour to stand in the hallway and turn them in one at a time.

Now we can utilize electronic ISO handoff for CDs (DVDs still require a physical DLT tape to be submitted). The Build team, when creating the master media, created identical ISOs and put them in a separate share. My team checks that the ISO CRC matches the master media CRC, and then can copy the ISO to our Release Services Lab. Once those are submitted, a sign-off request mail goes to our Release Manager (me) and our Test Manager to sign-off that these CDs are OK to go to customers world-wide.

Once the sign-off is done, the Release Services lab performs a set of their own processing checks, and occasionally an ISO gets dumped out for some error (usually a file copy error). Once they sign off, the part goes into a "Released" state and can be picked up by anyone with access to the Microsoft Release database.

Since usually the software is the last thing to be released, once all of the CDs for a BOM are released, the BOM for that SKU goes "live", meaning production can start. Our operations team notifies our manufacturing team, and once the SKU is released they can begin the manufacturing process that starts churning out boxes.

For web downloads, the process is similar but slightly different. The download bits are posted to our Downloads Management Tool, where again we have to sign-off on compliance (it has a EULA, we're not shipping MSJVM, we ran a virus-scan, etc.). Once submitted, again a sign-off is required, and the bits are then propogated worldwide and released.

So, that's first why the download bits are always available prior to the physical media. Once the CDs are released, we have to manufacture the parts and ship them to our distribution centers around the world. We have operations centers in North America, Europe, and Asia which handle the SKUs for the languages in that area (English is utilized worldwide). The whole process usually takes 6-8 weeks to make it out to you, the customer.

This is also why the release management team usually engages in some heavy celebration after the big party. :-)

So now if anyone asks what the heck RTM means or why it takes so long to get a piece of software even after Microsoft "releases" it, you can help them understand.

Hope people found this useful/interesting. I've certainly learned a lot going through this in the last few years.