Upgrading to 5.5.2 - the story of second server

Hello all,

I have taken the liberty to start a thread here in Recommended Reads following up, as I touted, with the story of the second upgrade.
To begin with, I did it in somewhat presumptuous manner - the first upgrade was a cinch, it's anyway the umpteenth time I upgrade, servers are pretty identical, what should happen I can't handle? Thought I could do it on the side.

Started setup.exe, all green, .NET had to be installed ... done, rebooted.

Installer resumed, again all green, installed the Database, the new Credential Store. Knowing the server install will take some time I decided to something else after it had started. I was mildly surprised that the progress bar hadn't progressed when I checked after about half an hour - on the other server it had taken slightly more than five minutes. Well, who knows what these virtual machines do all the time. ten minutes later still no change.
Task Manager showed some obscure installer component apparently in a tight loop, burning a whole CPU. Rats! Been there - it's bad. There's AFAIK no graceful exit, all you can do is to kill the install. There's also no feedback to the driving process (setup.exe in this case) so it can't roll it back. The MSIs are safe though, i.e.  fragments from an interrupted install would not cause a new attempt to fail so the missing rollback is not a problem. Of course the already uninstalled existing version isn't reinstalled (this wouldn't be of much help anyway).

Insertion: Some remarks regarding the SEC Installer and its behaviour
The SEC Installer installs or upgrades three main components, indicated by the Sophos Management prefix: Database (D), Server (S), and Console (C). They are installed in this order, and Database and Server install additional (sub-)components (most notably SUM, the Sophos Update Manager). While other parts are cross-version compatible these three - while in principle independent - have to be at the same version. Then why are there three instead of one? The Database is a distinct component to facilitate the use of a non-local database. And it's only reasonable that a Remote Console and its install is not different from a local one.
setup.exe's workflow depends on the version of its MSIs, the version of the installed components, and the DatabaseConnectionMS (DBC) registry value.
• if no component is installed and DBC is absent it prompts you with all products selected, you can choose which ones not to install
• if DBC is there but neither component installed it assumes D is already installed remotely, you can unselect S or C
• if more than one component is installed they must be of the same version, otherwise the bootstrapper aborts
• if the installed and MSI version is the same the path is modify (if e.g. D is not installed) or repair otherwise it's upgrade
End of insertion

So the status was D 5.5.2, S absent (as 5.5.1 had been uninstalled), and C 5.5.1. This is covered by Scenario 3 in Sophos Enterprise Console: Installer has detected different versions of the components installed (interestingly it doesn't tell you how to deal with Scenario 4 ... hm). No sweat, been there, one might have encountered this when Encryption was retired. Uninstalled D using  Programs and Features, started setup.exe... said it would upgrade C. Huh? Of course, D and S are not installed, as there's just C it will be upgraded, can't select S at this point. Let it finish and then run setup.exe again ... complains it can't continue. What, no access to the Sophos Credential Store? Oh, correct - I hadn't logged off since installing D that also installed the CredStore. so the group membership was not yet in effect.
Logging off and on,  run setup.exe, select D and S. Wrong!,  Database install fails because ... SophosSecurity is already there. Of course, I forgot to reinstall D from the command line. This also failed??? Ok, this is what you get when you copy the command from the Sophos_Database64msi log (so that you don't have to edit the command from the article) and forget to add the CREATE_DATABASES=0.
Done, now setup.exe, warns me I should reboot, I choose to ignore it. D and C are there, select S ... Installer gets stuck at the same point as initially but without the looping obscure component. Still I have to kill it. Reboot.
Again select S, Installer installs (note that it processes or reprocesses all components), Finish page (with logoff), log on, Console opens ... no it doesn't. Another try - nope. Management Service terminated due to an unspecified error. Great! Nothing obvious ... UpgradeDB.exe to the rescue! No complaints, upgrades without error, afterwards the console runs as it should.

Enthralling afternoon. Mind you, the initial loop was very likely a glitch and even though subsequently a hang occurred at or near this point I don't think that the MSI or the Installer database were at fault. I could have done better afterwards. But all in all even though two-and-a-half hours elapsed I spent less than 15 minutes of my time with it [;)] 

Christian