I work in an IT group for a financial services company. We don't have a stellar CM process, but I am working to improve it (which is part of why I was recently hired there). We have purchased software, as well as in-house software we develop.

My biggest challenge with trying to improve our internal CM process is that we have a third party tool that is heavily customized for us. We receive "hot fixes" for bugs, roll-up packages of all hot fixes, and new code for new releases. There seems to be no organization to what we receive from this third party vendor; some examples: 1) they will email a hot fix and reference the defect number; 2) they will provide a roll-up package that we can apply, but there is no real way to verify if all prior hot fixes are included so a whole lot of defect re-testing occurs; 3) they send a roll-up package, but in the meantime have fixed another bug, so now there are additional scripts to run after the package is applied.

Couple all of this with the fact that our test environments are shared with a UAT group, so we cannot easily bring down an entire environment to take a day to verify the packages.

Some of my initial thoughts are to use SourceSafe (which we do use already) and actually check in and version every single hot fix and package we receive from the vendor...although that is nice, it doesn't really buy me all that much. I was also thinking of the obvious rules of engagement such as rules governing what we will and will not accept (e.g., no more hot fixes) and when we will and will not accept it (e.g., we apply packages on Tuesdays and Fridays). I need to be careful with this though because this is a drastic change for this group.

Keep in mind that I'm still fairly new at my company and we will always have the emergency need for a hot fix for critical defects. Also keep in mind that the project manager has a lot of pull in decisions, so I need to go easy with implementing a new, very strict process.

So, I will stop babbling now...any thoughts on CM processes for third party vendors who don't seem to have their own - and it's negatively affecting us?