When are security updates effective?
Files on the file system are updated by the apt[itude] and dpkg. But
Most server packages restart the services after upgrades. Most library
and desktop application packages don't.
Should the local adm take a look at each upgrade and manually check which
files changed on the Debian installation, and based on that restart services,
programs, kick users out, jump to run level 1 and back, reboot the system
etc as suggested by Securing Debian Manual ?
Could Debian security advisories help a bit, since the people making the
packaging changes propably know how to make the changes effective on a
running installation too?
It seems that Ubuntu advisories already contain a nice notice which
defaults to 'you need to reboot your computer to effect the necessary changes'
 unless the package in question can handle upgrades and 'a standard
system upgrade is sufficient to effect the necessary changes'  or the
package is just an application and 'you need to restart Firefox to
effect the necessary changes' .
For the record, SUSE advisories also contain this kind of
instructions  while Fedora  and RedHat don't . (The proprietary
up2date propably does some magic behind curtains.)
If the upgrades have a few standard ways to come effective, then
automation for them might be the next step. Has this been discussed