Microsoft Breaks Down Confusing SharePoint Patch Process
Microsoft this week provided insight to its SharePoint Server 2013 patch process.
The occasion for confusion, prompting Microsoft's clarification, was the release of the August Cumulative Update (CU) for SharePoint 2013. The August CU came with a caveat about having to install the July CU first. That led SharePoint experts, such Microsoft MVP Todd Klindt, to say that the August CU really wasn't a cumulative update after all.
"This [August] CU is NOT Cumulative," Klindt wrote in a blog post. "It does NOT include the patches from the July 2014 CU. To get all fixes install [SharePoint Server 2013] SP1, the July 2014 CU, and then the August 2014 CU."
(Microsoft had originally released Service Pack 1 for SharePoint Server 2013 in late February or early March, but a software flaw caused problems for some users, who couldn't get subsequent cumulative updates. Microsoft rereleased SP1 in late April.)
Klindt's claim that the August CU was not cumulative made quite a lot of sense at the time. How could a cumulative update in August not include updates from the previous months? Apparently the confusion was widespread, prompting a "SharePoint patching demystified" post on Tuesday by Stefan Gossner, a Microsoft senior escalation engineer for SharePoint. In that post, Gossner reaffirmed that the August CU is a cumulative update.
"After release of August 2014 CU I read several statements that August CU is not cumulative - but that is not correct! SharePoint fixes are always cumulative!" Gossner wrote.
Gossner's explanation for why the August CU is cumulative has two facets. The first idea is that SharePoint gets released in parts or "independent components" for aspects such as "Search, Excel Services, Web Content Management, Document Lifecycle," and other components needed to make SharePoint work. But not all of those components get fixed each month (Microsoft now releases its SharePoint Server cumulative updates on a monthly basis, instead of on a bimonthly basis, as Microsoft explained last month).
This notion that some SharePoint Server components get fixes in a cumulative update while others do not seems to turn the meaning of "cumulative update" on its head. According to Gossner's explanation, though, components fixed in a particular cumulative update contain the past fixes for that component throughout the year. However, if a component wasn't fixed in a particular cumulative update release, then you don't get the past fixes for that component for the year -- or something like that.
The second facet to this explanation is an exception to this rule, namely the so-called "uber package," which apparently is a new term from Microsoft. An uber package usually gets distributed with SharePoint Server cumulative updates but it didn't get shipped with the August CU because of the faster cumulative update release cycle that Microsoft initiated last month.
The Missing Uber Package
What is an uber package? It seems to be a cumulative update on its face, but it's actually more like a "mini-service pack," according to Gossner.
"The 'Uber' packages which are usually released with each CU not only include patches for the components updated in the current CU but also all patches released for other components of the product," he wrote. "So they are very similar to a mini service pack."
It's not clear when Microsoft started using the term, "uber package," but despite the "uber" name, "service packs" are more encompassing (see chart). Service packs are especially relevant for IT pros because they set a new "service baseline" for the server installation, and they are required to get subsequent updates for the product. Gossner explained that service packs are required even though cumulative updates may contain all of the fixes in a particular service pack. Cumulative updates are a special case, though, because they support two patch baselines. Cumulative updates support "the previous service pack for 12 more month[s] after releasing a service pack," according to Gossner.
Microsoft's "standard terminology" page for its updates defines a service pack as "a tested, cumulative set of all hotfixes, security updates, critical updates, and updates." The page doesn't describe an uber package at all. In addition, the definition of a cumulative update is missing from that list. A cumulative update appears to a collection of previous "update rollups" for the year. An update rollup, in turn, is a collection of fixes that are released each month, which can contain security fixes or not -- at least that's what Microsoft seemed to have meant when it described its update rollups last year. Microsoft's actual description of an update rollup in its standard terminology page adds to the confusion because it throws in the word, "cumulative."
"Definition [of an update rollup]: A tested, cumulative set of hotfixes, security updates, critical updates, and updates that are packaged together for easy deployment," Microsoft's standard terminology page states.
Gossner also provided the definition for a "public update." It's a subset of a cumulative update that Microsoft intends for all users.
"Public Updates are also cumulative updates -- but [they] only include those packages which include updates which should be distributed to all customers," he wrote.
Public updates get released monthly, but they may not include past updates for all of SharePoint's components, Gossner warned. In addition, because public updates and cumulative updates use different Knowledge Base article numbers, Windows Update may not recognize that fixes in a public update were applied in a cumulative update, he explained.
Gossner also talked about potential patch-numbering disparities. He explained that a patch number described in a particular Knowledge Base article may differ from the patch number seen in the SharePoint administrative console. The reason for the disparity is that the console only shows the SharePoint Foundation component, he explained.
In a nutshell, it appears that IT pros who patch SharePoint Server 2013 will have to learn to recognize when Microsoft does and does not release an uber package. If they don't see an uber package mentioned, then they had better have service packs and cumulative updates installed to date. Otherwise, they risk not getting future updates, in all of their various forms.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.