News

Microsoft's Security-Only Patch Process To Change

• By Kurt Mackie
• 12/08/2016

Microsoft on Wednesday said it's tweaking the patch process for older Windows environments this month.

The change involves how supersedence works with Microsoft's monthly update rollups for Windows 7, Windows 8.1, Windows Server 2012, Windows Server 2012 R2 and Windows Server 2008 R2. In October, Microsoft initiated a Windows 10-like servicing approach for those older operating systems that begins delivering patches as cumulative updates (called "rollups" by Microsoft), which means they contain all previous patches. This servicing model change eliminated the ability for IT departments to roll back individual patches. Instead, they can just roll back to the previous month's patch baseline.

It seems that some organizations applied the security-only rollups that Microsoft now issues under this new update rollup scheme. It was an approach recommended by patch management authorities outside Microsoft. However, these organizations subsequently found out that those security-only updates were being superseded (replaced) by a "quality" rollup (which includes security updates, too). This patch "supersedence" effect happened in October and November, Microsoft's announcement noted.

In effect, some organizations applying the security-only rollups got the OS quality updates that they may have planned to defer. Microsoft had suggested workarounds for management tools to avoid this supersedence issue, but some tools (such as Windows Server Update Services and System Center Configuration Manager 2007) lacked the flexibility to address it.

"This resulted in customers using WSUS or Configuration Manager 2007 being unable to deploy security only updates using the built in software update mechanisms without additional workarounds," Microsoft's announcement explained.

Microsoft has now adjusted this model in advance for next week's patch Tuesday (Dec. 13) delivery, so that the security-only updates won't get superseded.

"Based on feedback, the team has updated the supersedence relationship of updates so that Security Only updates are not superseded," Microsoft's announcement stated.

This change is behavior adds more flexibility for IT departments. Per the announcement, it will let organizations:

• Selectively install Security Only updates at any time
• Periodically deploy the Security Monthly Quality Rollup and only deploy the Security Only updates since then, and;
• More easily monitor software update compliance using Configuration Manager or WSUS.

Microsoft actually now releases various types of update rollups for Windows systems each month, along with .NET Framework updates. There's a security-only rollup, which gets released on the second Tuesday of each month ("patch Tuesday"). A monthly "quality" rollup that fixes software flaws plus security flaws gets released on the second Tuesday of the month. Lastly, there's a monthly rollup preview containing quality and security fixes that is designed for testing by IT pros, which gets released on the third Tuesday of the month.