
Changes to Windows Update supersedence

Microsoft revealed a couple of days ago on TechNet that it plans to change how Windows Update supersedence works on Windows 7 and 8.1, and Windows Server 2008 R2, 2012, and 2012 R2.

The company started to publish so-called rollup updates for the mentioned operating systems in October.

This was a major change for several reasons. For one, instead of having the luxury to install individual updates, all-or-nothing was the motto of the day.

This was problematic, as it changes how bugs are addressed. Previously, if an update caused an issue, you could remove that update to address it. With the new update scheme, all you can do is uninstall the whole rollup with all patches, even those that are not causing any issues on the system.

Imagine having to remove all security patches of a month because one causes issues on your system. You may leave a computer system running Windows wide open to attacks.

But that was not the only issue; Microsoft decided to release a security only update rollup, and a rollup image containing security updates and other updates.

I called the terminology that Microsoft uses to describe these updates atrocious. The company calls "security only" updates "Security Only Quality Update", and the all-encompassing updates "Security Monthly Quality Rollup".

Windows users have three options when it comes to updates: 1) install only security rollups, 2) install security and non-security update rollups, or 3) block all updates.

The supersedence issue

November

The idea was that if you only wanted security updates, you would install those rollup patches and be done with it.

Turns out, this did not work for customers using WSUS or Configuration Manager 2007.

While the security-only updates and the security and non-security rollup updates installed fine in October, the following happened in November when the new batch of updates was released:

  1. The Security-only rollup update of October 2016 was superseded by the security and non-security rollup update in November.

This meant that customers could not install security-only rollup updates on their machines if they used WSUS or Configuration Manager 2007, at least not without workarounds.

This meant that the October 2016 Security only update, the October 2016 Security Monthly Quality Rollup update, and the November 2016 Security only update were all superseded by the November 2016 Security Monthly Quality Rollup update.

The Fix

December

The fix removes security-only update supersedence. This has a couple of advantages, including that it fixes the issue that company customers experienced in November 2016.

Companies may install security only updates at any time, and in any order. They may furthermore install security monthly quality rollup images in select months without affecting installed or future security updates.
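
One way to check how a WSUS server currently classifies these updates (an added example, not code from Microsoft or from the original article): the script lists every update whose title contains "Security Only Quality Update" that WSUS still marks as superseded, together with the updates that supersede it. It assumes it runs on the WSUS server itself, or on a machine with the WSUS administration console installed, and that update titles contain that phrase.

```powershell
# Added example: audit WSUS for security-only updates that are marked superseded.
# Assumption: run locally on the WSUS server (or a host with the WSUS admin
# console), under an account that is a WSUS administrator.

# Load the WSUS administration API and connect to the local update server.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Relationship used to ask "which updates supersede this one?"
$supersededBy = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate

# Assumption: security-only updates are identified by this phrase in the title.
$titleFilter = '*Security Only Quality Update*'

$report = $wsus.GetUpdates() |
    Where-Object { $_.Title -like $titleFilter -and $_.IsSuperseded } |
    ForEach-Object {
        $update = $_
        # Titles of the updates that WSUS metadata says replace this one.
        $replacements = $update.GetRelatedUpdates($supersededBy) |
            ForEach-Object { $_.Title }

        [pscustomobject]@{
            Title        = $update.Title
            IsApproved   = $update.IsApproved
            IsDeclined   = $update.IsDeclined
            SupersededBy = $replacements -join '; '
        }
    }

if ($report) {
    # Any row here is a security-only update that cleanup rules or
    # "decline superseded" maintenance could remove from deployment.
    $report | Sort-Object Title | Format-Table -AutoSize -Wrap
}
else {
    Write-Output 'No superseded security-only updates found.'
}
```

An empty result after the server has synchronized the revised metadata is what the fix described above should produce; remaining rows show which rollup is still recorded as replacing a security-only update.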

Microsoft on fixing bugs in security-only updates

I asked back in October how Microsoft was going to address issues found in security updates. This was an important question for Windows users and administrators who install only the security-only updates on machines.

Would Microsoft release updates for the security-only update to address the issue, or would it release the patch as part of the security monthly quality rollup?

Scott Breen shed some light on the question. According to him, Microsoft will decide the course of action on a case by case basis.

The company may release a revision for the security update to address the issue.

If a problem with the update itself is identified and not a known issue, a revision of the update might be released which resolves the problem. As I said, case-by-case.

While that is one option, Microsoft did something different for issues identified in security patch MS16-087. It addressed the issue in the November Security Quality Monthly Rollup, but not in the Security-Only Rollup for the month. 

This article was first seen on ComTek's "TekBits" Technology News
