Security Quality Rollup Confusion – Windows Updates

Since October 2016, Microsoft have updated their Windows Updates model (for Windows 7, 8.1, Server 2008 R2 SP1 and Server 2012 R2) to a more cumulative approach. To their credit, they had this communicated months before it started, and the word got around long before the first patch rolled out.

At the time I talked to Tom Walat who was reviewing what people thought of this model. There’s been a bit of confusion and changes in the model, including a new one for February 2017 where Internet Explorer will be seperated and have it’s own rollup. If you manage WSUS, you need to be across these changes.

There’s a great detailed blogpost on TechNet about the history and changes, as well as this really useful table:

Windows Updates for 7 and 8.1 table for Feb 2017 (source)

Here;s the TLDR version which is still long, sorry;

Since October 2016 to January 2017, there has been two main update rollups – a Security Monthly Quality Rollup which contains ‘all the patches’. In WSUS, this will have a name like “January, 2017 Security Monthly Quality Rollup for Windows 7”. There is a separate rollup for Windows 7, 8, Server 2008 R2 and 2012 R2. These are cumulative – each Rollup includes all previous rollup patches, but nothing that’s before October 2016. This is the recommended package.

There’s also the similarly named Security Only Quality Update which has just been ‘all the security patches’. This will have a very similar name, e.g. “January, 2017 Security Only Quality Update for Windows 7” again having a separate update for each OS. These are not cumulative, and each needs to be installed seperately. These updates are only required if you’re not doing the monthly rollup for some reason (e.g. one of the updates breaks something in the rollup).

Those both included Internet Explorer, but as of February 2017 that will be it’s own separate set of updates. The IE update set will be cumulative – including all older updates in each new package.

That separate IE set of patches is the Cumulative Security Update for Internet Explorer will be cumulative like the Rollups, where you only need the latest one.

These are big changes and it’s worth getting your head around it all – the end goal is to have only monthly updates for anything older than Windows 10.

There may be future changes as to how this model works, so make sure you keep up to date with what Microsoft is doing in this space.

Leave a Reply