Reasons Why Some .NET Framework Patches Are Classified as OS Patches While Some as .NET Patches by Shavlik

Version 2

    Purpose

     

    To explain the reasons why Shavlik classifies some .NET Framework patches as affecting OS versions and others as affecting .NET versions.

     

    Description

     

    Even within the same bulletin ID, some patches are classified as affecting OS versions while others are classified as affecting .NET versions. For example, MS16-019 has two patches, KB3122661 and KB3122646. Shavlik classified them as follows:

     

    KB3122661 - .NET patch


     

    KB3122646 - OS patch


     

    Cause

     

    We look at the binary and not just the classification or bulletin description. If the .NET version is included in a certain OS, we classify the patch as affecting OS versions (an OS patch) rather than the .NET product (a .NET patch), because it affects every OS that has that particular .NET version included. Normally, if you download a patch and its file name starts with "Windows", it is an OS patch, even though the description and information page say the patch applies to .NET. Generally, Microsoft releases the binary as an OS patch or a .NET patch depending on whether the OS comes with .NET pre-installed by default or you need to install .NET manually first.

     

    Compare the file names of the two patches above and you will notice the difference. See the file names defined by Microsoft for KB3122661 and KB3122646; we keep the file names unchanged:

    https://www.microsoft.com/en-us/download/details.aspx?id=51072

    https://www.microsoft.com/en-us/download/details.aspx?id=50842

     

    To explain the above example: Windows Vista comes with .NET 2.0, so because KB3122646 applies to .NET 2.0 on Vista, we classify it as an OS patch. On the other hand, .NET 4.6 does not come with a certain OS, so we classify KB3122661 as a .NET patch.

     

     

    Affected Product(s)

     

    Shavlik Protect 9.X