To explain reasons why some .NET Framework patches are classified as affecting OS versions while some as .NET versions by Shavlik
Even within the same bulletin ID, some patches are classified as affecting OS versions while some affecting .NET versions. For example, MS16-019 has two patches KB3122661 and KB3122646. Shavlik classified them as following:
KB3122646- OS patch
We look at the binary and not just the classification/bulletin description. Basically, if the .NET version is included in a certain OS, we classify it as affecting OS versions, or a OS patch instead of .NET product, or .NET patch, because it would affect all the OS which have the particular .NET version included. Normally, if you download a patch and it starts with windows then it's an OS patch. Even though the description and information page says the patch applies to .NET. Generally Microsoft will release the binary as an OS or a .NET depending if the default OS comes pre-installed or if you need to install .NET manually first.
Compare the file names for the two patches above and you will notice the difference. See file names defined by Microsoft for KB3122661 and KB3122646, we keep the file names unchanged:
So to explain the above example, Windows Vista comes with .NET 2.0 so since KB3122646 applies to .NET 2.0 on Vista, we classify it as an OS patch. On the other hand, .NET 4.6 does not come a certain OS, we classify KB3122661 as a .NET patch.
Shavlik Protect 9.X