Microsoft Patching Changes Starting In October 2016 and Rollup Naming Conventions October 2016 through March 2017

Version 17

    Purpose

     

    This document is an overview of the servicing model changes starting in October 2016 and how they will affect patching via Shavlik Protect.

     

    Overview

    The Shavlik Patch Tuesday Webinar for October 2016 covers these changes in depth. The webinar can be found and watched here: http://www.shavlik.com/patch-tuesday/

    This document reflects our current knowledge of the servicing changes and how we have implemented them. The new naming conventions introduced in April 2017 are discussed in the article "Microsoft Security Bulletin naming convention change April 11th, 2017".

    On October 11th, 2016, Microsoft introduced a new patching model. This new model is meant to simplify patching by using rollups. The main rollups are as follows:

     

    Monthly Security Only Bundle - This is flagged Security in Protect

    Monthly Security Quality Rollup - This is flagged Non Security in Protect

    Monthly Security Quality Preview - This is flagged Non Security in Protect

     

    These rollups come in 3 different KB numbers: one for Server 2008 R2 and Windows 7, one for Server 2012, and one for Server 2012 R2 and Windows 8.1.

     

    Windows 10 and Windows Server 2016 will continue to be serviced with Cumulative Updates.

     

    Currently, Windows Vista and Server 2008 will not be moved to the Windows rollup model, as mainstream support for these operating systems has ended. They will receive .NET Monthly Rollups, however.

     

    Installing a rollup updates only the out-of-date components covered by the rollup.

     

    Some .NET updates have also been added to the Security Only and Monthly Quality rollup model, with security updates being present in both, and non-security updates being present only in the Monthly rollup. However, there are also .NET updates being released as standalone rollups that apply to these operating systems. You may be offered both depending on your system configuration.

     

    Rollups

     

    Security-only bundle

    • A single update containing all new security fixes for that month
    • This (like all updates) will have a unique KB number.
    • This security-only update will be released on Update Tuesday (commonly referred to as “Patch Tuesday”), the second Tuesday of the month.  (This is also referred to as a “B week” update.)
    • This update is set to "Critical" severity in Protect.

    Monthly security and quality rollup

    • A single update containing all new security fixes for that month (the same ones included in the security-only update released at the same time), as well as fixes from all previous monthly rollups.  This can also be called the “monthly rollup.”
    • This (like all updates) will have a unique KB number.
    • This monthly rollup will be released on Update Tuesday (also known as “Patch Tuesday”), the second Tuesday of the month.  (This is also referred to as a “B week” update.)
    • This update is set to "Critical" severity in Protect.

    Preview of the monthly quality rollup

    • An additional monthly rollup containing a preview of new non-security fixes that will be included in the next monthly rollup, as well as fixes from all previous monthly rollups.  This can also be called the “preview rollup.”
    • This preview rollup will be released on the third Tuesday of the month (also referred to as the “C week”).
    • Starting in early 2017 and continuing for several months, older fixes will also be added to the preview rollup, so it will eventually become fully cumulative; installing the latest monthly rollup will then get your PC completely up to date.
    • This (like all updates) will have a unique KB number.
    • This update is set to "None" severity in Protect.

     

    Detection Notes

     

    In Protect, if you install the Monthly Quality Rollup and then scan for the Security Only rollup, the Security Only rollup will show as effectively installed.

     

    With WSUS or MBSA, if you install the Monthly Quality Rollup and then scan for the Security Only rollup, the Security Only rollup will show as missing and be offered.

     

    According to Microsoft, this is expected behavior, as outlined in the KB articles for Monthly Quality updates, such as this one for Server 2012 R2: https://support.microsoft.com/en-us/kb/3185331

     

    The relevant text:

     

    The security fixes listed above that are included in this security update 3185331 are also included in this October 2016 month’s Security Only Quality Update 3192392, which only includes those fixes. Installing either update will include the security fixes listed above and the Security Monthly Quality Rollup also includes improvements and fixes from previous Monthly Rollups.

     

    If you use update management processes other than Windows Update and automatically approve all Security updates classifications for deployment, note that both the Security Only Quality Update 3185331 and the Security Monthly Quality Rollup for the month 3192392 will be deployed. We recommend that you review your update deployment rules to ensure the desired updates are deployed.

     

    Shavlik has tested this and confirmed that no files are updated when manually installing the Security Only after the Monthly Quality Rollup has been installed, which is why we will detect the Security Only update as effectively installed if the Monthly Quality Rollup has been installed.
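
    The detection difference described above, sketched as an added example (this is not Shavlik Protect's code or detection logic). It contrasts a presence-only check with an "effectively installed" check; treating a later Monthly Rollup as covering earlier months' Security Only updates goes beyond the single October case on this page and follows from the rollup definition in the Rollups section. The November KB identifiers, OS family labels and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Update:
    kb: str
    month: str   # release month, "YYYY-MM"
    kind: str    # "security_only" or "monthly_rollup"
    os: str      # OS family the KB applies to (label is an assumption)

# KB3192392 / KB3185331 are the October 2016 pair quoted on this page.
# The November entries are constructed placeholders, not real KB numbers.
CATALOG = [
    Update("KB3192392", "2016-10", "security_only", "2012R2-8.1"),
    Update("KB3185331", "2016-10", "monthly_rollup", "2012R2-8.1"),
    Update("KB-SO-NOV-PLACEHOLDER", "2016-11", "security_only", "2012R2-8.1"),
    Update("KB-MR-NOV-PLACEHOLDER", "2016-11", "monthly_rollup", "2012R2-8.1"),
]

def literal_status(kb, installed):
    """Presence check only: the behavior the page reports for WSUS/MBSA."""
    return "installed" if kb in installed else "missing"

def effective_status(kb, installed, catalog=CATALOG):
    """Treat a Security Only update as satisfied by a covering Monthly Rollup."""
    if kb in installed:
        return "installed"
    target = next((u for u in catalog if u.kb == kb), None)
    if target is None or target.kind != "security_only":
        return "missing"
    for u in catalog:
        # A rollup covers the Security Only bundle of its own month and, being
        # cumulative, of earlier months, but only for the same OS family.
        if (u.kb in installed and u.kind == "monthly_rollup"
                and u.os == target.os and u.month >= target.month):
            return "effectively installed"
    return "missing"

def reconcile(installed, catalog=CATALOG):
    """Map each Security Only KB to its (literal, effective) status."""
    return {u.kb: (literal_status(u.kb, installed),
                   effective_status(u.kb, installed, catalog))
            for u in catalog if u.kind == "security_only"}

if __name__ == "__main__":
    # Constructed inventory: only the October Monthly Rollup is installed.
    for kb, pair in reconcile({"KB3185331"}).items():
        print(kb, pair)
```

    Entries where the two statuses differ are the ones to review before auto-approving Security classifications in a second tool, since that tool will still offer the Security Only update.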

     

    Additional Information

     

    .NET Framework Monthly Rollup:

     

    The .NET Framework Monthly Rollup is available for Windows Vista and Windows Server 2008. The applicable fixes for later versions of Windows are included in the Windows Security Only Bundles and Monthly Rollups.

     

    This article explains the .NET Monthly Rollups: .NET Framework Monthly Rollups Explained | .NET Blog

     

    Information Sources:

     

    Affected Product(s)

     

    Shavlik Protect 9.x

    Shavlik SDK