Beyond Patch Tuesday: understanding the different monthly security and quality updates for Windows, and how they’re getting more efficient.
Since October 2003, the second Tuesday of the month has seen a slew of fixes and updates for Windows — but those aren’t the only updates that come out for Windows every month.
The date and time for Patch Tuesday (or as Microsoft prefers to call it, Update Tuesday) are carefully chosen — at least for the US. Updates come out on a Tuesday, not a Monday, and at 10am Pacific Time (or the rather less convenient 6pm UK time) so that they’re not the first thing admins and users have to deal with when they arrive at the beginning of the week, or first thing in the morning. Updates for Microsoft Office also come out on the second Tuesday of the month.
The Patch Tuesday updates include both security and non-security fixes, and if you leave Windows Update to get updates on its own schedule, they’re the only updates that will download apart from the ‘on-demand’ updates. Those can be released at any time through the month, if there’s a security or quality fix that’s too urgent to wait ’til the next Patch Tuesday (including fixes for problems caused by a Patch Tuesday update) and they don’t happen every month.
Mix and patch
With previous versions of Windows, Patch Tuesday updates were published as individual patches that you could pick and choose from. Windows 7 and 8 also get a cumulative Monthly Rollup with security, non-security and IE 11 fixes, and a Security-only package containing that month’s new security updates, which doesn’t include patches from previous months or IE updates (so if you want the IE fixes without taking the Monthly Rollup, you need to install the separate IE cumulative update).
They’re both marked as ‘required’ security updates because they both have the full set of security fixes, so you should pick one type of update to install and stick to it. Now that Windows 7 is in extended support, the Monthly Rollup rarely includes fixes that aren’t security updates — and of course, extended support for Windows 7 SP1 and Windows Server 2008 R2 ends on January 12 2020.
The Monthly Rollup and Security-only packages have only been available since October 2016, which means older PCs can have a confusing mix of updates applied depending on which model you’ve been using. That caused a problem in August 2018, for example, when the security update could only be installed on PCs with the September 2016 version of Windows Update. Even if you’d installed all the monthly security-only updates, you wouldn’t have had the right version of Windows Update. Microsoft tests updates on systems that already have all the available previous updates applied, so if having a different mix of updates installed is going to cause a problem, you’ll have to find that out by testing on your own systems.
Smaller, less chatty updates
With Windows 10, all the Patch Tuesday fixes are bundled into a single cumulative update that includes security patches, new drivers, plus quality fixes and updates to OS components like IE 11.
The Latest Cumulative Update each month includes all the changes from previous updates, in case you missed a month. That means if you set up a new PC, it doesn’t have to download multiple packages from Windows Update to get the latest fixes. But it also means the cumulative update gets bigger every month because it includes compressed versions of every component and binary that has changed in Windows since it was released: the first month it might be 100MB or 200MB, but after six months it will be up to a gigabyte or more.
To stop that using up too much network bandwidth (especially for branch offices), Microsoft has also been offering two alternatives. Delta updates contain only the components changed in that month’s update and will install only if the previous month’s update is already present (typically 300-500MB in size). Express updates contain compressed deltas of all the changed components and binaries for every monthly release back to RTM.
With express updates, the PC exchanges details with Windows Update or Windows Server Update Services to work out which components need updating and which specific deltas it needs, then downloads just those deltas and decompresses them to apply them. That works even if the previous month’s updates haven’t been applied, and it uses less network bandwidth than the full cumulative update (typically 150-200MB per PC). However, discovering and installing the update takes a lot of memory and CPU time on the PC, and the files stored on the server are large (typically 4-8GB).
Delta updates are available for versions 1607, 1703, 1709 and 1803 of Windows 10 but only until April 9th, 2019; they’re going away because third-party update managers like IBM BigFix can now use express updates.
And for Windows 10 version 1809 onwards, there’s a new, smaller update package that uses much less CPU and memory on the PC, as well as less network bandwidth and server storage. This is what Windows Update now uses: the new update format is also available as a CAB file for WSUS and as downloadable Update Standalone Installer (.msu) files from the Microsoft Update Catalog that will work with MDM tools like Intune, replacing the delta, express and full update options.
Instead of containing compressed deltas for changes from month to month for every component that’s been updated, the new smaller updates only have the deltas to go back to the original released version of the component and then forward to the new version. So if the TCPIP.SYS file from 1809 needs to be updated in May 2019, instead of having deltas with the changes from April, March, February, January, December, November, October and the original September version of the file to choose from, the update will just have the delta to switch back to the 1809 release version of TCPIP.SYS and then to update it to the new May version.
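The rewind-then-forward scheme just described, as an added Python model that is not code from the article or from Microsoft: the copy/insert delta format and the TCPIP.SYS-style sample contents are constructed for the example, and the assumption that the reverse delta ships with the package that installed the current version (so the PC knows the way back to the 1809 release version next month) fills in how step 1 works. It also shows why a PC that skipped a month still installs cleanly, which the express-style per-month chain would not.

```python
import difflib

# Toy copy/insert delta, constructed for this example (real Windows packages
# use a binary differential format; the scheme, not the encoding, matters).
def make_delta(src: bytes, dst: bytes) -> list:
    """Return ops that rebuild dst from src: ("copy", i, j) or ("ins", data)."""
    ops = []
    sm = difflib.SequenceMatcher(None, src, dst, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            ops.append(("copy", i1, i2))
        elif tag in ("replace", "insert"):
            ops.append(("ins", dst[j1:j2]))
        # "delete": the bytes are simply not copied, nothing to emit
    return ops

def apply_delta(src: bytes, delta: list) -> bytes:
    out = bytearray()
    for op in delta:
        out += src[op[1]:op[2]] if op[0] == "copy" else op[1]
    return bytes(out)

def build_update(base: bytes, new: bytes) -> dict:
    """One month's package for one component: the forward delta base->new, plus
    the reverse delta new->base (assumed to ship with the package so a later
    update can rewind this version to base)."""
    return {"forward": make_delta(base, new), "reverse": make_delta(new, base)}

class Component:
    """One binary (think TCPIP.SYS) on a PC: its current bytes plus the stored
    reverse delta back to the release version."""
    def __init__(self, base: bytes):
        self.current = base
        self.reverse_to_base = make_delta(base, base)   # identity: RTM is base

    def install(self, pkg: dict) -> bytes:
        base = apply_delta(self.current, self.reverse_to_base)  # step 1: rewind
        self.current = apply_delta(base, pkg["forward"])        # step 2: forward
        self.reverse_to_base = pkg["reverse"]                   # kept for next month
        return self.current

def simulate(versions: list, installed_months: list) -> bytes:
    """versions[0] is the RTM baseline, versions[m] the month-m release. Install
    the listed months in order; gaps are fine because every package rewinds to
    base rather than to the previous month, so no per-month deltas are needed."""
    pc = Component(versions[0])
    for m in installed_months:
        pc.install(build_update(versions[0], versions[m]))
    return pc.current
```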
Because the cumulative update is marked as a required security update, the PC needs to reboot to complete the installation. On-demand updates are also cumulative, but they are often marked as non-security updates and don’t require a reboot. If you use automated deployment tools like Windows Server Update Services (WSUS) or System Center Configuration Manager rather than Windows Update or Windows Update for Business, and you only approve updates classified as security updates, you’ll miss on-demand updates (you can either make a new rule or wait till their fixes arrive in the next Patch Tuesday update).
Updates to the .NET Framework are distributed as separate packages, with their own cumulative updates. Updates to Windows Update itself (what Microsoft calls ‘servicing stack updates’) aren’t included in the monthly cumulative update either, which makes more of a difference if you use WSUS and the Update Catalog. To make sure they’re applied, they now count as security updates and have a severity rating of Critical.
For Windows 10, there’s a list of what’s included in the Patch Tuesday and on-demand updates with notes about any known issues.
Internally, the Patch Tuesday updates are known as the B release (B for the second week of the month); there are also optional C or D releases of non-security fixes that come out on the third or fourth Tuesday of the month. These are updates that have been through the full validation program and they’re ready to be used in production. Microsoft says the D release usually includes the majority of non-security updates that will be included in the following B release, so if you want to get them early for testing, click Check for Updates in Windows Update on or after the relevant Tuesday.
Usually the C release is for older versions of Windows 10, which might need more testing time (because if you weren’t concerned about compatibility issues you’d presumably have upgraded them to more recent versions). In the month or two before a new semi-annual feature update (typically March/April and September/October) there are usually fewer fixes needed, and previews for the current version of Windows 10 are ready in time for the C release in the third week of the month.
The C and D releases include all the fixes from the previous B release, to make sure you’re testing them on a fully updated system, but they’re not marked as either required or security updates, and you don’t need to reboot to install them.
The feature and quality updates are also available through the Windows Insider Release Preview ring, which is less for companies to test them out and more for the Windows team to get telemetry on how well they work on PCs beyond the various test labs that Microsoft runs internally and externally.
There are four levels of testing. The pre-release validation program installs updates on the current release of Windows to check for problems. The depth-test pass uses automated and manual testing on the code that’s being changed to look for regressions or new issues caused by the changes. The monthly test pass is broader regression testing done on a wide range of PC and server hardware, peripherals and applications in Microsoft and third-party labs. And after release, Microsoft does live site validation testing of the B release to make sure that it’s visible through Windows Update and is downloading and installing correctly.
None of those ways of getting updates early give you security fixes, because Microsoft is understandably cautious about distributing security patches that attackers could reverse engineer to find out what holes are being patched and attack Windows users before the fixes come out. The only way to get an early look at the security updates that will be in the Patch Tuesday B release is to be one of the larger enterprise customers and software vendors who are invited to join the Security Update Validation program so they can test out the B release security patches in their own labs to check for compatibility problems.