Page 1 of 2

Handling of "Monthly Rollup" Patches starting October

PostPosted: 15.09.2016, 16:39
by DanielEckl
Hi guys,

sorry if this is already being discussed somewhere, my search didn't bring up anything useful.

Starting next month, Microsoft will not release individual patches anymore but instead will ship "monthly rollups", patch archives which will include all patches released for a platform. This will be for Windows 7, 8.1, Server 2008 R2, 2012 and 2012 R2.

https://blogs.technet.microsoft.com/win ... ndows-8-1/

I don't want to go into the disadvantages of not being able to cherry-pick patches, but I want to make sure that WSUS Offline Update is able to fetch and install these like it did with the individual patches up to now.

Maybe this new approach makes WSUSOA deprecated, if we easily can download the rollups manually and install them from USB stick or similar.

This thread should be about discussion the possibilities how to update Windows hosts that up to now have been updated with WSUSOA and what is needed to keep them up to date in the future. Please share your knowledge about that if any existing. Thank you for your help!

Regards,
Daniel

Re: Handling of "Monthly Rollup" Patches starting October

PostPosted: 03.10.2016, 22:07
by Scott
Things I have been able to discern regarding the October patches.

The OS will have two options:
A. a cumulative security and feature rollup.
B. a monthly security only rollup - that is not cumulative.

The .NET Framework will also have the same structure
A. a cumulative security and feature rollup.
B. a (single) monthly security only rollup.

There will be other patches for IE, the serviceng stack, Flash, Microsoft Office, Windows Defender/SCEP, and more.

Either path will get the security updates installed.
if the security-only path is taken, each month must be installed; as they are not cumulative.

It looks like the three OS security+feature and the three security-only for October will be sequentially numbered KB articles.
one pair for Windows Server 2008 R2 and Windows 7;
one pair for Windows Server 2012;
one pair for Windows Server 2012 R2 and Windows 8.1.

Each monthly security-only update will only be available during that month.
The individual updates will not be available.

Re: Handling of "Monthly Rollup" Patches starting October

PostPosted: 04.10.2016, 08:21
by DanielEckl
Thanks, Scott, that's a great overview. And it shows that it's still complicated enough to have a raison d'ĂȘtre for WSUSOA to handle those patch sets.

I hope to get developers attention here fast enough to get confirmation that I still can rely on WSUSOA

Re: Handling of "Monthly Rollup" Patches starting October

PostPosted: 04.10.2016, 18:29
by boco
Each monthly security-only update will only be available during that month.
I don't believe that. If the security-only packages aren't cumulative that simply makes no sense at all...

Re: Handling of "Monthly Rollup" Patches starting October

PostPosted: 05.10.2016, 07:59
by DanielEckl
boco wrote:I don't believe that. If the security-only packages aren't cumulative that simply makes no sense at all...


Hard to believe, but the original MS blog article quoted in my initial post says just that.
Unlike the Monthly Rollup, the Security-only update will only include new security patches that are released for that month.


That's pretty clear I think.

EDIT: After thinking about it, you might not strictly refer to the non-cumulative part, but related to "will only be available during that month". That would mean that I won't be able to download the security-only patches from the last months, because they have been pulled back, and the recent patches won't include them as well. Indeed that does not make that much sense and I'm not sure if the technet blog post says that.

Re: Handling of "Monthly Rollup" Patches starting October

PostPosted: 05.10.2016, 23:49
by boco
You will have to install each month's security-only pack, probably even in correct order. It's like the security DVD with all month's patches they release, just that there's only one patch, now.

Yes, I referred to that part. The security-only packs from each month will be available to install at anytime, they just do not supersede each other. And since you can install single MUM packages with DISM (like it was done with extracting the WU Client from the July cumulative patch), there might even be a user-provided way to separate them, again.

Re: Handling of "Monthly Rollup" Patches starting October

PostPosted: 14.10.2016, 09:35
by DanielEckl
Since Tuesday, the first monthly rollup for my systems (Server 2012 R2) is available at Microsoft (https://support.microsoft.com/en-us/hel ... te-history). I ran the DownloadUpdates.sh under Debian and checked if i can find any KB numbers connected to the October Monthly Rollup. I couldn't find any.

So until somebody proofs me wrong, I claim that WSUS Offline Updates are broken now at least when using Linux Download Scripts and at least for Windows Server 2012 R2, and probably also for Windows 7, 8.1, Server 2008 R2 and Server 2012.

Re: Handling of "Monthly Rollup" Patches starting October

PostPosted: 14.10.2016, 10:18
by harry
package.xml (included in wsusscn2.cab from 2016-10-11) contains both URLs (KB3192392, KB3185331) for w63 and w63-x64, so they should be downloaded.

For w61 UpdateGenerator.exe downloaded the following (refer Windows 7 SP1 update history):
Code: Select all
[...]
2016-10-12 15:33:52 URL:http://download.windowsupdate.com/c/msdownload/update/software/secu/2016/07/windows6.1-kb3167679-x86_65d2667a5a28c4a6a472ed85a8e39221f9f694da.cab [3518084/3518084] -> "../client/w61/glb/windows6.1-kb3167679-x86_65d2667a5a28c4a6a472ed85a8e39221f9f694da.cab" [1]
2016-10-12 15:34:55 URL:http://download.windowsupdate.com/c/msdownload/update/software/secu/2016/10/windows6.1-kb3185330-x86_f6a8a712a44b2fb443fb44c87ae49b3752f29296.cab [75452983/75452983] -> "../client/w61/glb/windows6.1-kb3185330-x86_f6a8a712a44b2fb443fb44c87ae49b3752f29296.cab" [1]
2016-10-12 15:35:05 URL:http://download.windowsupdate.com/d/msdownload/update/software/secu/2016/09/windows6.1-kb3188730-x86_dd81f6ca103c4a1cc91ec40843f7e11575670b2e.cab [4296884/4296884] -> "../client/w61/glb/windows6.1-kb3188730-x86_dd81f6ca103c4a1cc91ec40843f7e11575670b2e.cab" [1]
2016-10-12 15:35:19 URL:http://download.windowsupdate.com/d/msdownload/update/software/secu/2016/09/windows6.1-kb3188740-x86_ea6aef9eb3b2e367eb5d6b1dccf87d463944a05e.cab [4297390/4297390] -> "../client/w61/glb/windows6.1-kb3188740-x86_ea6aef9eb3b2e367eb5d6b1dccf87d463944a05e.cab" [1]
2016-10-12 15:35:57 URL:http://download.windowsupdate.com/d/msdownload/update/software/secu/2016/10/windows6.1-kb3192391-x86_eb57ab91f0f988e87e34e06f2f5f4a92181daef9.cab [47098272/47098272] -> "../client/w61/glb/windows6.1-kb3192391-x86_eb57ab91f0f988e87e34e06f2f5f4a92181daef9.cab" [1]
2016-10-12 15:35:58 URL:http://download.windowsupdate.com/d/msdownload/update/software/uprl/2016/08/windows6.1-kb3182203-x86_4fe3bdfe0b0ae4678ec081103fe40173767fe73a.cab [344234/344234] -> "../client/w61/glb/windows6.1-kb3182203-x86_4fe3bdfe0b0ae4678ec081103fe40173767fe73a.cab" [1]
12.10.2016 15:36:19,00 - Info: Downloaded/validated 197 dynamically determined updates for w61 glb
[...]

Downloads for w61-x64 are accordingly.

Re: Handling of "Monthly Rollup" Patches starting October

PostPosted: 14.10.2016, 12:56
by DanielEckl
harry wrote:package.xml (included in wsusscn2.cab from 2016-10-11) contains both URLs (KB3192392, KB3185331) for w63 and w63-x64, so they should be downloaded.

For w61 UpdateGenerator.exe downloaded the following (refer Windows 7 SP1 update history):
[...]
Downloads for w61-x64 are accordingly.


Thank you very much, harry! Your findings lead me to my mistake. I confused w63 and w61 and I was searching for the w2012r2 KB numbers in the w7 tree, which obviously couldn't show any match.

I now happily stand corrected and can confirm, that the rollup packages are being downloaded.

Re: Handling of "Monthly Rollup" Patches starting October

PostPosted: 15.10.2016, 21:51
by boco
Unfortunately, both the cumulative AND the security-only patches are downloaded, since both have the "security patch" rank. However, you only need one OR the other. Since I chose the security-only way, I started excluding the cumulative packs. Note it applies to .NET as well.