[German]Microsoft will change how Security-only rollup updates for Windows 7 SP1, Windows 8.1 and corresponding server versions are delivered.
In a Technet blog post Simplified servicing for Windows 7 and Windows 8.1: the latest improvements, Nathan Meyer from Microsoft detailed further changes in Windows Updates. The changes of servicing model are for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. Customers using Windows Update and connected directly to Microsoft for updates (such as consumer PCs) will not be impacted by these changes, while enterprise customers using update management tools can benefit from these improvements.
Since October 2016 Microsoft has changed the servicing model for the operating systems mentioned above (see also my blog post Windows 7/8.1-Update: What to expect from October onwards). Updates for these versions of Windows have been released using a rollup model:
- Security Monthly Quality Update (aka the Monthly Rollup) – New fixes are rolled into a single update, which includes both security and reliability fixes, as well as all fixes from previous rollups. Each new Monthly Rollup will supersede the previous, so installing the latest Monthly Rollup will ensure you have all fixes since the start of the model in October 2016. For example, the December 2016 Monthly Rollup contained all the fixes in the October and November Monthly Rollups.
- Preview of Monthly Quality Rollup (aka the Preview Rollup) – New reliability fixes are first released in an optional Preview Rollup that enables early deployment of the new reliability fixes before they are included in the next Monthly Rollup.
- Security Only Quality Update (aka the Security Only update) – In an alternative option released to WSUS and Microsoft Update Catalog only, new security fixes are also provided in a single Security Only update, which rolls all the security patches for that month into a single update. The Security Only update does not contain fixes from previous months, and allows enterprises to download as small of an update as possible to remain secure.
For more information on these updates, and deployment scenarios, see Microsoft’s blog post. Both the Monthly Rollups and Security Only updates are available on WSUS and the Microsoft Update Catalog, and both are published with the “Security updates” classification, enabling enterprise customers using WSUS or other update management tools to sync and deploy both updates, depending on their settings. To further simply installation and deployment in this scenario, the servicing model was updated in December 2016 to better handle the Security Only update installation applicability (see also my blog post Windows 7/8.1/Server: New update schemes for WSUS/SCCM from December 2016 onwards).
Since December 2016, Security Only updates will not be offered on machines where a Monthly Rollup (from the same or later month) is already installed. AdditionallySecurity Only updates from earlier months (October and November 2016) were revised to leverage this applicability check, so it now applies to all Security Only updates released in the new servicing model. Finally, this applicability definition also checks for the installation of a Preview Rollup from the same or later month, which also includes the security fixes for that month.
The Security Only update contains new security fixes for the Windows operating system, which includes Internet Explorer. Before October 2016, updates for the latest supported version of Internet Explorer (IE11 for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 and Windows Server 2012 R2; IE10 for Windows Server 2012) were provided in a separate monthly update. From October 2016 to January 2017 we included any Internet Explorer fixes for that month in the Security Only update to allow you to also remain secure for the latest supported Internet Explorer version for your operating system, all by installing the single Security Only update.
Starting with February 2017, the Security Only update will not include updates for Internet Explorer, and the Internet Explorer update will again be available as a separate update for the operating systems listed above. With this separation, the Security Only update package size will be significantly reduced. But you will need to deploy and install the Internet Explorer update to remain secure for the latest supported version of the browser. The following table, provided by Microsoft, details the update servicing model.
|Update||Classification||Contents||Includes IE||Not applicable||Release|
|Security Monthly Quality Rollup
(aka the Monthly Rollup)
|Security Updates||New security fixes + non-security fixes from latest Preview Rollup + all previous Monthly Rollups||Yes||If a later Monthly Rollup is installed||Update Tuesday (2nd Tuesday)|
|Security Only Quality Update
(aka the Security Only update)
|Security Updates||New security fixes
(not including IE fixes)
|No||If a Monthly Rollup (current or later month) is installed||Update Tuesday (2nd Tuesday)|
|Preview of Monthly Quality Rollup
(aka the Preview Rollup)
|Updates||New non-security fixes + all previous Monthly Rollups||Yes||If a later Monthly Rollup or Preview Rollup is installed||3rd Tuesday|
|Cumulative Security Update for Internet Explorer||Security Updates||Fixes for IE11 (IE10 on Windows Server 2012)||Yes||If a Monthly Rollup (current or later month) or IE Update (later month) is installed||Update Tuesday (2nd Tuesday)|
With these two modifications for the Security Only updates (installation applicability and the standalone Internet Explorer update), enterprise customers using update management tools such as WSUS or System Center Configuration Manager will now have increased flexibility and simplicity in their deployments. Systems using Windows Update will not be affected from these changes.