How will Microsoft fix bugs that security updates introduce?


In October 2016, Microsoft switched how updates are delivered to the client operating systems Windows 7 and Windows 8.1, and also to the server operating systems.

In the past, updates were provided as individual patches and classified as either security or non-security updates. This meant that users and administrators could pick what they wanted to install on a system, which was excellent for avoiding Telemetry updates or other updates designed to introduce unwelcome functionality or changes to the operating system.

It was also great for troubleshooting, as it meant that you could remove a problematic update while keeping every other update installed.

From October 2016, updates are delivered as so-called rollup patches. Microsoft offers a security-only rollup patch which includes only security updates, and a monthly rollup patch which includes security and non-security updates.

While the system is not in full swing right now (individual security patch downloads are still available on the Microsoft Download Center), it leaves users and administrators with just three choices:

  1. Block all updates.
  2. Install only the security-only rollup for each month.
  3. Install the monthly rollup.

So, if users or admins choose to install only the security-only rollup updates, they won’t get any of the non-security updates.

There are two issues with the way these things are handled, apart from the obvious one that users won’t be able to install the feature updates they want unless they also install every other patch that Microsoft adds to the rollup updates:

  1. Will Microsoft separate security and non-security updates strictly?
  2. How are fixes for bugs that security updates introduce handled?

Clear distinction between security and non-security updates?

Security updates should be included in the security rollup for each month, and non-security updates in the monthly rollup.

In theory, users who want to keep their system secure can do so by installing only the security patches. The past has shown, however, that Microsoft did include non-security updates in security patches.

In March 2016, it released MS16-023, which installed new “Get Windows 10” functionality along with the security fixes.

Since Microsoft has done this before, there is a possibility that the company will push non-security updates by adding them to the security-only rollup patch for a given month.

To play devil’s advocate, Microsoft could add Telemetry patches to the security-only rollup update. This would put users and administrators who install only the security updates in a position they cannot escape: either install the security rollup to keep the system secure and accept the unwanted patches, or don’t and leave the system open to attacks.

Fixes for bugs that security updates introduce


How will Microsoft handle bugs that are introduced by security updates? Will Microsoft add patches for those bugs to the security-only rollup of the month, or will it add them only to the monthly rollup update?

The former would mean that non-security updates are added to the security-only rollup update; the latter, that users who install only the security rollups won’t get those fixes.

The security update MS16-087 introduced a bug that prevented “pushed-printer connections and printer connections from trusted servers from being installed in Point and Print scenarios”.

If you check the changelog of the November 2016 monthly rollup preview, which Microsoft published on Tuesday, you will notice that it includes a fix for that issue.

There is a third possibility, but it seems unlikely: Microsoft could update the security patch itself so that it also fixes the issue it introduced.

Now, that does not mean that the fix won’t also be added to the security-only rollup update for November for the affected operating systems. We don’t know if that will be the case, but we will monitor the situation closely. (via Ask Woody)

Now You: What’s your take on these updating changes?