• Microsoft fixes problems with Win7/8.1 "Group B" security-only patching method

    #19751

    Yes, MS has acknowledged the problem with fixing security-only bugs in non-security monthly rollup patches. And, yes, they say they’re going to fix it.

    • #19752

      Well done and three cheers for Woody (and others) who publicised this problem. Group B is still viable. The W Bench will have to wait a little longer for me.

    • #19753

      With all due respect, I don’t agree with your conclusion
      I believe this change only affects the Security-Only Updates metadata and how they are managed in WSUS or SCCM
      it doesn’t necessarily mean the non-security bugs that are presented in security updates will be fixed in security updates

      but, let’s wait and see 🙂

    • #19754

      Yes, but it looks like there won’t be any cross-feeding of fixes to bad patches.

      When metadata changes, we can advise manual downloaders that they should re-download a fixed Security-only update.

      But, as you say, let’s wait and see…. At least MS acknowledged the problem!

    • #19755

      By the way… any idea which bug in the October Security-only patch was fixed in November?

    • #19756

      My interpretation of this article is different from Woody’s. The thrust of the article is about supersedence relationships, not bug fixes.

      The sentence “An update to previous security only updates will be released as meta data only for the changes to take effect which will require a Software Update (or WSUS) synchronisation” might indeed be newsworthy because it indicates that security-only updates might be reissued. However, it’s possible that the reason a security-only update might be reissued is because it doesn’t properly fix the security issues it claims to. And even if this sentence does in fact mean that Microsoft might fix non-security issues caused by security-only updates, I don’t interpret this sentence as meaning it’s a guarantee that Microsoft will always do so.

      I find the sentence “This allows customers to […] Periodically deploy the Security Monthly Quality Rollup and only deploy the Security Only updates since then” as newsworthy because it seems to indicate that people can jump from Group A to Group B without first uninstalling the monthly rollup(s). For example, if you installed the November monthly rollup, you could install the December security-only update without first uninstalling the monthly rollup(s).

    • #19759

      Interesting. Yep, I see where you and Abbodi are coming from.

      Of course, we won’t know for sure until we’ve seen it work for a few months.

    • #19761

      Metadata usually just change the detection rules, not revised binaries

      there are no known bugs in the October Security updates

      you are looking to it from a different point than the described point in Scott Breen’s blog 🙂
      the Monthly Quality Rollup is cumulative, which means that October security fixes are included in November Rollup. which also means that October Security Only update is included in November Rollup.
      that’s it, it’s only about the Supersedence Relationships metadata, not bugs.

      at least that’s my understanding 🙂

    • #19762

      +1

    • #19763

      We’ll have two test cases next Tuesday: a) Does the December security-only update fix the MS16-087 bug b) Does the Windows 8.1 December security-only update fix the “Addressed issue with the boot partition appearing in File Explorer after installing MS16-100” bug fixed in the Windows 8.1 preview monthly rollup.

    • #19764

      The way I read it:

      Monthly Rollups will be superseded by following Monthly Rollups.

      Security-only Updates will not be superseded (since they are not cumulative).

      If you install the Monthly Rollup, the previous Security-only Updates will not be applicable (metadata change) since they would be redundant.

      Up till now, I believe to be in compliance, both would have to be installed.

    • #19765

      Good point. I have hope.

    • #19766

      I will not jump from C to B yet. I will wait and see as you suggest. When and if it appears that B is practical for the average Jane/Joe, I will jump.

      I await your confirmation

    • #19767

      I may have jumped the shark. Abbodi and MrBrian’s comments have me concerned that I gave Microsoft too much credit. We won’t know for sure until the next batch (or two) of rollups appear.

      So settle in on the Group W bench and let us know who else you find there… father stabbers…

    • #19768

      Sorry Woody, abbodi86 is right on the money.
      The blog post from Microsoft is only about separating the 2 streams from a supersedence point of view, which I believe will revert to the October 2016 behaviour.
      This affects only those using WSUS or System Center Configuration Manager.

    • #19769

      I find it interesting that those more technical of us who actually do research and test thoroughly and understand well the CBS and to a large extent telemetry are in favour of Group A style of updating, while everyone else, with few exceptions, tend to be confused by all this distraction which is the telemetry.

    • #19770

      Oy. I sure hope my overly-optimistic take on the situation turns out to be true.

      I don’t see how they can fix the supersedence problem without fixing the underlying mix-up in patching – but then again, I don’t see how they started doing this in the first place.

    • #19771

      “Up till now, I believe to be in compliance, both would have to be installed.”

      That was the case for October 2016 and changed in November 2016. Based on what I read, I think the supersedence metadata implementation will revert to the October 2016 model.

    • #19772

      I think, simply stated, the people who paid for Win7 feel that they’re getting ripped off by the telemetry. Microsoft could make this so much simpler if they would either (a) document what they’re transmitting or (b) give us a big telemetry OFF switch.

    • #19773

      In the real world out there.

      1, IF people have read about this mess, most do not do any updating at all any longer.

      2, IF they have not read about this, they just let Windows update do what it always did.

      3. If their computers have not been updated for some reason and they do not know about it, they will do nothing and effectively they are C. This is a surprisingly large group. Most of it is because WU stopped working properly many months ago and they just are not aware of it. They may be seeing slow performance, but will probably just give up using the computer eventually because it does not perform

    • #19774

      IF they (Windows 7 owners) even know about what is happening, and that is big if (but a very small group), you are correct.

      I sure feel ripped off.

      I thought I had a very nice computer I invested in with the understanding that Windows 7 would be there for the foreseeable future — at least till January 2020. What makes matters so much worse for me is that on that premise, I strongly recommended the same to so many people who have invested thousands of dollars of hard-earned money and I now know that I misled them badly.

      I never dreamed Microsoft would turn into this really bad actor. I guess I have been too much of an optimist, like you, Woody.

      My role was to help them get the most out of their investments. Now my role will be finding ways to keep their computers running safely and if and when the day comes when they are not safe, help them find an alternative.

      I do not know a single soul, and I know a lot of souls, who will ever buy a Microsoft product again.

    • #19775

      Another major contributor to Group C comes from pirates. There are millions of pirate copies of Win7 out there. Folks who live in North America may not realize how rife the rest of the world is with functional, pirated copies of Win7.

    • #19776

      See the comments at Microsoft’s blog post also.

    • #19777

      I believe the Nov change made the Rollup supersede the security-only Update.

      I think this change implies that if you have the Rollup installed and then try to install the security-only Update, that the latter will just not be applicable to your computer (like trying to install a 32-bit update on a 64-bit machine), not superseded by the Rollup. With the Rollup installed, the security-only Update is no longer required.

      The diagram doesn’t show Rollups supersede security-only Updates. Only later Rollups supersede older Rollups.

    • #19778

      And still pirated copies of XP!!!

    • #19779

      And what the heck are BETA updates?

      This morning my WSUS server suddenly notified me of these new updates:
      – Security Update for Microsoft .NET Framework 3.5.1 and Windows 7 SP1 Beta x86 (KB2416754)
      – Security Update for Microsoft .NET Framework 3.5.1, Windows 7 SP1 Beta, and Windows Server 2008 R2 SP1 Beta for x64-based Systems (KB2416754 )

      Have they changed the naming again or is this something new?

    • #19780

      I think the father stabbers are on the bench marked Micro…

    • #19781

      I don’t think they have anything to fix, it is only about the interpretation of the 2 categories of patches, i.e. if they are to be considered equally valid (October 2016 approach), or as it is my preference and it would be logical, the Security Monthly supersedes the Security Only (November 2016 approach).
      It appears that someone in Microsoft decided for the October 2016 approach, but this would affect only managed environments, as WU will still publish only the Security Monthly update.

    • #19782

      Yes, this was discussed a lot on this site and I understand your and most other readers point of view.
      I tend to follow the practical path though and not to look back.

    • #19783

      Yep.

    • #19784

      Funny enough, I think the pirates have reached such a level of expertise in pirating Windows that they can keep updating. There is enough information in the public domain and this would rather indicate that there are no longer such restrictions to updating pirated copies like they were during Windows XP time.
      But there may be those pirating Windows who do not update on principle.

    • #19785

      Excellent questions. Let’s see what Scott says.

    • #19786

      If you check the dates of the updates, you will understand. They were updates for the beta versions of SP1 for Windows which have never been expired from the WSUS reference repository. One of the reasons for the current slowness in scanning for updates without having specific patches installed.

    • #19787

      @ woody ……. To me, Group A & B are actually Group O, ie the Outer Party in George Orwell’s 1984, similar to the blood types, A, B n O.
      ……. I doubt those in Group C or W, like Canadian Tech, are like father stabbers, father rapers or mother rapers.

    • #19788

      Here are some of the comments:

      Scott Breen: “If a problem with the update itself is identified and not a known issue, a revision of the update might be released which resolves the problem. As I said, case-by-case.”

      Brian: “As an example, there were non-security issues identified with security update MS16-087 which were addressed in the November monthly rollup, but not in the November security-only update. Was it intentional that Microsoft did not fix this issue in a security-only update?”

      Scott Breen: “Hi Brian, as I said they are assessed on a case-by-case basis – I’m not provided with specific information about decisions – I’d tell you if I could! In this case it would seem that the solution was provided via the rollup. Organisations will continue to get the best possible Windows experience if they apply the monthly rollups in their software updates process. If you do want more specific information about the solutions for that problem you’d be best off logging a support call.”

    • #19789

      Argh.

      I’ll take this to Microsoft’s PR agency when I wake up.

    • #19790

      🙂

    • #19791

      In October 2016, the Rollup did not supersede the Security Only, they were equal and sitting side by side in WSUS. To be fully patched in the WSUS sense, both were supposed to be applied, which is not a normal situation, as the Rollup include the Security Only. However, when installing the Security Only after the Rollup, it was only the flag in WU which was updated showing that both are installed, because in the background, the Component Based System (Servicing Stack) would not allow components already installed to be reinstalled. So this was only a cosmetic issue.
      It is counterintuitive, but this is how it is designed and WU looks at the supersedence metadata, while CBS looks at the actual components to be installed, being authoritative from this point of view.
      I learned this mechanism in the finest details from abbodi while discussing here and on MDL and I can confirm that it is correct.

      In November 2016, the metadata (in WSUS and while installing manually from the catalog) was handled differently. The Rollup superseded the Security Only and I think this is the most correct approach.

      However, as I understand from the MS blog, due to requests from sysadmins who install Security Only, someone in MS decided that from now on, the behaviour from October 2016 will be implemented.

      Unfortunately there is no totally correct treatment of the supersedence, as the system was not designed to cope with two overlapping patches. This can be resolved completely in only 2 ways:
      1. Revert to previous behaviour with discrete patches
      2. Remove Security Only patches which do serve little purpose (other than selling some people which are in small numbers, an illusion and likely more important, to keep some enterprises happy) and release only one patch, i.e. the Rollup, which is exactly what every other software company does.

      As long as there will be overlapping patches released at the same time, this supersedence dilemma will keep existing without a satisfactory solution for everyone.

    • #19792

      I am convinced that your analysis from few weeks ago that the B model is not viable without having access to the enterprise tools WSUS, SCCM or equivalent or better third-party tools is entirely correct.

    • #19793

      Sadly, I’m starting to think the same way. Breen’s responses to MrBrian’s questions have been quite disheartening.

    • #19794

      This one:
      “Organisations will continue to get the best possible Windows experience if they apply the monthly rollups in their software updates process.”

    • #19795

      Yep. That’s what bothers me.

    • #19796

      Woody, I am quite surprised that you still believe “pirates” cannot update their Windows 7 installations.

      The current available tools for pirates are quite sophisticated that they work exactly like the real version. They can even survive a motherboard replacement without the need for Windows reactivation.

      This is no longer the Windows XP days. The pirates may choose not to update their Windows installations, but it is certainly not because the system cannot update.

    • #19797

      Back to the Group B issue.

      It seems to me, sadly, that I must agree with others here that the Group B approach may not be (completely) viable, if Microsoft will only fix problems found in security-only patches with rollup patches.

      As I said before, I will have to adopt a part Group B, part Group C approach going forward. I will never opt for the rollup patches, and any security-only update that is found to cause problems for me will not be installed.

    • #19798

      Group A, B, C, W,Z!!!!!!
      I am in Win7 Group B and would appreciate someone telling me what the hell I should do about and with updates.
      I am now at the point where I will not do any more updates unless Woody or someone else can advise me what and how to do it.

    • #19799

      If it’s true that Microsoft won’t fix non-security bugs in security-only updates with security-only updates, then I think the use case for security-only updates is for people who want to get Windows non-security bug fixes regularly but less often than every month. For example, a user who wants Windows non-security bug fixes every 3 months would install the monthly rollup once every 3 months, while continuing to install every monthly security-only update. If the user encounters an issue which is fixed in a monthly rollup, the user might not wait the full 3 months to install the monthly rollup. To save disk space, this user should periodically uninstall old security-only updates, perhaps those 6 months or older. We could call this group of users Group D or perhaps Group N (“N” for “installs the monthly rollup, but Not every month”).

    • #19800

      There is telemetry if you are using Windows Update services. See “Update Services Privacy Statement” (http://fe1.update.microsoft.com/microsoftupdate/v6/vistaprivacy.aspx). It’s not clear to me what telemetry there is when using Windows Update manually with setting “Never check for updates”.

    • #19801

      But I would guess it’s something very, very few customers would want to tackle.

      Right now I’m waiting for a clearcut case of a Security-only update with a bad bug. At that point, we’ll know if MS is going to put up or shut down.

      Assuming there ever is a bad bug in a Security-only update, of course. 🙂

    • #19802

      You’re doing exactly the right thing… nothing!

      Wait for the MS-DEFCON level to change. At that point we’ll have more info about the viability of Group B.

    • #19803

      And you’ve hit the problem on the head.

      Microsoft may not commit to fixing Security-only bugs with Security-only patches, but they may just go ahead and do it. We don’t have enough info at this point to tell for sure – Security-only patches started in October, and I haven’t seen any significant bugs in October or November. Even if one cropped up in the November bunch, we wouldn’t know until next week if it’ll get fixed in the December Security-only patch.

      With Brian’s questioning, Scott Breen has said that bugs will be fixed on a case-by-case basis. We’ll just have to see how MS handles things when the offal hits the fan. If it ever does.

      For now, I’m cautiously optimistic that MS will do The Right Thing – and I suggest that those in Group B not throw in the towel. Yet.

    • #19804

      It’s been nearly three years since I was immersed in pirate software, so I may be hopelessly out of date. But I thought nearly all pirate copies of Win7 shipped with Automatic Update set to Never check.

      Not so?

    • #19807

      Scott Breen’s profile indicates that he is a Premier Field Engineer but his responses read as if they were drafted for him by the PR department!

    • #19808

      Also note that the responses were carefully worded to target “Organisations”, not “users” or “consumers”!

    • #19809

      I’m guessing that the following procedure would be about the best way to stay in group B, while avoiding problematic patches:

      1. Do a backup immediately before installing the security-only monthly update.

      2. Install the current security-only monthly update.

      3. If things go south for you as a result of the update, then restore from your most recent backup.

      4. From now on, skip the security-only monthly update which caused your machine to go south.

      By doing things in this way, you will have most of the security-only patches. You will skip only those months where problems occurred. Of course, if Microsoft fixes the problem that caused your PC to go south in a future security-only update, you could always go back and install the one which caused the problem, then install the fix for it.

    • #19810

      I would only add…

      1a. Wait. You don’t need to install the Security-only update as soon as it’s released. Wait for the MS-DEFCON rating to change – after the cannon fodder has taken the first volley.

    • #19811

      Yep. That and the admonition to open a support ticket speaks clearly to the corporate crowd.

    • #19812

      You can bet that we were at least glanced at – and possibly entirely vetted – by WagEd, and likely the legal department. I think that’s standard procedure now, outside the Answers forum.

      Scott’s in Australia, as best I can tell.

      What worries me is that many unofficial posts, from people who don’t work directly for Microsoft, are also being vetted by WagEd.

    • #19813

      +1 Jim4
      We’ve been doing this since Jan 2016 pre-patchopocalypse image, saves the angst and your system from timely fixing etc..

      Windows - commercial by definition and now function...
    • #19814

      I have said it in few places here, the Technet site was never meant to be used by “consumers”, although Power Users can find it useful. For the non-technical people, it only adds to the confusion. The same applies to MSDN and most Microsoft blogs.

    • #19815

      The Security Only patches are released only to keep the security people and security assessment engines happy. They are not meant to keep Windows in top shape and this explains exactly why Security Only patches are not fixed by other Security patches. The Security Only patches fill security holes only, with little regard for functionality which becomes secondary to the purpose.
      Windows is a system and in a wider sense Windows Server is a whole eco-system which works together with other Server products and designed as such. You can find elements and technologies from the other products in the Windows versions, like Windows Internal Database (cut down version of SQL Server).
      There is no possible separation between categories of patches and as I said, the Security Only patches are just a hack to keep the too many compliance mechanisms quiet.

    • #19816

      The uninstallation of superseded components is performed normally by Disk Cleanup which has the logic to do this already built-in. The old patches can be manually uninstalled, but in such a case Windows Update should be run until the newer patches or the required components are brought back in the system if those uninstalled were not completely superseded.
      Note: This procedure is needed sometimes after running Disk Cleanup, but it is mostly for cosmetic reasons in such a situation.

    • #19817

      Check C:\Windows\WindowsUpdate.log for a view of what is accessed, at least of what is logged as being accessed.

    • #19818

      I am exploring options to decrease the amount of telemetry information I might involuntarily be sending anywhere… so am researching and applying changes that suit me. This has been getting increasingly more complicated over time.

      So… I started keeping a (handwritten-non-techie) journal as I make this or that change, or check this or that setting. It started back when I was avoiding the GWX debacle, and needed to quickly reference what I did and did not have installed as I researched just what was going on, on various websites. I’m cautious, but willing to explore in order to stay true to my values and needs. Some of what becomes confusing in following the discussions is knowing how what is being discussed affects my personal computer… or if it even applies to it. It has saved me a great deal of time to know which version of Windows 7 is being discussed (ex-no longer spending time searching for something that wasn’t available to my system in the first place).

      My question is this… is there already a way to keep track of the changes I make built into Windows 7 Home… and if there isn’t, is there a better way to be tracking these things… and just what are the best practices in this regards?

      I have adequate backup and restore, so it isn’t a matter of returning to where it worked better, but rather tracking from the default settings the changes I’ve made.

    • #19819

      I have a spreadsheet with a description of the changes that I made to my computer, by date.

    • #19820

      Woody, what is WagEd?

    • #19821

      @Canadian Tech:

      IMHO this very difficult situation was deliberately and methodically created to ENSURE that it would “FAIL” and drive Win 7,8 & 8.1 owners to be forced to find other “alternatives” (for lack of a better term) with only ONE PRIMARY objective — that of ruining the OS’s these users have bought and paid for.

      It is very clear where this is headed (and has been from “day one”, which is years ago).

      I’m sure that many, many others share this opinion as well, unfortunately we’re all “between a rock and a hard place”.

      Hoping there will be a “miracle cure” for this absolute “MESS”. GOOD LUCK TO US ALL!!

    • #19822

      WagEd = Waggener Edstrom, Microsoft’s PR company. They are very tightly interwoven into the MS fabric.

      https://en.wikipedia.org/wiki/WE_(firm)

    • #19823

      Does that mean that I am being vetted by WagEd??

    • #19824

      Ooops. Typo on my part. I meant to say “they” – meaning the posts – were vetted.

    • #19825

      I’ve been pretty outspokenly criticizing MS here and in the Answers forum.

    • #19826

      I have only some recent experience with the current tools, and as far as I can see, they can activate Windows (any version including Enterprise using suitable tools) and make it work like the real thing. They can also access Windows Update and download and install any updates without problems. And as I said above there is no need to worry about Windows reactivation even after a major hardware change like a motherboard replacement.

      So I can assure you that these tools really work.

      I have no idea about how those copies are configured regarding Automatic Update, though.

    • #19827

      Wow. I’m impressed!

    • #19828

      You have nothing to fear. They won’t touch your posts, even on Microsoft fora.

      WagEd and I go back a long, long way.

    • #19829

      “…if they apply the monthly rollups in their software updates process.”

      That’s the key phrase…

      When I worked in IT for a large financial services company, updates were never pushed out until the following month…in effect, creating a “customized” rollup.

      Doing a full disk image backup before applying any updates (individual or rollup) is prudent in case things go sideways.

      Removable consumer drives are cheap and there is a large selection of free and paid imaging software (i.e. Macrium Reflect, Image for Windows, on and on).

      Really no excuse if an update/rollup hoses your system back to the stone age.

      My 2 cents…

    • #19830

      Many thanks ch100 🙂
      NOTE:
      The optional tab ‘extensive telemetry’ stops too many things to keep track of and Windows Live Mail doesn’t play well, so I reverted to blocking ‘Remote Registry’ only on the Optional Tab (even though I had this service disabled)
      All works as intended though.

      Windows - commercial by definition and now function...
    • #19831

      From my testing so far with the method given at https://www.askwoody.com/2016/care-to-join-a-win7-snooping-test/comment-page-1/#comment-110035, the information that KB2952664 might gather that is transmitted to Microsoft by Diagnostics Tracking Service is mostly a subset of what’s listed in Microsoft’s document “Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events and Fields” (available from https://technet.microsoft.com/en-us/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics).

    • #19832

      Alright. Let’s say the telemetry gathered by DTS is limited to those 34 pages of fields. Would you recommend “Group B” to folks who are sensitive about the kind of data collected? Realizing, of course, that DTS is a subset of the total amount of information sent.

    • #19833

      Internet Explorer 9 has finally been expired for Windows 7 32-bit & 64-bit and Windows 2008 R2.

    • #19834

      In my opinion, Group A should be fine (at least for Windows 7 users) for those concerned about telemetry in recent “bad” Windows updates, if you follow my advice at https://www.askwoody.com/2016/care-to-join-a-win7-snooping-test/comment-page-2/#comment-110623. If anyone has evidence that the advice given there is not effective or causes problems, please let us know!

      Note: Some information transmitted by Diagnostics Tracking Service to Microsoft is not documented in Microsoft’s document “Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events and Fields”. You can judge the coverage by searching for each of the event types at https://www.askwoody.com/2016/care-to-join-a-win7-snooping-test/comment-page-2/#comment-110622 in Microsoft’s document.

    • #19835

      So you’re saying that the Win7 telemetry generated by the newer updates isn’t individually identifiable, potentially privacy-busting data? I’m not sure how you can come to the conclusion….

    • #19836

      It may or may not be potentially privacy-busting, but in either case for Group A I believe that its gathering and transmission to Microsoft can be stopped by following the advice I gave :).

    • #19837

      Woody, it is easy to configure CEIP to Disabled and stop the 2 tasks under Application Experience which do not mention CEIP in description. This is consistent with MrBrian’s findings and abbodi and few other before.
      After that, all telemetry is stopped.

    • #19838

      @Woody:

      How does a user create a “restore point” prior to checking for updates? Dumb question, however I’ve been trying to get the courage to ask it.

      I’m a REAL Non-techie, and appreciate all of the help I can get. The acronyms in almost all of the e-mails are also confusing to those who do not understand what they are.

      Thank you again, Woody, for all of your help!! 🙂

    • #19839

      Go into Control Panel and in the upper right corner type

      Restore point

      Then follow the instructions.

    • #19840

      Walker, I’m using Win7, I find the easiest way for me is to click on Start.

      Type in the search box – create restore – all you should see at this point is “Create a restore point”.

      Click on that and from System Properties the System Protection Tab will open, look for “Create” (at the bottom) and click on that.

      You can type what description you want into the box e.g. Before Updates 12/12/16. Then click on Create.

      Let it run and it will show you when it has completed.

      gts

    • #19841

      Walker, I see you have been given instructions on how to create a restore point.

      While you have that window open where you can click Create, consider clicking Configure. You will then see another window open and have displayed the current allotment of space provided for restore points. Consider increasing yours.

      The default in that allotment is likely around 1 to 3% of your hard drive capacity. In the vast majority of cases, users use only a small portion of that capacity, so there is plenty of space to increase the space allotment.

      When it comes time that you need to do a restore, you may find not nearly enough restore points to choose from. It would be very nice to have more. Increasing the allotment will do that for you. I set my clients’ to a minimum of 5%.

      Also, Windows Update, by design creates a restore point every time it updates, so if you create one, you will then have TWO at the same point.

    • #19842

      Good points.

    • #19843

      @Woody, GoTheSaints & Canadian Tech:

      My apology for not being able to work with the computer at the present time.

      I picked up a &*(&^&%^% “bug”, and I’ve not been able to do anything for FIVE days now, and I don’t know when I will be well enough to try to address all of your messages.

      Thank you all SO much for your very helpful comments. I don’t know how much longer I’ll be sick. I hope and pray that it won’t be much longer. Thank you once again!

    • #19844

      Looking at files in the relevant KB file lists, the answer to both questions seems to be no!

      Evidence:
      a) Updated version of file Win32spl.dll that almost surely fixes MS16-087 in Windows 7 November monthly cumulative rollup (see https://www.askwoody.com/2016/is-microsoft-now-fixing-security-patch-bugs-with-non-security-patches/comment-page-1/#comment-106944) and probably also fixes the issue for other operating systems is not present in any of these December security-only update file lists:
      https://support.microsoft.com/en-us/kb/3205394
      https://support.microsoft.com/en-us/kb/3205400
      https://support.microsoft.com/en-us/kb/3205408

      If you want more evidence, you could try the method from https://www.askwoody.com/2016/is-microsoft-now-fixing-security-patch-bugs-with-non-security-patches/comment-page-2/#comment-107790 on the December security-only updates (I didn’t).

      b) None of the 3 files listed for Windows 8.1 at https://support.microsoft.com/en-us/kb/3172729 are present in Windows 8.1 December security-only update https://support.microsoft.com/en-us/kb/3205400. An updated version of file Tpmtasks.dll that appears in December monthly cumulative rollup https://support.microsoft.com/en-us/kb/3205401 apparently fixes the MS16-100 Windows 8.1 bug.

    • #19845

      As a test, I installed the Windows 7 December security-only update, then installed the December cumulative rollup, then used Disk Cleanup to remove superseded updates, then rebooted (for the updates cleanup to actually take place). The December security-only update was still listed in the list of installed updates.

    • #19846

      Security-only update components have not changed, they are still at the same level as the Monthly rollup
      only the applicability and logic is changed, and this change only affects WSUS and other tools relying on it
      for the system and WU, both updates will still be applicable

    • #19847

      How many different types of supersedence exist in regards to Windows updates and Microsoft’s update-related tools?

      Also, if I may ask, what free available tools do you recommend for exploring .msu files, and technical information about Windows updates already on a system? I know about CBS Package Inspector already.

    • #19848

      I only have knowledge or can determine the supersedence on CBS level, I'm not familiar with WU/WSUS metadata logic

      I only use 7-zip and Notepad2 to explore the update packages, along with a local repository for all .manifest files from non-superseded updates
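
The file-list comparison in #19844 and the package exploration described in the post above can also be done with tools that ship with Windows. This is an added example, not code from any poster in this thread: it unpacks a manually downloaded .msu with `expand.exe` and reports whether the named files are inside it and at what version. The script parameters (`$MsuPath`, `$FileNames`, `$WorkDir`) are assumptions, and it assumes the payload files sit directly inside the KB-named cabinet.

```powershell
# Added example (not from the thread). $MsuPath and $WorkDir are placeholders;
# use an empty scratch folder for $WorkDir.
param(
    [Parameter(Mandatory = $true)] [string] $MsuPath,
    [string[]] $FileNames = @('win32spl.dll', 'tpmtasks.dll'),  # names taken from the thread
    [string]   $WorkDir   = (Join-Path $env:TEMP 'msu-inspect')
)

$ErrorActionPreference = 'Stop'
$MsuPath = (Resolve-Path -LiteralPath $MsuPath).Path
$outer   = Join-Path $WorkDir 'msu'
$inner   = Join-Path $WorkDir 'cab'
New-Item -ItemType Directory -Force -Path $outer, $inner | Out-Null

# Stage 1: unpack the .msu container into its .cab, .xml and .txt parts.
& expand.exe '-F:*' $MsuPath $outer | Out-Null
if ($LASTEXITCODE -ne 0) { throw "expand.exe failed on $MsuPath" }

# Stage 2: unpack the payload cabinet(s); WSUSSCAN.cab holds scan metadata only.
$payload = Get-ChildItem -Path $outer -Filter '*.cab' |
    Where-Object { $_.Name -ne 'WSUSSCAN.cab' }
foreach ($cab in $payload) {
    & expand.exe '-F:*' $cab.FullName $inner | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "expand.exe failed on $($cab.Name)" }
}

# Stage 3: one output row per copy found, or a single "absent" row.
foreach ($name in $FileNames) {
    $hits = @(Get-ChildItem -Path $inner -Recurse -Filter $name |
        Where-Object { -not $_.PSIsContainer })
    if ($hits.Count -eq 0) {
        New-Object PSObject -Property @{ File = $name; Present = $false; Version = $null; Folder = $null }
        continue
    }
    foreach ($hit in $hits) {
        New-Object PSObject -Property @{
            File    = $name
            Present = $true
            Version = $hit.VersionInfo.FileVersion
            Folder  = $hit.Directory.Name
        }
    }
}
```

Running it once against the security-only .msu and once against the rollup .msu for the same month gives two tables that can be compared side by side.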

    • #19849

      @abbodi86: Thank you for your reply :).

      For anybody interested in information about CBS Package Inspector, see https://blogs.msdn.microsoft.com/windows-embedded/2012/12/05/powertoys-make-life-easier-cbs-package-inspector/. Download: https://twitter.com/tfwboredom/status/561600460654911489. The file is digitally signed by Microsoft, and it validates, so it should be safe to use.
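
The signature check mentioned in the post above can be scripted for any file downloaded outside Windows Update, including .msu files from the Update Catalog. This is an added example, not part of the original post; `$Path` and `$ExpectedOrg` are assumed parameter names. A passing result establishes who signed the file and that it has not been altered since signing.

```powershell
# Added example (not from the thread): validate the Authenticode signature on a download.
param(
    [Parameter(Mandatory = $true)] [string] $Path,
    # Assumption: the organisation you expect in the signer certificate's subject.
    [string] $ExpectedOrg = 'Microsoft Corporation'
)

$sig     = Get-AuthenticodeSignature -FilePath $Path
$reasons = @()

# 'Valid' means the file hash matches the signature and the chain ends at a trusted root.
if ($sig.Status -ne 'Valid') {
    $reasons += "signature status is $($sig.Status): $($sig.StatusMessage)"
}

# A valid signature from an unexpected publisher is still a failure for this check.
$signer  = $sig.SignerCertificate
$pattern = '(^|,\s*)O=' + [regex]::Escape($ExpectedOrg) + '(,|$)'
if ($signer -eq $null) {
    $reasons += 'file carries no signer certificate'
} elseif ($signer.Subject -notmatch $pattern) {
    $reasons += "unexpected signer: $($signer.Subject)"
}

$subject = $null; $thumb = $null
if ($signer -ne $null) { $subject = $signer.Subject; $thumb = $signer.Thumbprint }

New-Object PSObject -Property @{
    Path        = $Path
    Trusted     = ($reasons.Count -eq 0)
    Signer      = $subject
    Thumbprint  = $thumb
    Timestamped = ($sig.TimeStamperCertificate -ne $null)
    Reasons     = ($reasons -join '; ')
}
```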

    • #19850

      Ghar fun, I didn’t install the November patch for Windows 7 on my main system and only just tried to install that. Got an error message from Windows Update, and when I did ‘retry’ it started downloading the 3 updates for December. – Uh, not on my watch, buddy.

      But that at least shows how it’s doing that, you miss out on one month’s patch, the next month you cannot install that one anymore, it’ll just jump to that month’s patch.

    • #19851

      You’re talking about the Monthly Rollup patches – the Group A patches – right?

    • #19852

      @MrBrian,

      Your suggestion of a Group D/N (which installs the comprehensive monthly rollup only occasionally, perhaps every 3 months or so, in order to get some of the security-only-patch-bug fixes, and which installs the monthly update in all the other months) is just a complicated way to be in Group A, because the telemetry and other stuff that Group B is trying to avoid is contained in the non-security parts of the comprehensive monthly rollups, and Microsoft has said that the monthly rollups are going to become fully cumulative (including all historical patches that MS deems appropriate for the system in question) in only a few months’ time, so being in Group D/N is basically equivalent to being in Group A + extra hassle.

    • #19853

      @Canadian Tech,

      You didn’t mislead your flock, you gave them what was good advice at the time, which millions of other people were also fully confident in. Don’t feel guilty — there is no way you could have known.

      No one could have known how things would have developed, probably not even many people who were at the heart of Microsoft just a few years back.

      The last two years have been ridiculous, and it’s not as if what they are doing has been so smooth and technical and highly-skilled and deft and accomplished and beneficent and wise and error-free, though we rag-tag, non-researchy, Luddite consumers just haven’t been able to wrap our tiny minds around it.

      For people who can see the forest for the trees, and who can see the ecosystem for the forests, it’s a different matter than simply deciding what is simplest and easiest and is less prone to complications on any given day in the near-term.

    • #19854

      @Bezem,

      When you use Windows Update to get your updates, you will only be shown the Monthly security+nonsecurity Rollup,
      you will not be shown the monthly security-only Update (which is only available by manually downloading it from the Update Catalog).

      Since you said you were working with Windows Update, you probably were dealing with the Monthly security+nonsecurity Rollups.

      I think that the Monthly comprehensive security+nonsecurity Rollup is probably cumulative from October 2016 to the current month, so if you didn’t download November’s version of the Rollup when it was the available version, if the December rollup was already published when you tried to install November’s rollup, they would have offered you the December one because that is the current version of the same thing (just with some recent additions).

      If you want to be able to install the security-only Updates month by month in a controlled fashion, you will need to follow Woody’s instructions on going to the Update Catalog to manually download them.

    • #19855

      I agree with the technical parts of what you wrote, and I also agree that it’s probably too much of a hassle to be in what I’ll call Group AB, compared to being in Group A.

    • #19856

      Type AB negative, anybody?

    • #19857

      Also, from “More on Windows 7 and Windows 8.1 servicing changes” (https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/), Microsoft states that “You install all security and non-security fixes as we release them […] is our recommended updating strategy, as it ensures that all fixes for Windows are deployed on the PCs that you manage.”
