• The different types of Windows update supersedence

    #135015

    In the comments at https://www.askwoody.com/forums/topic/confusion-in-the-group-a-ranks/ there is a discussion about whether there are different types of supersedence that apply to Windows updates. I have more insights now that I’d like to share.

    Let’s first discuss how the list of updates that Windows Update shows is generated. When you use Windows Update to check for Windows updates in Windows 7 (and I assume also in Windows 8.1), the following seems to happen (simplified version):

    1. The Windows Update client gets a list of all applicable updates that are not installed on your computer.

    2. Any updates in the list in step 1 that you had previously marked as hidden are removed from the list.

    3. Any updates in the list in step 2 that Microsoft considers to be superseded by any other updates in the list in step 2 are removed from the list.

    The first type of supersedence seems to relate to the above process of which applicable but not yet installed updates are shown to the user in Windows Update. This type of supersedence is declared by Microsoft and is listed in the Package Details tab of a given update at Microsoft Update Catalog; example: https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=270cb4c4-685a-4bf2-bd53-9c314d6ffc47. An important detail is that a given update might contain a newer version of all the components in another update, but Microsoft might purposely not consider the newer update to supersede (in this first type of supersedence) the older update. Let’s consider why with an example. The Windows 7 September 2016 Optional rollup update KB3185278 contains (among other things) a non-security update to Windows Media Player that updates Windows Media Player to v12.0.7601.23517. Windows 7 March 2016 security update KB3138962 contains an older version of Windows Media Player, v12.0.7601.19148. Yet the supersedence metadata for KB3138962 doesn’t list KB3185278 as superseding KB3138962, and there is a very good reason for this; if KB3185278 was considered by Microsoft as superseding KB3138962, then if both of those updates were not installed on your computer, security update KB3138962 would not be shown in Windows Update due to the presence of optional update KB3185278 in the Windows Update list, which would be a very undesirable result.

    There seems to be a second meaning of supersedence involving components of an update that is distinctly different than the first meaning of supersedence and doesn’t seem to use the supersedence metadata mentioned in the first meaning. A usage of this second meaning: When trying to install a given update, it can be considered superseded because its components are superseded by components already on the computer. Another usage of this second meaning: From Disk Cleanup Wizard addon lets users delete outdated Windows updates on Windows 7 SP1 or Windows Server 2008 R2 SP1: “Therefore, after you run the Disk Cleanup wizard, you may be unable to roll back to a superseded update. If you want to roll back to a superseded update that the Disk Cleanup wizard deletes, you can manually install the update.”

    I’ll leave you with a question for discussion that you may now be in a position to answer. According to the Windows 7 supersedence metadata for Internet Explorer cumulative update KB4036586, KB4036586 supersedes Internet Explorer cumulative update KB3185319. But yet on a Windows 7 computer with neither of these updates installed, after installing KB4036586 and then checking for updates with Windows Update, KB3185319 was listed as available, and manually installing KB3185319 did not give the message “The update is not applicable to your computer.” My question to you is: How is this possible?

    1 user thanked author for this post.
    • #135440

      I should have defined “supersedence” in the first post. If Microsoft has declared that Update A supersedes (first meaning of supersedence) Update B, it means that Microsoft considers Update A to replace update B. Microsoft has more information about supersedence at About Updates.

      Microsoft sometimes changes the supersedence declarations for a given update. An example of this is Update to Supersedence Behaviour for Security Only and Security Monthly Quality Rollup Updates.

    • #135708

      For the second type of supersedence, I referenced the word “components.” More info about components:

      Understanding Component-Based Servicing

      Servicing Windows: Part One

      P.S. Comment from ch100 (my bolding):

      “Generally it is supersedence which is revised, like what patches are obsolete for the benefit of the systems administrators and the Windows Update engine itself. This is the information that is available in the Microsoft Catalog under Package Details (you may need IE for this information to be visible).
      The Component Based Servicing mechanism and I believe Disk Cleanup do their own checks and install/uninstall correctly based on the components (dlls in general) bundled in the patches and do not take in consideration the metadata supersedence, which explains why when only the metadata is revised, those who have already installed the patch do not need to do anything else.”

    • #135319

      I think it’s just an oversight in the update mechanism. KB3185319 is considered superseded by the monthly quality rollups but not by the monthly security updates. Even though all of the components within KB3185319 may already be installed or superseded, the presence of the package itself is still evaluated.

      KB3185319 can be installed but make no relevant changes if a later cumulative update is installed.

      • #136304

        A test I did indicated that even though according to supersedence metadata KB3185319 is superseded by KB4036586, when KB4036586 is installed, a manual installation of KB3185319 proceeds and does not give message “The update is not applicable to your computer.” Using a file system snapshot program before and after KB3185319 was installed shows that in this case KB3185319 indeed installs components (which I believe are probably not actually needed).

    • #137668

      I propose calling the first type of supersedence metadata-supersedence, and the second type of supersedence component-supersedence.

    • #177801

      From Relationships Among Updates: “Supersede – An update that subsumes the functionality of another update. For example, Windows XP SP2 supersedes a number of updates for Windows XP RTM. If update A supersedes update B, and both are applicable to a given client machine, then Automatic Updates will install only update A. Declaring a supersede relationship allows newer and older updates to be used together without conflict.”

      I use the phrase “metadata-supersedence” for the type of supersedence described in the above paragraph.

      2 users thanked author for this post.
    • #179937

      I’ll leave you with a question for discussion that you may now be in a position to answer. According to the Windows 7 supersedence metadata for Internet Explorer cumulative update KB4036586, KB4036586 supersedes Internet Explorer cumulative update KB3185319. But yet on a Windows 7 computer with neither of these updates installed, after installing KB4036586 and then checking for updates with Windows Update, KB3185319 was listed as available, and manually installing KB3185319 did not give the message “The update is not applicable to your computer.” My question to you is: How is this possible?

      If an update contains a new component that does not originally exist in the OS, this will void the component-supersedence, because CBS cannot compare the component to the inbox components baseline
      this will make the update always installable, and cannot be marked as superseded by WU except with metadata-supersedence

      an example of such updates are:

      Cumulative Security Update for Internet Explorer 11 for Windows 8.1 (KB3185319)
      Update for Windows 8.1 (KB3038936)
      Update for Windows 8.1 (KB3162835)
      Update for Windows 8.1 (KB3118401)

      these updates will not show in WU if the latest active/installed rollup is Security
      but they will be requested if the latest active rollup is Preview (because it doesn’t supersede them on metadata level)

      3 users thanked author for this post.
      • #179974

        Thanks for the explanation :).

        This is the first time that I recall somebody else using the phrases “metadata-supersedence” and “component-supersedence” – which I proposed in an earlier post in this topic – at this site. Would it be fair to infer that you agree that it’s a good idea to use these phrases?

        1 user thanked author for this post.
      • #180249

        I used your phrases 🙂
        usually i have similar phrases, metadata level and components or CBS level

        regarding metadata-supersedence, if an update is superseded with two or more updates, this won’t be reflected on the metadata (i.e. Catalog info)
        however, in most cases components-level calculate the relation

        2 users thanked author for this post.
        • #180253

          Do you know if metadata-supersedence data is ever used in component-supersedence calculations?

          • #180279

            Metadata-supersedence is optional to some extent, used only by Windows Update scanning (and human readers), but as we have seen in many situations like the one presented by @abbodi86 in this thread, it has its flaws. The authoritative mechanism is still CBS based.
            Disk Cleanup also uses the CBS mechanism to identify fully redundant updates and remove them according to the result of the calculations.
            Credit goes to @abbodi86 for most of those written by me, although I did my own research in the past, mostly related to the metadata supersedence only.

            1 user thanked author for this post.
        • #180266

          Not at all

          WUA makes use of and calls CBS to calculate component-supersedence, but not the opposite way around

          2 users thanked author for this post.
        • #180458

          “regarding metadata-supersedence, if an update is superseded with two or more updates, this won’t be reflected on the metadata (i.e. Catalog info)
          however, in most cases components-level calculate the relation”

          Any further elaboration or examples of the above would be appreciated :).

          Metadata-supersedence seems to have a transitive relation, in which if Update A metadata-supersedes Update B, and Update B metadata-supersedes Update C, then Update A is considered to metadata-supersede Update C regardless of whether the metadata explicitly says so.

          1 user thanked author for this post.
        • #180477

          I mean if update components are superseded by two or more updates components, WU metadata doesn’t reflect the supersedence, but CBS does
          example:
          Update for Windows 7 (KB2888049) superseded by 3 updates: KB3161949, KB3092601, KB3030039

          yes, metadata works in chain mode
          but as we saw in past year (especially IE11 updates), sometimes they expire Update B and forget to expire child updates
          in this case the chain is broken and Update C is requested by WU

          2 users thanked author for this post.
          • #180525

            “I mean if update components are superseded by two or more updates components, WU metadata doesn’t reflect the supersedence, but CBS does
            example:
            Update for Windows 7 (KB2888049) superseded by 3 updates: KB3161949, KB3092601, KB3030039″

            I believe what you mean is that having all three updates KB3161949, KB3092601, and KB3030039 installed is sufficient to guarantee that KB2888049 will be considered not applicable for manual .msu file installation, correct? In other words, KB3161949+KB3092601+KB3030039 component-supersedes KB2888049.

            1 user thanked author for this post.
            • #180548

              A test revealed that when KB3161949, KB3092601, and KB3030039 are installed, KB2888049 is not listed in Windows Update. This probably isn’t due to metadata-supersedence data for KB2888049, but rather because the Windows Update detectoid for KB2888049 checks for the presence of certain versions of certain files.

              2 users thanked author for this post.
            • #180631

              Yes, that’s what I meant, CBS declares it as superseded, and WU inherits that status

              2 users thanked author for this post.
            • #180677

              How does it work then if, going back to one of the examples above for Windows 7 and 8.1:

              1. Monthly CU is installed, then October 2016 IE CU (last before the current mechanism was put in place) is not required, being superseded by monthly CU. This is expected behaviour.

              2. Preview monthly CU is installed on top of the previous full monthly CU, then October 2016 IE CU becomes required in WU sense.

              However preview monthly CU supersedes previous full monthly CU and according to the transitivity logic, should not require an already superseded IE old patch.

              Transitivity in such a case becomes lost each month. Is this due to broken WU metadata supersedence chain?

              More so, when full monthly CU is applied last, Disk Cleanup removes October 2016 IE CU, but becomes again “required” if the next preview is applied.

            • #180749

              “However preview monthly CU supersedes previous full monthly CU and according to the transitivity logic, should not require an already superseded IE old patch.”

              If by “supersedes” you meant metadata-supersedes, preview rollups don’t metadata-supersede older non-preview monthly rollups.

              1 user thanked author for this post.
            • #180876

              I think you are right, I missed this. Preview Monthly Updates only supersede the other Preview Monthly Updates at the metadata level.
              However WU recognise them as superseding the previous Monthly (not preview) updates.
              The plot thickens… 🙂

            • #180950

              “However WU recognise them as superseding the previous Monthly (not preview) updates.”

              In my view, that’s not correct, because if it did, then in Windows Update the presence of a newer preview rollup would cause any older non-preview rollups to not be listed.

            • #180968

              “How does it work then if, going back to one of the examples above for Windows 7 and 8.1:”

              If you look at https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=4a7c98c1-098e-46ca-af01-1b80eee5f48c, note that “October, 2016 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB3185330)” metadata-supersedes “Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based Systems (KB3185319)”. However, note that according to https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=f864462a-bfee-406f-a376-09094e0f07b5, “October, 2016 Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems (KB3192403)” does not metadata-supersede “Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based Systems (KB3185319)”.

              Let’s assume it’s late October 2016. If necessary, review the Windows Update logic info in the first post. If KB3185330, KB3185319, and KB3192403 are all considered applicable to a given computer by Windows Update, then KB3185319 will not be displayed in Windows Update because KB3185330 metadata-supersedes KB3185319. However, if KB3185330 is either installed or hidden, it will not be considered applicable to the computer by Windows Update. In this case, KB3185319 and KB3192403 will be considered applicable to the computer by Windows Update, but the listing of KB3192403 does not suppress the listing of KB3185319 because KB3192403 doesn’t metadata-supersede KB3185319.

              1 user thanked author for this post.
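
The three-step listing logic from the first post, applied to the October 2016 case walked through in post #180968 and to the chain behaviour discussed in posts #180458 and #180477, as an added example that is not part of the original posts. It is a model only: it encodes just the supersedence relations stated in the thread, and it assumes an expired update is simply absent from the metadata, so a chain cannot be followed through it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    kb: str
    # KBs that this update directly metadata-supersedes (Package Details data).
    supersedes: frozenset = frozenset()


def make_catalog(*updates):
    """Index the published (non-expired) update metadata by KB number."""
    return {u.kb: u for u in updates}


def metadata_superseded_by(kb, catalog):
    """All KBs that `kb` metadata-supersedes, following the chain A -> B -> C."""
    seen, stack = set(), list(catalog[kb].supersedes)
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        # Assumption: an expired update is missing from the catalog, so its
        # own supersedence list cannot be followed and the chain stops here.
        if cur in catalog:
            stack.extend(catalog[cur].supersedes)
    return seen


def windows_update_list(catalog, applicable, installed=(), hidden=()):
    """Return the KBs shown to the user after the three steps in the first post."""
    step1 = set(applicable) - set(installed)   # 1. applicable, not installed
    step2 = step1 - set(hidden)                # 2. drop hidden updates
    suppressed = set()
    for kb in step2:                           # 3. drop anything superseded by
        suppressed |= metadata_superseded_by(kb, catalog)  # another listed update
    return sorted(step2 - suppressed)


# Relations stated in post #180968 (other catalog entries are not modelled).
OCT2016 = make_catalog(
    Update("KB3185330", frozenset({"KB3185319"})),  # Security Monthly Quality Rollup
    Update("KB3192403"),                            # Preview of Monthly Quality Rollup
    Update("KB3185319"),                            # IE11 cumulative update
)

# Constructed chain: A supersedes B, B supersedes C.
CHAIN = make_catalog(
    Update("A", frozenset({"B"})),
    Update("B", frozenset({"C"})),
    Update("C"),
)
# Same chain after B is expired but C is left published.
BROKEN_CHAIN = make_catalog(Update("A", frozenset({"B"})), Update("C"))


if __name__ == "__main__":
    everything = list(OCT2016)
    print("nothing installed :", windows_update_list(OCT2016, everything))
    print("rollup installed  :",
          windows_update_list(OCT2016, everything, installed=["KB3185330"]))
    print("rollup hidden     :",
          windows_update_list(OCT2016, everything, hidden=["KB3185330"]))
    print("intact chain      :", windows_update_list(CHAIN, ["A", "B", "C"]))
    print("broken chain      :", windows_update_list(BROKEN_CHAIN, ["A", "C"]))
```

Hiding the rollup has the same effect on the list as installing it: the older IE11 update reappears because nothing left in the list metadata-supersedes it.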
            • #181305

              Windows Update (metadata) mess is limited in Windows 8.1
              but it’s beyond control in Windows 7 because of the extra complexity of GDR/LDR branch, thus I always considered its WU a lost cause 😀

    • #180875

      How does it work then if, going back to one of the examples above for Windows 7 and 8.1:

      1. Monthly CU is installed, then October 2016 IE CU (last before the current mechanism was put in place) is not required, being superseded by monthly CU. This is expected behaviour.

      2. Preview monthly CU is installed on top of the previous full monthly CU, then October 2016 IE CU becomes required in WU sense.

      However preview monthly CU supersedes previous full monthly CU and according to the transitivity logic, should not require an already superseded IE old patch.

      Transitivity in such a case becomes lost each month. Is this due to broken WU metadata supersedence chain?

      More so, when full monthly CU is applied last, Disk Cleanup removes October 2016 IE CU, but becomes again “required” if the next preview is applied.

      The transitivity logic works on metadata level, CBS does not care about preview or security

      IE11 cumulative is requested because it contains new non-inbox components (in both Windows 7/8.1), therefore CBS cannot flag it as superseded

      are you sure Disk Cleanup removes it?
      I just checked in Windows 8.1 and it does not

      I also double checked, KB3038936 (Update for Win8.1 Defender) does not fit this scenario
      it does not contain new components and CBS flags it as superseded, but WU still requests it if latest Rollup is Preview

      WU metadata mystery continues 🙂

      2 users thanked author for this post.
      • #180878

        IE11 cumulative is requested because it contains new non-inbox components (in both Windows 7/8.1), therefore CBS cannot flag it as superseded

        are you sure Disk Cleanup removes it?
        I just checked in Windows 8.1 and it does not

        I am (almost) certain that I have seen it before on Windows 2012 R2, which should closely mirror Windows 8.1. I don’t have the patience or time (the little time available is spent now converting some .esd just released 😉 ) to repeat the experiment to research it, sorry.
        At that time I did not understand why the October 2016 IE11 CU was offered after experimenting with installing and uninstalling Monthly CUs and Preview Monthly CUs.

        It seems natural and logical though that if the IE11 CU is not offered normally with only Monthly CUs and no Preview Monthly installed, then when the same conditions are encountered following further action like uninstalling the Preview, the IE11 CU is also removed as being redundant.

    • #181171

      Those that want to see which updates Windows Update considers applicable for a given computer without filtering by metadata-supersedence metadata can use Windows Update MiniTool with “Include superseded” ticked.

    • #181466

      Does anybody know how to get the update applicability rules for a given update?

      Info I’ve found so far:

      1. I believe that the update applicability rules are found in SyncUpdates.Xml but I don’t know how to get this info. This post suggests that it may be possible; I used Fiddler but did not see SyncUpdates.Xml info.

      2. GetExtendedUpdateInfo download URLs are found in windowsupdate.log (may need to turn on verbose windowsupdate.log logging to see them). These URLs often (always?) seem to contain “msdownload/update/others”. Example: download.windowsupdate.com/d/msdownload/update/others/2018/03/26323814_fba40cda611c618fe034e53ba08dd6271407d870.cab, which seems to have extended update applicability rules for KB2952664. Does this contain the core update applicability rules mentioned in point #1?

      3. .msu files contain a file named wsusscan.cab, which contains file package.cab, which contains (amongst other things) update applicability rules in potentially many files. One of the files in the .msu for KB2952664 contains an update applicability rule (in folder “core”) referencing file appraiser.dll. The file in point #2 does not contain an update applicability rule referencing file appraiser.dll, which leads me to believe that the answer to the question in point #2 is “no.”

      • #181494

        2. Yes, WU gets metadata for updates using these “others” cab files

        3. The update metadata will always be in the last two (at least) files in this path inside msu:

        msu\WSUSSCAN.cab\package.cab\core\
        msu\WSUSSCAN.cab\package.cab\extended\

        typically 2858 & 2859
        unless there are more than one .cab update file or bundled .exe, in that case would be 2858 -> the rest of list

        the latest file will hold the metadata for the main or wrapper update entry
        the one before will hold the metadata for the bundled update(s) binaries

        i.e. KB2952664 core files:
        2860 = metadata for update entry
        2859 = metadata for Windows6.1-KB2952664-v24-x86.cab (it requires kernel32.dll v6.1.7601.17617 at least)
        2858 = metadata for EnableTask.exe (it requires KB2952664-v24 installed and kernel32.dll v6.1.7601.17617 at least, and additional check for appraiser.dll version)

        extended will hold ExtendedProperties for the same metadata

        an example for msu package with multiple cab files is WMF 5.1 KB3191566

        wsusscn2.cab for security and some important update holds all these kinds of metadata
        you need to extract the inner package*.cab files, and check the files in c & s folders
        some metadata files are huge and require a decent text editor, i.e. AkelPad 🙂

        1 user thanked author for this post.
    • #184645

      Here is an example of component-supersedence:

      1. Install KB3095649 and reboot.

      2. Install KB4055038 and reboot.

      3. Look at Installed Updates. Both updates are listed.

      4. Run Disk Cleanup of Windows Updates and reboot. Look at Installed Updates. KB3095649 is not listed anymore.

    • #184659

      In the first post, I gave two usages of a second type of supersedence and lumped them together into one type of supersedence, but I now believe that they should be considered two types of supersedence.

      The first usage is what I now propose to be called install-supersedence. I believe that Microsoft’s usage of “superceded” in https://support.microsoft.com/en-us/help/4100480/windows-kernel-update-for-cve-2018-1038 can be considered an example of install-supersedence:

      “This update has been superceded by the following newer updates:

      April 10, 2018—KB4093108 (Security-only update)
      April 10, 2018—KB4093118 (Monthly Rollup)”

      I did a test. I installed KB4056897 and rebooted. Windows Update offered KB4100480. Then I installed KB4093108 and rebooted. Windows Update didn’t offer KB4100480. Thus, it seems that KB4093108 install-supersedes KB4100480.

    • #184683

      “Thus, it seems that KB4093108 install-supersedes KB4100480.”

      Given this info, it might seem reasonable to infer that if one installs KB4100480 before KB4093108, and then runs Disk Cleanup of Windows Updates and reboots, that KB4100480 will no longer be listed in Installed Updates. I tested this. I installed KB4056897 and rebooted. I installed KB4100480 and rebooted.  I installed KB4093108 and rebooted. I ran Disk Cleanup of Windows Updates and rebooted. KB4100480 was listed in Installed Updates. Thus, it seems that install-supersedence is indeed a different type of supersedence than component-supersedence.

       

      1 user thanked author for this post.
      • #185177

        The result in post #184683 was done on a test virtual computer without the latest version of the Disk Cleanup code that Group A has. I repeated this test on a Group A computer. The new test had a different result: KB4100480 was not listed in Windows Update at the end of the test.

    • #185210

      I propose that what I had been calling component-supersedence should be renamed to cleanup-supersedence, since that more accurately describes its context involving Disk Cleanup of Windows updates.

      As a review, the three types of supersedence described in this topic are:

      1. metadata-supersedence.

      2. cleanup-supersedence.

      3. install-supersedence.
