Windows 7 update guide: How 'security-only' and 'monthly rollups' differ

Microsoft in 2016 changed the way it rolls out updates for Windows 7 and Windows 8.1, leaving many IT admins and users confused. Here's how to sort out what the company is doing.

It's been more than a year since Microsoft ended the decades-old practice of letting customers choose which patches they apply, and instead instituted a cumulative update maintenance model for Windows 7 and its shadow-of-a-sibling, Windows 8.1.

And yet some users still don't grasp the new scheme.

"There are plenty of people who don't know which kind of update they should use," Chris Goettl, product manager with client security and management vendor Ivanti, said in a recent interview. "'Which one should I do? What non-security features are included in the monthly rollup?' There's still some confusion."

No wonder there.

Microsoft asked for a lot last year. It asked enterprise IT administrators to upend ingrained patching practices. It asked them to make radical changes to how they maintain Windows 7 deep into its lifecycle, when there were just three years and change remaining before retirement, a phase most admins probably thought they'd be coasting through as they prepped for Windows 10. It asked customers to absorb new terminology. And it changed the rules more than once after the new process debuted.

In return, users had questions - and still do. The top query may seem among the simplest - what's the difference between the two types of Windows 7 updates now offered - but as Computerworld found out, appearances are deceiving.

What's in the security-only update? Just as the name implies, this update includes only security-related fixes, the kind that Microsoft has issued for 14 years on the second Tuesday of each month (aka "Patch Tuesday").

Just as important, though, is that the security-only update contains this month's fixes, and nothing more. (Again, that characteristic is what has defined Windows patches for years.)

What's in the monthly rollup? The Windows 7 and 8.1 monthly rollups include not only this month's security patches, but also all past security and non-security fixes, going back to at least October 2016, and maybe further. In other words, a monthly rollup is a superset of the month's security-only.

Side note: "Rollup" is a term Microsoft has used for ages to label catch-up updates, those that bring a program or operating system up to current status by bundling all past fixes. (Usually from a specific point in time, say, the last major release, which in the past were called "service packs" and abbreviated to "SP," as in "SP1" to designate the first such collection.)

Microsoft has touted rollups as a customer convenience, because they allow a long-out-of-date PC to be made current with just one download and install, rather than being forced to retrieve scores, perhaps hundreds, of individual updates. That's exactly how the company described what it dubbed the "Windows 7 SP1 convenience rollup" it issued in May 2016.

"Install this one update, and then you only need new updates released after April 2016," Microsoft said at the time of the convenience rollup, which preceded and presaged the monthly rollups announced three months later.

Are there size differences between the security-only and monthly rollup updates? Yes.

  • Security-only updates are significantly smaller than monthly rollups. On average, the former amounted to about 16% of the latter during the 14 updates issued since October 2016.
  • A monthly rollup is always bigger than its predecessor, because each must add this month's fixes to the month-before bundle. December's Windows 7 monthly rollup, for example, weighed in at 205MB, a slight gain over November's 203MB.
  • Security-only updates vary in size month by month. Some months the update will be smaller than the month prior; other times, larger. In August, the Windows 7 64-bit security-only was 30MB, but it jumped to 42MB in September before shrinking to 32MB in October.

Who can get security-only updates? Only organizations that service devices using Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM) or a third-party platform that taps into WSUS.

Why's that? Microsoft has never put it this plainly, but it's clearly a bone thrown to the most valuable customers - enterprises and other business or educational organizations of size - to make the 2016 switch to cumulative updates for Windows 7 more palatable.

Windows 10 users weren't given options like this; on that OS, it's cumulative updates - another label for monthly rollups - or nothing.

But because Windows 7 was, and remains, the dominant operating system in the enterprise, resistance to the cumulative-Windows 10 model led Microsoft to cut its corporate customers some slack. They would be allowed to deploy the month's security patches, and only those fixes, and refuse non-security updates.

Think of it as a compromise between the radical-enough move to make Windows 7 updates cumulative - in that the bundle could not be broken into its separate patches - and Windows 10's one-size-fits-all process.

We use Windows Update to patch a handful of PCs. What do we get? Monthly rollups. You can't install security-only patches.

As with so much else, Microsoft's Windows 7 patching policies favor enterprises over consumers and very small businesses. The first comprise its best customers, who pay the most for Windows - typically, the Windows Enterprise SKU (stock-keeping unit) - and spend, by far, more on services such as Office 365 than do those who make up the second group.

How is Internet Explorer patched now? Are fixes included in both the security-only and the monthly rollup? No. Starting in February, Internet Explorer (IE) patches were stripped from the security-only, and instead offered in a separate update.

Microsoft has changed its mind about IE a couple of times. Before it launched the revamped Windows 7 patch process, the company said IE fixes would be included in the security-only update. But when October 2016 came, it instead bundled them into the update. Since February, however, they have been separated from the security-only.

Earlier this year, Microsoft explained that it was doing this to shrink the size of the security-only updates. "Given that package size is one of the primary reasons some enterprise customers choose to leverage the Security Only update (to optimize for smaller download in limited bandwidth scenarios), these customers have requested increased flexibility for deploying the Security Only updates for Windows independently of the fixes for Internet Explorer," wrote Nathan Mercer, senior product marketing manager, in a January post to a company blog. The security-only updates did drop in size after that: The average size of the security-only updates without IE was slightly more than a third of the size with IE.

But there may have been more to the story than Microsoft wanted to tell.

With IE being abandoned in droves each month, even by those who had once been its fiercest defenders - enterprise IT administrators - the added baggage of the browser's patches was unnecessary, and unwanted. If they had switched their workers to, say, Google's Chrome, they had no need for IE's updates. Separated from the security-only updates, the IE patches could be ignored.

IE patches have always been included in monthly rollups, adding to the kitchen-sink approach of that patching option.

Which should we download and install? Security-only or monthly rollup? That's the $64,000 question, adjusted for inflation.

There's little point in selecting and installing both in the same month, as the security patches are also included in the rollup. In fact, in December 2016, Microsoft made it more difficult to install both, as it changed the rules yet again; if a monthly rollup for the current month, or one further into the future than the security-only update, were installed, the latter would be marked as not applicable for that PC.

In hindsight, it's clear that the patch reorganization and the new terminology confused IT administrators. "This caused a bit of bumpiness early on. Many admins were deploying the security-only updates, only to find that any fixes for the security-only updates are in the [monthly] rollups," said Susan Bradley, a noted patch expert who moderates the PatchManagement.org mailing list, in a recent email exchange.

Microsoft leans toward the monthly rollups in its advice. "Installing the latest monthly rollup will ensure the PC is compliant for all security updates released in the new servicing model," Michael Niehaus, director of product marketing for Windows, wrote in a December 2016 revision to an earlier post to a company blog. "This is our recommended updating strategy.... You should deploy the monthly rollup."

Others, however, have placed their bets on the security-only updates because relying on them and them alone avoids the rollups. "It really seems that a lot of the breakage problems come at the end of the month when the non-security fixes come out," Goettl of Ivanti said, referring to the patches included with the following month's rollup.

Administrators can also push security-only and monthly rollups to separate groups of managed PCs, or feed every system the security-only updates each month, but the rollups only once each quarter. (The latter tactic requires that admins deploy the security-only every single month. Failure to do so means that the PCs would be vulnerable to flaws fixed in skipped months, or until a monthly rollup is distributed to the machines.)
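To make those servicing rules concrete, here is an added Python model (not Microsoft's tooling or the article's own code) that encodes what the article states: a security-only carries only its month's fixes, a monthly rollup carries every month back to October 2016, and since December 2016 a security-only is marked not applicable once a rollup for that month or a later one is installed. The calendar simplification, the `Update` type and the sample PC are assumptions.

```python
from dataclasses import dataclass

# The article says rollups reach back to at least October 2016; this model
# treats that month as the start of the servicing timeline (assumption).
OCT_2016 = (2016, 10)

def month_index(ym):
    """Map a (year, month) pair to a running month count for comparison."""
    year, month = ym
    return year * 12 + (month - 1)

def index_to_month(i):
    return (i // 12, i % 12 + 1)

@dataclass(frozen=True)
class Update:
    kind: str      # "security-only" or "monthly-rollup" (assumed labels)
    month: tuple   # (year, month) of the Patch Tuesday that shipped it

def fixes_covered(update):
    """Months whose fixes this update carries: a security-only carries only its
    own month; a monthly rollup carries October 2016 through its own month."""
    if update.kind == "security-only":
        return {update.month}
    return {index_to_month(i)
            for i in range(month_index(OCT_2016), month_index(update.month) + 1)}

def security_only_applicable(installed, month):
    """December 2016 rule: once a rollup for the same or a later month is
    installed, the security-only update for `month` is not applicable."""
    return not any(u.kind == "monthly-rollup" and month_index(u.month) >= month_index(month)
                   for u in installed)

def unpatched_months(installed, through):
    """Months from October 2016 to `through` that no installed update covers:
    the exposure window the article warns about when a security-only is skipped."""
    covered = set().union(*(fixes_covered(u) for u in installed))
    return sorted(index_to_month(i)
                  for i in range(month_index(OCT_2016), month_index(through) + 1)
                  if index_to_month(i) not in covered)

# Constructed sample (not from the article): quarterly rollup in March 2017,
# security-only in April and June, with May skipped by mistake.
SAMPLE_PCS = [Update("monthly-rollup", (2017, 3)), Update("security-only", (2017, 4)),
              Update("security-only", (2017, 6))]
SAMPLE_GAP = unpatched_months(SAMPLE_PCS, (2017, 6))   # [(2017, 5)]
```

Installing the June 2017 rollup on the sample PC closes the May gap, which is the "until a monthly rollup is distributed" escape hatch the article describes.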

The bottom line: The answer depends on an organization's needs and priorities.

Microsoft's terminology confuses us. Have any help for that? We sure do.

Check out this support document, "Description of the standard terminology that is used to describe Microsoft software updates," on Microsoft's website. Microsoft has discarded some of the terms - "service pack" is obsolete, and the company no longer publishes security bulletins - but those pertinent to Windows 7 are spelled out.

Copyright © 2017 IDG Communications, Inc.