Hello. My name is Digvijay Nath, and I’m a Technical Lead with the Windows Performance team at Microsoft. This is a short blog on installation and removal of updates and hotfixes and its effects.
Consider the following scenario –
We have a system binary with the version 5.2.3790.4043. You install an update, say KB2507938 - which updated this dll to version 5.2.3790.4860. Later you install another update KB2567680 which updated the same dll to version 5.2.3790.4877
For some reason you want to remove these 2 updates.
You remove the patches in “first in, first out” (FIFO) order. You first uninstall KB2507938, it prompts that KB2567680 (which supersedes this update) will not work. You remove the patch and reboot the server. After the reboot, the version of the file changes to 5.2.3790.4043.
You then remove the KB2567680, and after the reboot, the version of the file changes to 5.2.3790.4860
You remove the patches in “last in, first out” (LIFO) order, first KB2567680, the version of the file changes to 5.2.3790.4860 and then KB2507938 and reboot. Now the file version changed to 5.2.3790.4043.
The version of the file restored after removing a patch would depend on the version of the file present when *that* particular update was installed. When a patch is installed, Update.exe backs up the present file in the $NTUninstallKBxxxxxx$ so that it can restore the same file if we uninstall that patch.
So, if you remove an intermediary patch, the file version would be changed to the one that was present when the intermediary patch was installed, even when you have a newer patch that supersedes the intermediary patch installed on the server.
A --> B --> C
So, removing patch B would restore the file version to A which was currently at C.
Since the copy/replacement of the file updated by a patch happens only after the reboot (as the files may be in use when the patch was installed/un-installed) during the session startup by the Session Manager, there is no control of the System File Protection mechanism to prevent the overwriting of a newer version file by an older version. Hence there could be situations of older files being replaced even when you have newer version of the fix installed.
Microsoft does not have any policy or makes any recommendation to remove security patches/hotfixes. Microsoft releases patches to address vulnerabilities exposed and fixes issues with the OS. If there is any need to remove patches, you should follow LIFO method so that correct file versions are restored.
Please also note that the above information is more relevant to Windows XP/2003. I will be following this blog up with another one which talks about the behavior in Windows Vista/Windows 7 as servicing stack has been completely revamped in these operating systems.
For More information, please review the following:
GDR, QFE, LDR... WTH?
Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages
What is the difference between general distribution and limited distribution releases?
Windows Performance team