Simplified servicing for Windows 7 and Windows 8.1: the latest improvements


Today, we are providing insight into two recent and upcoming modifications to the servicing model for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. Customers using Windows Update and connected directly to Microsoft for updates (such as consumer PCs) will not be impacted by these changes, while enterprise customers using update management tools can benefit from these improvements.

Beginning in October 2016, updates for these versions of Windows have been released using a rollup model. Below is a quick summary of the updates available in this new model:

  • Security Monthly Quality Update (aka the Monthly Rollup) – New fixes are rolled into a single update, which includes both security and reliability fixes, as well as all fixes from previous rollups. Each new Monthly Rollup will supersede the previous, so installing the latest Monthly Rollup will ensure you have all fixes since the start of the model in October 2016. For example, the December 2016 Monthly Rollup contained all the fixes in the October and November Monthly Rollups.
  • Preview of Monthly Quality Rollup (aka the Preview Rollup) – New reliability fixes are first released in an optional Preview Rollup that enables early deployment of the new reliability fixes before they are included in the next Monthly Rollup.
  • Security Only Quality Update (aka the Security Only update) – In an alternative option released to WSUS and Microsoft Update Catalog only, new security fixes are also provided in a single Security Only update, which rolls all the security patches for that month into a single update. The Security Only update does not contain fixes from previous months, and allows enterprises to download as small an update as possible to remain secure.

For more information on these updates, and deployment scenarios, see our previous blog post.

For the last four months this new servicing approach has provided customers on Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 with a consistent model for staying current and secure. When there have been new fixes, a Monthly Rollup and a Security Only update have been released on Update Tuesday, and a Preview Rollup on the following Tuesday*.

In this time, we have also been listening to you, our customers, for opportunities to fine tune the model and further simplify the update deployment scenarios. We are happy to announce the following changes:

Deploying both the Security Only update and Monthly Rollup

Both the Monthly Rollups and Security Only updates are available on WSUS and the Microsoft Update Catalog, and both are published with the “Security updates” classification, enabling enterprise customers using WSUS or other update management tools to sync and deploy both updates, depending on their settings. To further simplify installation and deployment in this scenario, the servicing model was updated in December 2016 to better handle the Security Only update installation applicability.

As of December 2016, a Security Only update will not be offered on a PC where a Monthly Rollup (from the same or later month) is already installed. This is accomplished through an applicability definition on the Security Only update, which checks for the installation of a Monthly Rollup (from the same or later month) to determine if it is applicable on the PC. For example, if a PC attempts to install the February 2017 Security Only update, and the February 2017 (or later) Monthly Rollup is already installed, the Windows Update client will now report the Security Only update as not applicable. In addition to simplifying the installation scenario, tools that leverage such applicability for deployment reporting would see the Security Only update as not needed on the PC.

Additionally, as of December 2016, Security Only updates from earlier months (October and November 2016) were revised to leverage this applicability check, so it now applies to all Security Only updates released in the new servicing model. Finally, this applicability definition also checks for the installation of a Preview Rollup from the same or later month, which also includes the security fixes for that month.

See our earlier servicing model post for more information on update strategy choices and expected behaviors when deploying both updates.

Reducing the package size of the Security Only update

The Security Only update contains new security fixes for the Windows operating system, which includes Internet Explorer. Before October 2016, updates for the latest supported version of Internet Explorer (IE11 for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 and Windows Server 2012 R2; IE10 for Windows Server 2012) were provided in a separate monthly update. From October 2016 to January 2017 we included any Internet Explorer fixes for that month in the Security Only update to allow you to also remain secure for the latest supported Internet Explorer version for your operating system, all by installing the single Security Only update.

This inclusion enabled a simplified update installation process, though the Internet Explorer updates constituted a significant percentage of the total Security Only update package size. Given that package size is one of the primary reasons some enterprise customers choose to leverage the Security Only update (to optimize for smaller download in limited bandwidth scenarios), these customers have requested increased flexibility for deploying the Security Only updates for Windows independently of the fixes for Internet Explorer.

Starting with February 2017, the Security Only update will not include updates for Internet Explorer, and the Internet Explorer update will again be available as a separate update for the operating systems listed above.

With this separation, the Security Only update package size will be significantly reduced, but you will need to deploy and install the Internet Explorer update to remain secure for the latest supported version of the browser. [Note that the Internet Explorer update will not install or upgrade to the latest supported version of Internet Explorer if not already present.]

The Monthly Rollup will continue to include updates for Internet Explorer, as a single additive update that provides all security and reliability fixes since the beginning of the new servicing model in October 2016. Users of the Monthly Rollup will not need to install the separate Internet Explorer update. To simplify installation for Monthly Rollup users, the new Internet Explorer update will leverage the same installation applicability definition as the Security Only update (explained above), meaning that it will not install on a PC that has already installed the Monthly Rollup (or Preview Rollup) from the same or later month.

The following table highlights the inclusion and applicability for these updates.

 

| Update | Classification | Contents | Includes IE | Not applicable | Release |
|---|---|---|---|---|---|
| Security Monthly Quality Rollup (aka the Monthly Rollup) | Security Updates | New security fixes + non-security fixes from latest Preview Rollup + all previous Monthly Rollups | Yes | If a later Monthly Rollup is installed | Update Tuesday (2nd Tuesday) |
| Security Only Quality Update (aka the Security Only update) | Security Updates | New security fixes (not including IE fixes) | No | If a Monthly Rollup (current or later month) is installed | Update Tuesday (2nd Tuesday) |
| Preview of Monthly Quality Rollup (aka the Preview Rollup) | Updates | New non-security fixes + all previous Monthly Rollups | Yes | If a later Monthly Rollup or Preview Rollup is installed | 3rd Tuesday |
| Cumulative Security Update for Internet Explorer | Security Updates | Fixes for IE11 (IE10 on Windows Server 2012) | Yes | If a Monthly Rollup (current or later month) or IE Update (later month) is installed | Update Tuesday (2nd Tuesday) |
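
The applicability rules in the table above can be modelled to check what a PC on the Security Only track still needs. This is an added example, not Microsoft's applicability logic or code from this post; the update kinds, the `(year, month)` encoding, the release calendar and the sample PC are constructed assumptions.

```python
from typing import NamedTuple

MONTHLY, PREVIEW, SECURITY_ONLY, IE = "monthly", "preview", "security_only", "ie"
ROLLUPS = (MONTHLY, PREVIEW)
IE_SPLIT = (2017, 2)  # page: from February 2017 Security Only excludes IE fixes

class Update(NamedTuple):
    kind: str
    month: tuple  # (year, month) of release; encoding is an assumption

def is_applicable(candidate, installed):
    """Apply the 'Not applicable' column; an installed update is never re-offered."""
    if candidate in installed:
        return False
    for u in installed:
        later = u.month > candidate.month
        same_or_later = u.month >= candidate.month
        if candidate.kind == MONTHLY and u.kind == MONTHLY and later:
            return False
        if candidate.kind == PREVIEW and u.kind in ROLLUPS and later:
            return False
        if candidate.kind == SECURITY_ONLY and u.kind in ROLLUPS and same_or_later:
            return False
        if candidate.kind == IE and u.kind in ROLLUPS and same_or_later:
            return False
        if candidate.kind == IE and u.kind == IE and later:
            return False
    return True

def security_only_gaps(released_months, installed):
    """Updates a Security Only PC still needs. Security Only updates are not
    cumulative, so every released month is checked. Assumption: only the latest
    IE update is needed, since the table shows a later one replacing it."""
    needed = [Update(SECURITY_ONLY, m) for m in sorted(released_months)
              if is_applicable(Update(SECURITY_ONLY, m), installed)]
    latest = max(released_months)
    if latest >= IE_SPLIT and is_applicable(Update(IE, latest), installed):
        needed.append(Update(IE, latest))
    return needed

# Constructed sample: release calendar and one PC's installed updates.
RELEASED = [(2016, 10), (2016, 11), (2016, 12), (2017, 1), (2017, 2)]
PC = [Update(MONTHLY, (2016, 11)), Update(SECURITY_ONLY, (2017, 1))]

if __name__ == "__main__":
    for u in security_only_gaps(RELEASED, PC):
        print(u.kind, "%d-%02d" % u.month)
```

For the sample PC, the November rollup makes the October and November Security Only updates not applicable, but December remains a gap even though the January Security Only update is installed.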

 

With these two modifications for the Security Only updates (installation applicability and the standalone Internet Explorer update), enterprise customers using update management tools such as WSUS or System Center Configuration Manager will now have increased flexibility and simplicity in their deployments. Additionally, Windows Update users will continue to stay up-to-date through the Monthly Rollups. We are committed to listening to our customers, and are excited to provide these two improvements early in this new model to continue simplifying Windows servicing.

We will continue to gather and incorporate your feedback for additional opportunities to simplify servicing, and will communicate any forthcoming changes in advance to help you plan and leverage these improvements.

 

* Note:  Months with no new Windows security or reliability fixes will not have a Security Only or Monthly Rollup release; for example, January 2017 for Windows 8.1, Windows Server 2012 and 2012 R2. Similarly, months with no new reliability fixes to preview will not have a Preview Rollup; December 2016 and January 2017, for example.

Comments (11)

  1. Joe Friedel says:

    When will monthly rollups come to WSUS for Enterprise versions of Microsoft Office? That’s the last product that has a huge number of individual updates each month.

    1. Good question for our colleagues over on the Office Updates blog – https://blogs.technet.microsoft.com/office_sustained_engineering/

      1. Susan Bradley says:

        Move to the Click to run model, Office would probably argue they already have a rollup model now.

        1. DanW7 says:

          Personally, I am in no rush to see the cumulative model applied to the Microsoft Office model. Joe, it is good to try and have this work on Microsoft Windows operating systems of 7 and 8.1 first and not try and overwhelm Microsoft with a cumulative update model on Office as well. Microsoft is still perfecting the model for Windows 7 and 8.1.

  2. Brian says:

    If a Security Only Quality Update has a bug of a non-security nature, and this bug is fixed in a more recent Security Monthly Quality Rollup, can we typically expect the bug to also be fixed a) in an updated version of the problematic Security Only Quality Update, b) in a separate update, or c) none of the above? Example: suppose a Security Only Quality Update has a bug that results in a very long login time for some users. The point of this question is ascertaining whether installing only Security Only Quality Updates (and also Cumulative Security Updates for Internet Explorer) can be expected to be a viable strategy for those who want a reasonably good experience with regards to bugs.

  3. Brian says:

    Are Preview of Monthly Quality Rollups considered to be of good enough quality for use on non-test computers?

  4. Brian says:

    Prior to public release, how much testing is done of Security Only Quality Updates relative to testing of Security Monthly Quality Rollups?

  5. DanW7 says:

    I appreciate the changes to the Windows 7 model, Nathan. The addition of letting us choose Internet Explorer updates separately from the Security Update is a huge and positive change for the better. Cheers and thanks so much Nathan for this change to the Windows 7 and Windows 8.x Serving Model. It is greatly appreciated!

  6. Mike Crowley says:

    When can we expect the monthly updates to include all prior updates – not just the updates since Oct 2016? I.e. Win7 SP1 from the DVD + a monthly single update = fully patched?

    1. We are still working on this and don’t have any updated dates to share currently. We will update this post when we have something to announce.
