Your monthly sysadmin routine will change with the introduction of a different Microsoft Patch Tuesday, which shifts to a single Monthly Rollup patch model in which all patches are delivered at once, in a single package.

Many IT admins who manage Windows-based environments have followed the same routine on the second Tuesday of each month for many years. On that day, Microsoft releases a batch of security updates (patches) for its operating systems and other software products. Each patch fixes one or more vulnerabilities, each identified by a number assigned through the Common Vulnerabilities and Exposures (CVE) system, maintained by the National Cybersecurity Federally Funded Research and Development Center (FFRDC).

Vulnerabilities that are discovered and exploited by attackers before the vendor becomes aware of them and issues a patch are called zero-day vulnerabilities. Most vulnerabilities, however, are discovered by security researchers – working for legitimate security companies or in-house for the software vendors – so there is time to test the patches more thoroughly and release them as part of the regularly scheduled batch.

Release schedules and organization vary widely from one software vendor to the next. Some (for example, Apple) release patches irregularly, on no set schedule, mostly depending on the severity of the detected threats. Many others have a regular patch release cycle on a specific day of each month (or, in Oracle’s case, each quarter). This was also the case for Microsoft, at least for the past thirteen years, up until this October, when they announced they would launch only a single monthly package containing all the fixes and patches for threats that have been identified in their products.

Taking it one fix at a time

Back in October of 2003, Microsoft introduced the practice of releasing all (except urgent) updates on the second Tuesday of each month, which quickly became known as Patch Tuesday. The idea was that IT pros could prepare for the event rather than having to respond “on the fly,” with no warning, every time a new patch came out. Why Tuesday? Mondays are hectic enough already for IT admins, who often come in to face issues that have arisen over the weekend. That leaves mid-week, and doing it on Tuesday provides the maximum time to get any problems straightened out before the next weekend.

Over the years, Microsoft’s security patches for its operating systems and productivity software have usually been released as separate patches, each addressing only one vulnerability or several that are related. For example, MS16-106, released on September 13 along with thirteen other patches, fixes five vulnerabilities in the Microsoft Graphics component of Windows. Patches were also released that day for vulnerabilities in Silverlight, the Windows kernel, the Windows 10 lock screen, and so forth. Although they don’t get nearly as much attention from the tech press, several non-security updates are also released each Patch Tuesday, addressing issues such as slow performance or system crashes.

Putting it all together

Sometimes in medicine the cure is worse than the initial disease or condition, and in IT a patch can cause more problems than the issue it fixes. When a patch is reported to cause serious problems on certain computers, IT personnel can defer installing that patch while still installing the rest of them, so they don’t lose the protection against all those other vulnerabilities. Updates that roll all the current fixes into a single patch offer the convenience of an all-in-one solution, but also take away the admin’s ability to pick and choose which vulnerabilities to patch.

This may increase the chance that an incompatibility with a particular system configuration or other software causes the update to fail or to produce undesired behavior. Microsoft is no stranger to the rollup concept. Its security updates for the Internet Explorer and Edge web browsers are always cumulative updates that address all the issues to be fixed in that application; for example, September’s cumulative update for Edge (MS16-105) addressed ten disparate vulnerabilities.

Rolling it up

With the release of Windows 10, Microsoft started issuing cumulative updates for the new operating system. They occasionally release a major update, such as the v1511 update and then the Anniversary Update in early August. In between, they release minor updates that contain fixes but no new features, as they did on September 29, when they released a cumulative update for Windows 10 v1607 and another for v1511, for those without the Anniversary Update installed. These cumulative updates don’t always go smoothly. Mary Jo Foley reported in her ZDNet column on September 30 that the latest one was failing to install on some computers, which left the system trying over and over to complete the installation in an “endless loop.”

It’s no wonder, then, that not everyone is thrilled with the prospect of moving to a rollup model for patching Windows 7 and 8.1, as well as Server 2008 R2, 2012 and 2012 R2. While there are benefits to doing so (enumerated by Microsoft in the linked blog post), and while there is something to be said for a consistent patching model across the different operating systems, there are also the tradeoffs discussed above. Because the rollup is installed or uninstalled as a single patch, IT won’t be able to test individual fixes or roll back just the ones that are causing a problem.

There is a smidgen of good news, however. While the monthly cumulative updates will include both security and non-security content, Microsoft will also release a security-only update for organizations that want to reduce the risk of incompatibilities and unintended consequences. These will not be available through Windows Update, but organizations can get them through WSUS, SCCM and the Windows Update Catalog. For individual home users, it’s an all-or-nothing proposition.
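To see in practice which of the two packages a Windows 7/8.1 or Server 2012 host has received, and what "rolling back" means under the new model, here is an added PowerShell example (not code from the original post or from Microsoft). It uses the Windows Update Agent COM history and wusa.exe; the title regex and the KB number are assumptions you may need to adjust for your WSUS naming.

```powershell
# Added example: list recent Monthly Rollup / security-only entries from the local
# Windows Update history, then remove one package by KB number.
# Assumption: Microsoft's update titles contain "Rollup" or "Security Only";
# change the regex in Get-RollupHistory if your environment names them differently.

function Get-RollupHistory {
    param([int]$Last = 50)
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count    = [Math]::Min($Last, $searcher.GetTotalHistoryCount())
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Title -match 'Rollup|Security Only' } |
        ForEach-Object {
            [pscustomobject]@{
                Date      = $_.Date
                Title     = $_.Title
                KB        = $(if ($_.Title -match 'KB(\d{6,7})') { "KB$($Matches[1])" } else { $null })
                # OperationResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed
                Result    = $(switch ($_.ResultCode) { 2 {'Succeeded'} 3 {'SucceededWithErrors'} 4 {'Failed'} default {$_} })
                # UpdateOperation: 1 = installation, 2 = uninstallation
                Operation = $(if ($_.Operation -eq 2) { 'Uninstall' } else { 'Install' })
            }
        }
}

function Remove-UpdateByKB {
    # $KB is a placeholder such as 'KB1234567'; use the real number from Get-RollupHistory
    param([Parameter(Mandatory)][string]$KB)
    $id = $KB -replace '^KB', ''
    if (-not (Get-HotFix -Id "KB$id" -ErrorAction SilentlyContinue)) {
        Write-Warning "KB$id is not installed on this host"
        return
    }
    # wusa removes the whole package. For a Monthly Rollup that is every fix it
    # contains, which is the trade-off the post describes; a security-only update
    # removes only that month's security fixes.
    Start-Process -FilePath wusa.exe -ArgumentList "/uninstall /kb:$id /quiet /norestart" -Wait
}

Get-RollupHistory | Format-Table -AutoSize
```

Run it from an elevated prompt; a `Result` of `Failed` next to a rollup entry is the kind of install loop the post mentions, and is worth correlating with the host's event log before deciding whether to remove the package.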

With Windows 10, you can roll back cumulative patches if they cause problems, and presumably that will also be the case with the older operating systems to which this change applies. And despite the reports referenced above, overall the cumulative patching process has worked pretty well for Windows 10 users so far. At the time of publishing, the changes haven’t yet gone into effect, and we don’t know at this point whether or how the monthly security bulletins we’ve come to rely on for patching information will change. All we can do at this point is wait and see what happens today, on October 11, the first Patch Tuesday that will incorporate the new servicing model.