Slashdot Mirror


Tuesday Was Microsoft's Last Non-Cumulative Patch (helpnetsecurity.com)

There was something unique about this week's Patch Tuesday. An anonymous Slashdot reader quotes HelpNetSecurity: It was the last traditional Windows Patch Tuesday as Microsoft is moving to a new patching release model. In the future, patches will be bundled together and users will no longer be able to pick and choose which updates to install. Furthermore, these new 'monthly update packs' will be combined, so for instance, the November update will include all the patches from October as well.
Last month a Slashdot reader asked for suggestions on how to handle the new 'cumulative' updates -- although the most common response was "I run Linux."

7 of 222 comments

  1. Not sure you have a lot of options? by King_TJ · Score: 5, Informative

    I think if the patches are bundled together now - you basically have to treat them as one larger patch. In other words, nothing changes except any time you find you did one and it breaks something, you roll the whole collection back until it can be rectified.

    IMO, Microsoft's Windows Updates have been a huge, overly confusing mess for a long time anyway. I used to use WSUS to centrally administer them and for our small to mid-sized company, it became more trouble than it was worth. I like the advantage that you only have to download the patches once to the central WSUS server and then all the clients grab copies from there to save your Internet bandwidth. But in practice, our workforce is mobile enough that it's almost better we just let their laptops grab updates over the net from wherever they're at so they get patched more quickly.

    Sifting through all of their patches and deciding when it was safe to "release" them was getting to be way more time-consuming for I.T. than it should have been. So often, you have slews of patches that wind up marked "superseded" by other patches, and there are weird dependencies too. Can't do certain patches unless you've done others first. (Why not automate all of that so any patch dependent on another one just auto-applies the required one as part of its installation?)

    If you do a fresh install of Windows 7 these days? The update process is PAINFUL! You'll literally need to leave the PC downloading updates for a good 8-10 hours or more before it finally starts doing anything obvious. (It seems that it needs so many individual patches to get current, it overwhelms their updater service trying to sort through all of it and prepare to download them in the proper order?)

    1. Re:Not sure you have a lot of options? by MightyMartian · Score: 5, Informative

      The way Windows 10 manages updates in general is frustrating. We have some dedicated Windows 10 Lenovo micro-PCs whose only significant job is to show videos on some large flatscreen TVs, and we're constantly having to cancel out the update nag screens. GPOs that would seem to work don't always apply, so it just gets to be an annoying problem. I think the next set of such micro PCs we buy will probably have some small footprint version of Debian.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Not sure you have a lot of options? by Gr8Apes · Score: 3, Informative

      Every time someone voluntarily went to a Windows 10 PC (even though there are alternatives), they have a horror story about it

      Hyperbole = bollocks. My partner and I are on W10, it's heaps better than W7 or W8*, and we have no horror stories. Almost everything I use auto-saves, apps reload on reboot, and I have enough discipline to save Notepad files or Sql Manager queries if I want to keep them.

      So you admit you take steps to guard yourself against purposeful OS actions and yet you claim that is merely an annoyance or less?

      --
      The cesspool just got a check and balance.
  2. Re:Can we get something like windows 10.01 10.02 by sexconker · Score: 4, Informative

    MS won't release SPs anymore because all of their shit in place says SPs add to the support length of the OS.
    That's why Windows 8.1 happened instead of Windows 8 SP 1.
    That's why 7 had only 1 SP despite desperately needing another. It's so bad Windows Update doesn't work on a fresh Windows 7 install until it crashes twice over 36 hours. The third time usually works after another 8-12 hours.

  3. Microsoft Update Catalog is my new hero by Anonymous Brave Guy · Score: 5, Informative

    For general information, if you're installing a fresh Windows 7 now (starting from SP1, presumably) then it seems by far the fastest way to get a system reasonably well patched is to install the Convenience Rollup (KB3125574) and if necessary its prerequisite (KB3020369) from the Microsoft Update Catalog. That immediately brings you up to somewhere around April 2016 in terms of patch level, and you can download the required files quickly from the Catalog site and then install them locally using WUSA without waiting around for hours while Windows Update does whatever its current broken mess needs to do now. The most recent time I did this was just a few days ago, and after doing that it was then another couple of hours for Windows Update to find the rest and install the remaining security updates, but at least it could be done in an afternoon instead of leaving the new PC overnight and hoping it might have found something by the morning. Spybot Anti-Beacon or some similar tool can still turn off the various telemetry junk that you can't now individually because it's all bundled into the CR update.

    Incidentally, for those who would prefer to keep security patching their existing Windows 7 systems but not get anything else, there are reportedly (direct from a Microsoft source) going to be monthly security-only bundles as well, but you'll have to get those from Microsoft Update Catalog manually as well, they won't be advertised or pushed out through Windows Update. So it looks like the new SOP is to turn off Windows Update entirely (as a bonus, you get back that CPU core that's been sitting at 100% running the svchost.exe process containing the Windows Update service for the last few months) and instead just go along and manually download the security bundle each month to install locally.

    Of course, Microsoft Update Catalog requires Internet Explorer 6.0 or later and won't run with any of the other modern browsers, but I'll live with using IE to access it if it means I get security-patched but otherwise minimally screwed up Windows 7 machines for another 3 years.

    Also, it's been confirmed that this policy will apply to all editions of Windows 7. It's not an Enterprise-only feature and doesn't require the use of WSUS etc. Let's hope they stick to their word on this one.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
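
The offline install described in the comment above, as an added PowerShell example that is not part of the original post. It assumes both .msu files were already downloaded from the Microsoft Update Catalog into a hypothetical folder `C:\Patches`, and it locates them by KB number rather than by full file name.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Assumption: the .msu files sit in $MsuDir, a hypothetical download folder.
param(
    [string]$MsuDir = 'C:\Patches'
)

# Order matters: the prerequisite (KB3020369) first, then the rollup (KB3125574).
$updates = 'KB3020369', 'KB3125574'

# wusa.exe exit codes treated as success
$ok = @{
    0       = 'installed'
    3010    = 'installed, reboot required'
    2359302 = 'already installed'            # 0x00240006
}

$rebootNeeded = $false
foreach ($kb in $updates) {
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
        Write-Host "$kb already present, skipping"
        continue
    }

    # Catalog file names contain the KB number; match on it.
    $msu = Get-ChildItem -Path $MsuDir -Filter "*$kb*.msu" | Select-Object -First 1
    if (-not $msu) { throw "No .msu for $kb found in $MsuDir" }

    # The package arrived outside Windows Update, so check its signature first.
    $sig = Get-AuthenticodeSignature -FilePath $msu.FullName
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "$($msu.Name): signature check failed ($($sig.Status))"
    }

    # /quiet = no UI, /norestart = defer the reboot until both are in.
    $wusaArgs = "`"$($msu.FullName)`"", '/quiet', '/norestart'
    $p = Start-Process -FilePath wusa.exe -ArgumentList $wusaArgs -Wait -PassThru
    if (-not $ok.ContainsKey($p.ExitCode)) {
        throw "$kb failed, wusa.exe exit code $($p.ExitCode)"
    }
    Write-Host "${kb}: $($ok[$p.ExitCode])"
    if ($p.ExitCode -eq 3010) { $rebootNeeded = $true }
}

if ($rebootNeeded) { Write-Host 'Reboot, then run Windows Update for the remaining patches.' }
```
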
    1. Re:Microsoft Update Catalog is my new hero by hairyfeet · Score: 4, Informative

      The Convenience Rollup is kept on my keyring USB stick as it's just soooo much easier than dealing with a system that may not have had a patch on it in years.

      And as far as these new crap "mega updates"? Just turn off Windows Update and use WSUS Offline which last I checked is doing just as you described and grabbing the manual security updates, only you get them nicely bundled with a script that will install them all (and do any reboots required) and shut down the system, hassle free. I highly recommend it.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  4. Re:Cumulative and combined by denbesten · Score: 3, Informative

    ...Are we going to download the entirety of updates that have ever been released for Windows every month? ...

    If you update online you get just the changes. If you download and install you get the whole thing.

    Microsoft answered this and many other concerns on their blog last month. Your particular answer can be found in the comments.....

    Nathan Mercer
    September 15, 2016 at 8:37 am

    ... Monthly rollup will grow to be about the same size as Convenience rollup update. If you install via WU or WSUS you can take advantage of the Express feature to just have deltas going across the network. Security-only update will obviously be much smaller.