Blame Microsoft -- not users -- for fragmented patching in Windows 7 and 8.1

Users for the most part have only been trying to protect themselves from 'Get Windows 10' nagware and Microsoft snooping

Too many in the PC industry have been repeating Microsoft's claim about fragmented Windows 7 and 8.1 patching, and how we must now move to cumulative updates in order to bring stability to the patching process.

This narrative claims that Win7 patching options have led to an awful patchwork of uninstalled patches (see screenshot), which in turn makes Win7 patches less reliable. In order to restore order to the patching process, starting in October Microsoft will release cumulative updates of Win7 (and 8.1) patches.

[Screenshot: patching fragmentation]

There have been two TechNet posts about the shift to cumulative updates. On Aug. 15, Nathan Mercer presented us with "Further simplifying servicing models for Windows 7 and Windows 8.1," and on Aug. 30, Paul Bergson backed that up with much more detail in "A Bit About the Windows Servicing Model."

Says Mercer:

Based on your feedback, today we're announcing some new changes for servicing Windows 7 SP1 and Windows 8.1… From October 2016 onwards, Windows will release a single Monthly Rollup that addresses both security issues and reliability issues in a single update. The Monthly Rollup will be published to Windows Update (WU), WSUS, SCCM, and the Microsoft Update Catalog. Each month's rollup will supersede the previous month's rollup, so there will always be only one update required for your Windows PCs to get current. i.e. a Monthly Rollup in October 2016 will include all updates for October, while November 2016 will include October and November updates, and so on. Devices that have this rollup installed from Windows Update or WSUS will utilize express packages, keeping the monthly download size small.

Over time, Windows will also proactively add patches to the Monthly Rollup that have been released in the past. Our goal is eventually to include all of the patches we have shipped in the past since the last baseline, so that the Monthly Rollup becomes fully cumulative and you need only to install the latest single rollup to be up to date. We encourage you to move to the Monthly Rollup model to improve reliability and quality of updating all versions of Windows.

Bergson fills in some key details:

Beginning in October 2016 onwards, don't expect to see individual KBs but instead expect to see the following in the monthly patch release cycle:

  • Security-Only Update - Collects all of the security patches for that month into a single update
  • Monthly Rollup - Security updates from previous bullet point; All updates, rollups, patches, and security updates for that month; Proactive addition of previously shipped patches (within 6-8 months the monthly rollup will include all patches back to the last baseline and will be fully cumulative)
  • .Net Framework Security-Only Update - Contains only security updates
  • .Net Framework Rollup - .Net Framework Security Updates from Previous Bullet Point; Reliability updates

There will be other updates in the patch release cycle, not mentioned by Bergson, although details are sparse. Internet Explorer will be updated separately, at least for now (there's no word on whether the IE updates will have security and non-security patches intermingled). Flash Player will get its own updates, according to Adobe's schedule more than anything. The Servicing Stack (in other words, the Windows Update program itself), dynamic updates ("driver, component, and setup improvements during the initial setup"), as well as Windows Defender updates and the Malicious Software Removal Tool will all march to the beat of an asynchronous drummer.

I can think of about a thousand questions surrounding the new cumulative update process, but for now let me put those aside. For now, I'd like to focus on Microsoft's stated reason for starting us down the phone-style-updating path.

I don't believe there's an unhealable, massive fragmentation in the Windows installed base. No doubt Microsoft's telemetry database can be manipulated to create any picture it chooses (the company's non-GAAP accounting folks are very good at that), but experience tells me that Win7 patching falls into a few well-defined buckets.

In examining those buckets, it's helpful to understand what options are available to Win7 and 8.1 updaters. If your PC isn't attached to an update server, you can choose:

  • Whether you manually install updates, or you let Windows install them automatically
  • Whether Microsoft-recommended updates should be treated the same way as important updates, or the same way as optional updates.

There are additional nuances, but those are your basic choices.

When Microsoft releases patches, they're given one of three priorities: important, recommended, or optional.

If you let Windows update your PC automatically, you'll get all important updates (which may include those released as recommended, depending on your choice).

If you update manually, you have a chance to examine each individual patch and accept or reject it. Microsoft preselects individual patches according to some unknown formula. (The old rules for prechecking patches flew out the window when Microsoft released the Windows 10 upgrade as a checked, optional patch.) When you're happy with the list of checked patches, you click a button and Windows Update installs the patches you've checked.
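As an added example (not code from the article), the following PowerShell audit script reads the two basic choices just described and lists what is pending in the same buckets the article uses: security or not, pre-checked or not, optional or not. It uses the Windows Update Agent COM objects and assumes it is run in an elevated PowerShell on a Win7 SP1 or 8.1 PC that is not attached to a WSUS server.

```powershell
# Added audit script, not from the article. Reads the Automatic Updates
# settings and enumerates pending updates via the Windows Update Agent COM API.
# Assumes an elevated PowerShell session on Windows 7 SP1 / 8.1.

# --- Choice 1 and 2: automatic vs manual, recommended treated as important ---
$au = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
$levels = @{
    0 = 'Not configured'
    1 = 'Disabled (never check for updates)'
    2 = 'Check only, notify before download (manual)'
    3 = 'Download, notify before install (manual)'
    4 = 'Install automatically on a schedule'
}
"Automatic Updates                        : $($levels[[int]$au.NotificationLevel])"
"Recommended updates treated as important : $($au.IncludeRecommendedUpdates)"

# --- What is pending, and how would Windows Update present each item? ---
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# Not yet installed and not hidden by the user.
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$report = foreach ($u in $result.Updates) {
    $cats = @($u.Categories | ForEach-Object { $_.Name })
    [pscustomobject]@{
        KB          = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        # Microsoft's own "Security Updates" category: what a
        # "clearly identified security patches only" user would accept.
        Security    = ($cats -contains 'Security Updates')
        Severity    = $u.MsrcSeverity          # Critical/Important/... or blank
        # Pre-checked in the Windows Update list (the "checked patches").
        Preselected = $u.AutoSelectOnWebSites
        # Shown only under "optional" (IUpdate3.BrowseOnly; assumed to be
        # exposed by PowerShell's COM adapter on this agent version).
        Optional    = $u.BrowseOnly
        Title       = $u.Title
    }
}

$report | Sort-Object Security, Preselected -Descending |
    Format-Table KB, Security, Severity, Preselected, Optional, Title -AutoSize

"Pending: $(@($report).Count); security-classified: $(@($report | Where-Object Security).Count)"
```

Comparing the Security and Preselected columns shows directly which pre-checked items are not security patches, which is the set a defensive patcher is deciding about.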

Those are the mechanics. Microsoft argues that the ability to select individual patches has led to an unwieldy situation of fragmented patching. While it's obviously true that giving customers a chance to pick and choose patches has led to different configurations, my experience with a whole lot of patches and a whole lot of patchers has led me to some overall conclusions.

Here's what I've seen.

The largest single group of people has turned off Automatic Updates and never update. Many folks have AU turned off because they're running pirated copies of Win7, which are invariably set for manual updates. Others turned off AU during installation or in response to a problem or recommendation.

The next-largest group of people run manual updates from time to time. They check to see if there are problems with individual patches and uncheck them, but generally take Microsoft's recommendations (the checked patches) or select all of the recommended patches and install the optional patches, too. Up until a year ago that process was rather straightforward.

Then Win7 and 8.1 customers got hit with a double whammy: The "Get Windows 10" campaign and the further encroachment of Microsoft snooping. Patching has never been the same since. Customers started implementing defensive patching strategies -- protecting themselves from Microsoft's advances -- and the nature of patching changed completely.

There's fragmentation, but it's largely predictable and almost entirely dedicated to the idea of keeping Microsoft's hands off their systems.

I see two general camps of Win7 and 8.1 defensive patchers. On the one hand, there are people who will only install clearly identified security patches. On the other, we have people who have followed (or developed) long lists of patches that should be avoided to deflect Microsoft's privacy incursions. Many people refuse to install patches that are specifically designed to make the transition to Windows 10 easier: They bought and paid for Win7, and they don't want Win10.

Patch blocklists abound -- and no longer just among the tinfoil hat wearers. They reflect a genuine concern about Microsoft's new telemetry activities: the Diagnostic and Telemetry tracking service, for example; new telemetry points/snooping stations; and Visual Studio Application Insights. Many Windows 7 and 8.1 users don't see any reason to let Microsoft (or app developers) snoop any more than they already do.

So yes, there is fragmentation in patching now. But I don't think it's a case of Win7 users deciding that they want to support the Azerbaijani manat or skip the daylight savings time updates for rural Egypt. The fragmentation that's developed has a pattern, and it's due to Microsoft's intrusiveness.

Now that the "Get Windows 10" campaign is over, Microsoft has a golden opportunity to mend some fences and pull the extraneous garbage out of Win7 and 8.1. A couple of months of healing patches that get the Win10 junk out of Win7 and reduce the telemetry incursion would do wonders to reduce the fragmentation.

I don't expect that to happen. Instead we're going to see Microsoft consolidate its snooping efforts under a new banner, with fragmentation cast as the boogeyman.

Back in June, we saw a harbinger of this new technique. As I explained at the time, you could get a new patch that would speed up Windows 7 update scans, but in order to install it, you had to install six completely unrelated patches -- at least one of which has been implicated in increased snooping.

Starting in October, we're going to see security updates distributed separately from non-security updates -- and that gives us some choice. Unfortunately, I don't think we'll see a patch prior to the October cumulative update onslaught that'll unwind all of the past year's Win10-related and snooping-related patches. For those who have been dutifully installing Win7 and 8.1 non-security patches, the damage is done and likely can't be unwound.

So go ahead, Microsoft, bring on the new world of Win7 and 8.1 cumulative updates. But don't blame it on fragmentation. Don't blame it on folks who were trying to protect themselves from the likes of Get Windows 10 and the Diagnostic and Telemetry tracking service.

Copyright © 2016 IDG Communications, Inc.