As of a week ago, Windows 7, 8.1, the various 10s, and Office 2013 and 2016 Click-to-Runs (from Office 365) now have at least one attribute in common: They all distribute patches in bunches. The bunches raise a very straightforward question, with a number of possible answers: How will Microsoft fix problems with a buggy patch?
There’s no simple answer. We have a raging discussion over on AskWoody.com about the dilemma and one way Microsoft seems to be approaching an answer. Yesterday, Martin Brinkmann on ghacks posted a thorough overview. He comes to the conclusion, quite correctly, that if Microsoft fixes bugs in Win7/8.1 security patches by putting the fixes in the nonsecurity part of the monthly rollups, then Windows 7 and 8.1 customers will have no choice but to take all of Microsoft’s patches, all of the time -- or none at all.
For those who aren't overjoyed at the idea of absorbing Win7 and 8.1 telemetry changes, that's not good news at all.
As it now stands, the situations with Windows 10 (all versions) and Office Click-to-Run 2013 and 2016 are similar, although presented a bit differently. If Microsoft screws up a security patch, you have no choice but to either roll back the entire update, thus losing all of the most recent security and nonsecurity patches, or to sit and grin until Microsoft gets another cumulative update/CtR version out the door. There’s no middle ground.
This is the fundamental Achilles’ heel in Windows patching that I’ve been discussing for nearly two years. It's congenital. It won't go away.
So far this month I’ve seen three patches with acknowledged bugs. If you expected some sort of consistency in how those bugs were fixed, you’d be wrong: The approach to fixing bugs varies all over the place. Even in fully patched systems, right now some Windows and Office users are experiencing the bugs, and others aren’t. Support staff must be going nuts.
Here are the three acknowledged bugs making the rounds this month:
- KB 3118373, the “October 4, 2016, update for Excel 2016,” started throwing bogus error messages, spontaneously reporting “Microsoft Excel has stopped working.” Think of it as halt and catch fire for spreadsheets. Microsoft acknowledged the bug on Oct. 8, and pulled the patch.
- KB 3185319, the “MS16-104: Security update for Internet Explorer: September 13, 2016” -- one of those notorious patches that combines security and nonsecurity updates -- started throwing a "File Download - Security Warning" prompt when you tried to access the Favorites menu. Microsoft acknowledged the problem on Sept. 27, but didn't offer a solution until Oct. 18.
- KB 3192440, the “Cumulative update for Windows 10: October 11, 2016,” includes a slew of patches for the original “RTM” version of Win10, also known as version 1507. It’s notorious among admins for crashing the System Center Operations Manager (SCOM) management console while in State view. There are similar problems for the other versions of Win10 and Server. Microsoft also acknowledged that problem on Oct. 18.
The methods for fixing those bugs run all over the map.
If you have Excel 2016 installed and it was patched on or after Oct. 4, you’re supposed to manually remove KB 3118373, according to KB 3198535. (I have no idea how most people figure out that’s what they’re supposed to do.) Microsoft advises, “The fix for this regression as well as other fixes in KB 3118373 will be included in the next public update for Excel 2016.” Presumably, the first Tuesday in November will include a new Excel 2016 patch that fixes the bug.
If you use Excel 2016 as part of Office 2016 Click-to-Run, though, it’s a different story. Microsoft released a new Office 2016 Click-to-Run on Oct. 4, including KB 3118373. It then released a new Office 2016 Click-to-Run on Oct. 11, build 7369.2038, incorporating October’s security patches. I can’t find any documentation on whether KB 3118373 was included in the Oct. 11 version, although the original notification for the Oct. 4 release was updated on Oct. 13 to say that KB 3118373 is no longer available.
Bottom line: If you have the installed version of Excel 2016, you may or may not have the bug, depending on whether you’ve uninstalled KB 3118373. If you use Office 2016 Click-to-Run, you had the bug for a while but it’s gone now -- and it isn’t clear what day the bug got pulled.
Over on the Windows side of the fence, the situation’s even murkier.
After concerted howls emerged on TechNet, the SCOM crash was eventually tracked down to a combination of two patches: MS16-118 and MS16-126. The fix was rolled into cumulative updates for the older Win10 versions, issued on Oct. 18: KB 3119125 cumulative update for Win10 RTM, and KB 3200068 cumulative update for Win10 version 1511.
Here’s where it gets weird.
The definitive Windows 10 update history page doesn’t list either of those patches. There are no updates listed for Oct. 18. I can’t even tell what build numbers appear after the patches are installed.
More than that, the patch for Win10 version 1511, KB 3200068, claims to fix the “File Download - Security Warning” prompt bug from last month’s MS16-104. I can’t find any similar claim for Win10 RTM or for Win10 1607.
It’s possible that the patch called KB 3197954, which is a cumulative update to Win10 1607 that hasn’t yet been released, may fix those two Windows bugs. Or maybe not. There’s no documentation I can find for 3197954.
If all those numbers make your head swim, you’re not alone. Imagine what your friendly local support desk person must be confronting:
- Those who have run afoul of the Excel 2016 halt-and-catch-fire bug likely need to uninstall KB 3198535, but if they’re on Click-to-Run they need to get the latest version.
- Those who have the “File Download - Security Warning” bug should either move to a different browser, make sure that Win10 has been updated (no idea what build number), or wait for a new undocumented Win10 build.
- Those who have System Center Operations Manager console crashes have no doubt already installed the hotfix, even if it isn't called a hotfix.
I’ve said it before: As long as all of the Windows (and Office) patches are good, the cumulative update/rollup approach works fine. But the minute there’s a bug, we’re all in a world of hurt and confusion.
Microsoft should come up with a specific, documented method for fixing bugs in rollup (or rolled together) bundles of patches. It should let us know what's happening and how or if we can get fixes. If Microsoft won't give us a way to uninstall individual bad patches, it would be smart to develop a "silver bullet" approach where bad patches get uninstalled by installing new patches that eviscerate the bad ones.
It's an easy method that, if fully documented, would lead to far fewer headaches here in the trenches.