Windows 7's security rollups, the most comprehensive of the fixes it pushes out each Patch Tuesday, have doubled in size since Microsoft revamped the veteran operating system's update regimen in 2016.
According to Microsoft's own data, what it calls the "Security Quality Monthly Rollup" (rollup from here on) grew by more than 90% from the first to the twenty-first update. From its October 2016 inception, the x86 version of the update increased from 72MB to 137.5MB, a 91% jump. Meanwhile, the always-larger 64-bit version went from an initial 119.4MB to 227.5MB, also representing a 91% increase.
The swelling security updates were not, in themselves, a surprise. Last year, when Microsoft announced huge changes to how it services Windows 7, it admitted that rollups would put on the pounds. "The Rollups will start out small, but we expect that these will grow over time," Nathan Mercer, a Microsoft product marketing manager, said at the time. Mercer's explanation: "A Monthly Rollup in October will include all updates for October, while November will include October and November updates, and so on."
Two months later, when he was asked about the growth issue, Mercer again conceded that the rollups could get big. "Eventually Monthly Rollup will grow to around the 500MB size," Mercer said in mid-October 2016.
It looks like Mercer's forecast may have been pessimistic.
At the 22-update pace that Windows 7's rollups have established, the 64-bit version will weigh in at approximately 244MB by October 2018, and a year after that, as Windows 7 nears its expiration date, about 306MB. The latter would represent a 39% shortfall of Mercer's target. Likewise, the x86 edition would increase to 147MB and 186MB in 2018 and 2019, respectively, if the 22-update growth rate continues.
Those numbers are not only far below Mercer's 500MB maximum, but also lower than Computerworld's estimates at the end of 2017. Then, using the first 12 updates as a guide to future update bloating, Computerworld said that the Windows 7 x86 updates would balloon to 216MB and 374MB by October 2018 and October 2019, respectively. Meanwhile, the Windows 7 x64 updates would expand to about 350MB by October 2018 and a whopping 600MB by October 2019, just months shy of its retirement.
The previous predictions were wildly off-base. Why?
After an aggressive expansion in size over their first year, Windows 7's updates' rate of growth nearly screeched to a halt. The difference was stark between the first 12 updates' increase and that of the next 9. In the 12 updates from October 2016 to October 2017, Windows 7 x64's update grew by 83MB; the next 9 updates boosted the size by just 25MB. (That nine-month rate translates to under 32MB for 12 months, to make the comparison more apples-to-apples.)
"The size of these is definitely a concern," said Chris Goettl, product manager with client security and management vendor Ivanti. "When the rollups grow to 300MB to 500MB, some companies don't have the downtime (to download and install updates that large), especially those with a global reach or to remote areas across slow connections."
Enterprises get to pick the update poison
Microsoft issues two kinds of security updates for Windows 7 on the second Tuesday of each month: a rollup and what the company has dubbed "Security Only Quality Update" (security-only from here on). The latter includes the month's security-related patches and nothing else.
Because they contain only that month's patches, they're much smaller than the same month's corresponding rollup. The 64-bit security-only for July was just 37MB and the 32-bit was an even smaller 24MB, compared to the same month's rollups of 228MB and 138MB.
The rollups are larger not only because they drag their past with them - each succeeding rollup includes that month's patches as well as all previous patches back to October 2016 - but because they also include non-security bug fixes. Usually, though not always, issued later in each month, the non-security updates are bundled with the security patches, adding to the size of the rollup.
But only some Windows 7 machines are eligible for the smaller security-only updates: Those serviced by WSUS (Windows Server Update Services), or tools, whether third-party or Microsoft's own System Center Configuration Manager (SCCM), that rely on WSUS for content. All other Windows 7 devices, including those run by consumers and small companies, that connect via Windows Update or Windows Update for Business, are handed rollups. They do not get a choice.
Overall, the security-only updates issued for Windows 7 have been about one-fifth the size of the rollup total. Only 6 of the 22 64-bit security-only updates were larger than 40MB, for example, and only 7 of the 32-bit versions broke the 20MB mark.
According to Goettl, the security-only updates have been about the same size they would have been if composed of a similar number of separate patches, like those Microsoft distributed before making the radical move to dump decades of practice in 2017.
But size was not the only reason, or perhaps even the main reason, why security-only updates were a blessing for enterprises. "Security-only provides some flexibility," Goettl said, talking about the ability to postpone an update.
Because the rollups are cumulative - in that they include all past patches, as well as the latest - it's not possible to deploy them without installing every fix since at least October 2016. If a patch breaks something, say a business-critical application or workflow, all rollups subsequent to that must be put on hold.
But by adopting the security-only updates, an IT staff can at least roll out, for instance, June's version even if it has had to hold off on May's because of a rogue patch. That practice is similar to, although on a more macro level, the way individual patches were deployed or blocked, depending on whether they interfered with operations. (The latter was what Microsoft banned by moving in 2017 to the all-inclusive approach, where all of a month's patches are poured into one bucket and so are inseparable.)
Goettl saw security-only updates as a sop to enterprises, a bone Microsoft threw to its most important customers when it laid down the new laws. "One thing that softened the blow (of the cumulative update announcement) was that they offered the security-only bundle," Goettl said. "In Windows 10, you don't have that option."
Like a lot of patch experts, Goettl has urged those eligible for security-only to stick with the smaller updates. "It really seems that a lot of the breakage problems come at the end of the month when the non-security fixes come out," he added, talking of the patches that are included with the following month's rollup. "Things break there. This month, for example, there were a lot of non-security fixes [in the rollup]. That's why we recommend security-only for client PCs, especially [on systems with] sensitive software."
Cutting updates down to size
Not every Windows 7 machine has to pay full price for the increasingly large rollups. Some get a discount.
Enterprises that deploy updates through WSUS can apply the optional "express installation files" feature, which limits the bandwidth that update traffic consumes on the local network inside the perimeter.
That's done by identifying those bytes that change between two versions of the same file, then generating an update containing just those differences. (This technique is typically called a "delta" update and is used by most software developers to distribute updates.)
However, there's a tradeoff, which Microsoft spells out in this support document: After enabling the feature, the size of the downloads from Microsoft's servers to the local WSUS server(s) increases substantially. According to Microsoft, express installation files may treble the number of bits downloaded to the WSUS server(s).
"When you distribute updates by using this method, it requires an initial investment in bandwidth," Microsoft stated. "Express installation files are larger than the updates they are meant to distribute. This is because the express installation file must contain all the possible variations of each file it is meant to update.
"However, this cost is mitigated by the reduced amount of bandwidth required to update client computers on the corporate network," the document continued.
In an example Microsoft highlighted, a 100MB update resulted in 300MB downloaded to the WSUS server, but the actual amount transmitted over the local network to each client might be as little as 30MB when the express installation files feature is turned on. With it off, the initial download to the WSUS server would be 100MB, the size of the update, but then that same 100MB would have to be delivered to client PCs across the local network.
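To make the delta mechanism described above concrete, here is an added example that is not Microsoft's code and does not reproduce the (undocumented here) express installation file format: it builds a block-based delta between two constructed versions of a file, rebuilds the new version from the old one on the "client", and refuses the result unless its SHA-256 matches the hash shipped with the delta. The block size, the op encoding and the assumed 8-byte cost per copy op are illustrative choices, not anything the page states.

```python
import hashlib

def make_delta(old: bytes, new: bytes, block: int = 16) -> dict:
    """Describe `new` in terms of `old`: runs copied from the old file plus
    literal bytes that must be shipped. Old blocks are indexed by SHA-256 at
    aligned offsets; the new file is scanned byte by byte, so an insertion
    that shifts everything after it still matches. The SHA-256 of `new`
    rides along so the client can check the rebuilt file before installing."""
    index = {}
    for off in range(0, len(old) - block + 1, block):
        index.setdefault(hashlib.sha256(old[off:off + block]).digest(), off)
    ops, lit, i = [], bytearray(), 0
    while i < len(new):
        window = new[i:i + block]
        off = index.get(hashlib.sha256(window).digest()) if len(window) == block else None
        if off is None:                      # no old block matches: ship this byte
            lit.append(new[i]); i += 1
            continue
        if lit:
            ops.append(("lit", bytes(lit))); lit = bytearray()
        if ops and ops[-1][0] == "copy" and ops[-1][1] + ops[-1][2] == off:
            ops[-1] = ("copy", ops[-1][1], ops[-1][2] + block)   # extend contiguous copy
        else:
            ops.append(("copy", off, block))
        i += block
    if lit:
        ops.append(("lit", bytes(lit)))
    return {"ops": ops, "sha256": hashlib.sha256(new).hexdigest()}

def apply_delta(old: bytes, delta: dict) -> bytes:
    """Rebuild the new file on the client and verify it before it is used."""
    out = bytearray()
    for op in delta["ops"]:
        out += old[op[1]:op[1] + op[2]] if op[0] == "copy" else op[1]
    if hashlib.sha256(out).hexdigest() != delta["sha256"]:
        raise ValueError("rebuilt file does not match expected hash; do not install")
    return bytes(out)

def payload_size(delta: dict) -> int:
    """Bytes that cross the wire: literals plus an assumed 8-byte header per copy op."""
    return sum(len(op[1]) if op[0] == "lit" else 8 for op in delta["ops"])

# Constructed sample: a 2048-byte "old binary" and a new version in which
# 3 bytes are replaced by 7, so everything after the edit shifts by 4 bytes.
OLD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
NEW = OLD[:1000] + b"PATCHED" + OLD[1003:]

if __name__ == "__main__":
    delta = make_delta(OLD, NEW)
    assert apply_delta(OLD, delta) == NEW
    print(f"full file {len(NEW)} bytes, delta payload {payload_size(delta)} bytes")
```

On the sample, the delta is three ops (one long copy, 20 literal bytes, one long copy) and a few dozen bytes on the wire versus 2052 for the whole file; the same ratio is what lets a 30MB client download stand in for a 100MB update.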
Other caveats apply to express installation files in Windows 7, but perhaps the most important is that the feature is not the same as the identically named "express" feature in Windows 10.
While the express feature has arguably received more attention in Windows 10 - Microsoft has publicized the feature in Windows 10 several times - it's not identical to what's in Windows 7.
For one thing, Windows 10's express can distribute both updates and the twice-annual feature upgrades, which tip the scales at several gigabytes. More importantly, Windows 10's differential update technology works not only with WSUS (as does Windows 7's) but also with Windows Update and Windows Update for Business.