Windows 7 update guide: How 'security-only' and 'monthly rollups' differ

Microsoft in 2016 changed the way it rolls out updates for Windows 7 and Windows 8.1, leaving many IT admins and users confused. Here's how to sort out what the company is doing.

It's been more than a year since Microsoft ended the decades-old practice of letting customers choose which patches they apply, and instead instituted a cumulative update maintenance model for Windows 7 and its shadow-of-a-sibling, Window 8.1.

And yet some users still don't grasp the new scheme.

"There are plenty of people who don't know which kind of update they should use," Chris Geottl, product manager with client security and management vendor Ivanti, said in a recent interview. "'Which one should I do? What non-security features are included in the monthly rollup? There's still some confusion."

No wonder there.

Microsoft asked for a lot last year. It asked enterprise IT administrators to upend ingrained patching practices. It asked them to make radical changes to how they maintain Windows 7 deep into its lifecycle, when there were just three years and change remaining before retirement, a phase most admins probably thought they'd be coasting as they prepped for Windows 10. It asked customers to absorb new terminology. And it changed the rules more than once after the new process debuted.

In return, users had questions - ans still do. The top query may seem among the simplest - what's the difference between the two types of Windows 7 updates now offered - but as Computerworld found out, appearances are deceiving.

What's in the security-only update? Just as the name implies, this update includes only security-related fixes, the kind that Microsoft has issued for 14 years on the second Tuesday of each month (aka "Patch Tuesday").

Just as important, though, is that the security-only update contains this month's fixes, and nothing more. (Again, that characteristic is what has defined Windows patches for years.)

What's in the monthly rollup? The Windows 7 and 8.1 monthly rollups include not only this month's security patches, but also all past security and non-security fixes, going back to at least October 2016, and possibly further. In other words, a monthly rollup is a superset of the month's security-only.

Side note: "Rollup" is a term Microsoft has used for ages to label catch-up updates, those that bring a program or operating system up to current status by bundling all past fixes. (Usually from a specific point in time, say, the last major release, which in the past were called "service packs" and abbreviated to "SP" as in "SP1" to designate the first such collection.)

Microsoft has touted rollups as a customer convenience, because they allow a long-out-of-date PC to be made current with just one download and install, rather than being forced to retrieve scores, maybe hundreds, of individual updates. That's exactly how the company described what it dubbed the "Windows 7 SP1 convenience rollup" it issued in May 2016.

"Install this one update, and then you only need new updates released after April 2016," Microsoft said at the time of the convenience rollup, which preceded and presaged the monthly rollups announced three months later.

Are there size differences between the security-only and monthly rollup updates? Yes.

  • Security-only updates are significantly smaller than monthly rollups. On average, the former amounted to about 16% of the latter during the 14 updates issued since October 2016.
  • A monthly rollup is always bigger than its predecessor, because each must add this month's fixes to the month-before bundle. December's Windows 7 monthly rollup, for example, weighed in at 205MB, a slight gain over November's 203MB.
  • Security-only updates vary in size month by month. Some months the update will be smaller than the month prior; other times, larger. In August, the Windows 7 64-bit security only was 30MB, but it jumped to 42MB in September before shrinking to 32MB in October.

Who can get security-only updates? Only organizations that service devices using Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM) or a third-party platform that taps into WSUS.

Why's that? Microsoft has never put it this plainly, but it's clearly a bone thrown to the most valuable customers - enterprises and other business or educational organizations of size - to make the 2016 switch to cumulative updates for Windows 7 more palatable.

Windows 10 users weren't given options like this; on that OS, it's cumulative updates - another label for monthly rollups - or nothing.

But because Windows 7 was, and remains, the dominant operating system in the enterprise, resistance to the cumulative-Windows 10 model led Microsoft to cut its corporate customers some slack. They would be allowed to deploy the month's security patches, and only those fixes, and refuse non-security updates.

Think of it as a compromise between the radical-enough move to make Windows 7 updates cumulative - in that the bundle could not be broken into its separate patches - and Windows 10 one-size-fits-all process.

We use Windows Update to patch a handful of PCs. What do we get? Monthly rollups. You can't install security-only patches.

As with so much else, Microsoft's Windows 7 patching policies favor enterprises over consumers and very small businesses. The first comprise its best customers, who pay the most for Windows - typically, the Windows Enterprise SKU (stock-selling unit) - and spend, by far, more on services such as Office 365 than do those who make up the second group.

How is Internet Explorer patched now? Are fixes included in both the security-only and the monthly rollup? No. Starting in February, Internet Explorer (IE) patches were stripped from the security-only, and again offered in a separate update.

Microsoft has changed its mind about IE a couple of times. Before it launched the revamped Windows 7 patch process, the company said IE fixes would be included in the security-only update. But when October 2016 came, it instead bundled them into the update. Since February, however, they have been separate from the security-only.

Earlier this year, Microsoft explained that it was doing this to shrink the size of the security-only updates. "Given that package size is one of the primary reasons some enterprise customers choose to leverage the Security Only update (to optimize for smaller download in limited bandwidth scenarios), these customers have requested increased flexibility for deploying the Security Only updates for Windows independently of the fixes for Internet Explorer," wrote Nathan Mercer, senior product marketing manager, in a January post to a company blog. The security-only updates did drop in size after that: The average size of the security-only updates without IE was slightly more than a third of the size with IE.

But there may have been more to the story than Microsoft wanted to tell.

With IE being abandoned in droves each month, even by those who had once been its fiercest defenders - enterprise IT administrators - the added baggage of the browser's patches was unnecessary, and unwanted. If they had switched their workers to, say, Google's Chrome, they had no need for IE's updates. Separated from the security-only updates, the IE patches could be ignored.

IE patches have always been included in monthly rollups, adding to the kitchen-sink approach of that patching option.

Which should we download and install? Security-only or monthly rollup? That's the $64,000 question, adjusted for inflation.

There's little point in selecting and installing both in the same month, as the security patches are also included in the rollup. In fact, in December 2016, Microsoft made it more difficult to install both, as it changed the rules yet again; if a monthly update for the current month, or one further into the future than the security-only update, were installed, the latter would be marked as not applicable for that PC.

In hindsight, it's clear that the patch reorganization and the new terminology confused IT administrators. "This caused a bit of bumpiness early on. Many admins were deploying the security-only updates, only to find that any fixes for the security-only updates are in the [monthly] rollups," said Susan Bradley, a noted patch expert who moderates the mailing list, in a recent email exchange.

Microsoft leans toward the monthly rollups in its advice. "Installing the latest monthly rollup will ensure the PC is compliant for all security updates released in the new servicing model," Michael Niehaus, director of product marketing for Windows, wrote in a December 2016 revision to an earlier post to a company blog. "This is our recommended updating strategy.... You should deploy the monthly rollup."

Others, however, have placed their preference bets on the security-only updates because relying on them and them alone avoids the rollups. "It really seems that a lot of the breakage problems come at the end of the month when the non-security fixes come out," Geottl of Ivanti said, referring to the patches included with the following month's rollup.

Administrators can also push security-only and monthly rollups to separate groups of managed PCs, or feed every system the security-only updates each month, but the rollups only once each quarter. (The latter tactic requires that admins deploy the security-only every single month. Failure to do so means that the PCs would be vulnerable to flaws fixed in skipped months, or until a monthly rollup is distributed to the machines.)

The bottom line: The answer depends on an organization's needs and priorities.

Microsoft's terminology confuses us. Have any help for that? We sure do.

Check out this support document, "Description of the standard terminology that is used to describe Microsoft software updates," on Microsoft's website. Microsoft has discarded some of the terms - "service pack" is obsolete, and the company no longer publishes security bulletins - but those pertinent to Windows 7 are spelled out.


Copyright © 2017 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon