Microsoft dives down a bizarre non-cumulative rabbit hole with July patches

Good luck trying to get an explanation in English — though an official Microsoft post in Japanese has a few hints.

putting on a band-aid patch with binary code

If you’re trying to apply this month’s patches — an exercise in futility that I continue to discourage — you may have found that this month’s patches and their documentation read like a da Vinci script, mirrored upside down and backwards.

Take this astounding bit of bafflegab, from the official Microsoft Exchange blog:

For operating systems prior to Windows 2016, the update will be applied as an additional update to the updates released on July 10th. This means you must apply the July 10th update and then may need to execute Windows Update again to receive the additional update to fully resolve the issue. ...

According to the Windows Servicing team, for the non Windows Server 2016 operating systems, it is required that the update released on July 10th be installed for Windows update to offer the new update. [This] is because the update is a patch to the previous package. Windows update chooses updates based upon packages previously installed on these operating systems.

Which is quite a kick in the teeth for the cumulative updating concept — you know, the idea that you can install the latest patch and all previous patches get rolled in. As Michel de Rooij notes in the same thread, quite correctly:

KB4338831... reads, “This non-security update includes improvements and fixes that were a part KB4338815 (released July 10, 2018) and also includes these new quality improvements as a preview of the next Monthly Rollup update..”, implying it is a replacement like the KB4345418 for WS2016. It seems that for older OS’es there is an update (for the related security update) and a replacement (for the July update).

So we have a case where, at least on the face of it, a “cumulative” update (advancing the build number) requires a previous cumulative update. Otherwise the newer update won't install. Which makes no sense at all, to my admittedly Dummy mind.

@abbodi86 points to a post in Japanese by a Microsoft employee that may (or may not) provide some clarity:

Please apply the update with the (0xD1 Stop error) problem fixed based on the following list.

If you are experiencing a problematic update, please apply the update that fixes the problem ( even if you apply the problematic update at the same time ) .

If you have applied the problematic update, please apply additional updates that fix the problem.

There follows a list of “Problematic updates” and “Patches that fix the problem” for every version of Windows and Windows Server. For example, the patch that installs Win10 1803 build 17134.165 causes the problem, but build 17134.166 fixes the problem. Which is all hunky-dory, except the latest build is 17134.167, even though the docs referred to 17134.166 when the patch was first released.

Upside down and backwards.

You can also, uh, plainly see that if you want to fix the 0xD1 bug in Win7, you need to either install the July Monthly Rollup KB 4338819 followed by the manual-install-only KB 4345459, or you need to jump to next month’s Monthly Rollup Preview, KB 4338821.

Follow that? OK, now try this. Microsoft has updated its Security Advisory ADV 180016 (and other Security Advisories) to say:

To address a known issue in the security updates released on July 10, Microsoft is releasing Alternate Cumulative update packages for Windows 10, and Standalone and Preview Rollup packages for all other supported editions of Windows. These packages are available via Microsoft Update catalog, WSUS, or by manually searching Windows Update. Customers who are experiencing issues after installing the July Windows security updates should install the replacement packages as applicable. Please refer to the Affected Products table for the replacement package KB numbers. Customers who have successfully installed the security updates and who are not experiencing any issues do not need to take any action.

If you can slice through that Gordian knot in plain English (or Japanese), I’m all ears.

Bottom line: Don’t patch. There are no major exploits in the wild that take advantage of holes plugged in July. Sit back and wait for the cavalry to swoop in. Or come back from vacation.

Are you as tired of this Northern hemisphere summertime offal as I am? Join us on the AskWoody Lounge which, I’m happy to say, no longer throws security alerts.

Copyright © 2018 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon