The mechanics of Windows patching - in plain English

Microsoft’s John Wilcox last week posted a primer on Microsoft’s patching scheme, designed to help people understand how the company patches Windows. Here’s a translation in less obfuscatory terms, with a bit of real-world commentary.

Windows logo overlaying hand with band-aid patch

If you’re troubled by Microsoft’s patching policies, you aren’t alone. If you’re confused about Microsoft’s patching policies, hey, join the club. Here's my guide to what's really happening in Update Utopia.

Last week, in an attempt to address the confusion, Microsoft designer and lecturer John Wilcox posted a detailed look at the company's “update servicing cadence” on the Windows IT Pro blog. In it, Wilcox set out the official patching principles:

  • Be simple and predictable
  • Be agile
  • Be transparent

Microsoft’s adherence to those principles is the subject of ongoing, heated debate, of course.

After laying out the goals, Wilcox delved into the mechanics of patching. It’s a familiar trail of tears for the initiated, but many industry observers and analysts haven’t been able to interpret the Microsoft-speak. Permit me to strip away the bafflegab and explain how Windows (and Office) patching really works – from the customer's point of view.

Microsoft’s patching cycles revolve around Tuesdays. For the past couple of years, Microsoft has been trying to recast the Gregorian calendar in some sort of “A week” / “B week” nonsense, but if you just look at Tuesdays, you’ll start off on the right foot.

On the first Tuesday of the month, Microsoft usually releases non-security updates for the installed (“MSI”) versions of Office. They’re usually not checked in Windows Update, so they don’t install automatically.

On the second Tuesday of the month – Patch Tuesday – Microsoft usually releases:

  • Cumulative updates for the various versions of Windows 10, which roll out through Windows Update. These combined security and non-security patches are “cumulative” in the sense that, if you install one of them, you’re caught up on all of your patching obligations for that particular version of Win10.
  • Monthly Rollups for Windows 7 and 8.1, which appear checked in Windows Update, so they install unless you’ve turned off Automatic Update. They also contain security and non-security updates, and they’re cumulative (although they may not include some very old patches).
  • Security-only patches for Win7 and 8.1. These are only available for manual download and installation. They aren’t cumulative.
  • Security patches for the installed (“MSI”) versions of Office, which are checked and ready for automatic installation. Around the second Tuesday, the non-security Office patches are generally changed to appear as checked in Windows Update, so they will install unless you have Automatic Update turned off.
  • Finally, Office Click-to-Run (C2R) usually gets updated on or around the second Tuesday of the month. If you have the C2R version of Office (as opposed to the installed “MSI” version), you are automatically updated through the Office updating mechanism, which is outside of the usual Windows Update channel.

Lately, the third Tuesday of the month, give or take a day or two, brings fixes for bugs introduced on the second Tuesday of the month.

Also on the third Tuesday, Microsoft releases a “Preview of Monthly Rollup” for Win7 and 8.1 – a collection of non-security bug fixes that (if all goes well) will reappear on the second Tuesday of the following month. Notably, Microsoft hasn’t released a significant new feature for Win7 or 8.1 for at least a few years. Other than bug fixes, time zone changes and the like, the only non-security modifications we’ve seen are designed to increase telemetry.

Finally, sometime between the third and fourth Tuesdays of the month, each Win10 version gets a second (or third) cumulative update for the month. These cumulative updates are supposed to include just bug fixes, not security patches.

Mind you, that's the theory. In practice, things are much messier. If you include the patches, pulled patches, re-issued patches, re-directed patches (with changes in “metadata”), plugged IE holes and .NET patches, we see something new on roughly half of the business days in a typical month. Most of the changes are undocumented or nearly so.

Nowadays, newer Win10 versions get three or even four patches, fixes and re-patches per month. Multiply that by three current versions (1703, 1709 and 1803), and there’s a whole lot of Win10 patching going on. It’s a wonder Microsoft can keep all of the balls in the air.

Other updates happen on their own time schedules – Windows Defender updates, Servicing Stack updates (where Microsoft changes the programs that install updates), driver updates, Surface firmware updates, and so on. The jumbled mess doesn’t even include version changes – Microsoft insists on calling them “feature updates” – which roll out to the tune of a different drummer.

Have a question about patching? Join the fray on the AskWoody Lounge.

Copyright © 2018 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon