Cumulative patch updates: what you need to know

On Patch Tuesday this October, Microsoft will change how updates are delivered to Windows 7, Windows 8.1, and Windows Server 2008 R2, 2012, and 2012 R2. Instead of the traditional one-patch-per-vulnerability model, Microsoft will begin issuing monthly all-in-one updates for these operating systems. Starting October 11, 2016, these updates become cumulative: every update of a given category is rolled into one download package, and each month's package contains everything released in that category since October. To put it another way: going forward, there will be only one Security update, one .NET Framework update, and so on to download for each operating system after October 11, 2016, assuming that you're starting with a fully patched system. November's package will include October and November, December's will include October, November, and December, and so on.

The pros of this approach: approvals are streamlined; the number of downloads needed to bring a system up to date decreases; Microsoft has fewer patch approval combinations to worry about and fewer code paths to test, which should (in theory) make deployed updates more reliable; and the time each system spends scanning for needed updates remains manageable. The cons: the download size of each cumulative update will only grow over time, which raises bandwidth requirements, and Microsoft's history of shipping unreliable or malfunctioning code in one patch among many will now affect the entire update package.

The first drawback is largely mitigated by our centralized patch deployment system, which uses an on-premises update cache so that each update package is downloaded only once over the WAN and then shared locally across the client's network. The second drawback is more interesting.

When vulnerabilities are rolled up into one cumulative update, a decision to withhold a single KB article from deployment because of functionality concerns now exposes a system to multiple vulnerabilities instead of just one, so that decision carries more potential cost in either direction. Further complicating update delivery: there is no indication (yet) that the cumulative approach applies to updates for Microsoft Office or any other non-OS product. .NET Framework updates will, however, also move to the cumulative download model, though those packages will remain separate from the operating system updates. Although it hasn't been explicitly stated, we're assuming that Internet Explorer updates will be included in the main cumulative update packages.
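The trade-off described above is easy to quantify. The following is an added illustration, not code from the original post: it models both delivery styles as packages mapping to the vulnerabilities they fix, then works out which vulnerabilities stay open when one fix is found to be defective and every package containing it has to be withheld. Under the per-KB model only that one fix is lost; under the cumulative model, the defective code is carried in every later package as well, so holding it back also holds back every fix released after it. The months and vulnerability identifiers (V1, V2, ...) are constructed placeholders, not real KB numbers.

```python
"""Compare per-KB patch delivery with monthly cumulative rollups.

Packages are modelled as dict[name -> set of vulnerability ids fixed].
Constructed sample data; the vulnerability ids are placeholders, not real KBs.
"""

# Constructed: which vulnerabilities are fixed in each monthly release.
MONTHLY_FIXES = {
    "2016-10": {"V1", "V2", "V3"},
    "2016-11": {"V4", "V5"},
    "2016-12": {"V6"},
}


def per_kb_packages(monthly_fixes):
    """Traditional model: one downloadable package per vulnerability."""
    return {
        f"{month}/{vuln}": {vuln}
        for month, fixes in sorted(monthly_fixes.items())
        for vuln in sorted(fixes)
    }


def cumulative_packages(monthly_fixes):
    """Cumulative model: each month's package carries every fix since the first month."""
    packages = {}
    covered = set()
    for month in sorted(monthly_fixes):
        covered = covered | monthly_fixes[month]
        packages[month] = set(covered)
    return packages


def exposure_from_defective_fix(packages, defective_fix):
    """Vulnerabilities left open when every package containing a defective fix is withheld.

    Withholding is forced on any package that ships the defective code, so under the
    cumulative model that is the month it appeared plus every later month.
    """
    all_fixes = set().union(*packages.values())
    approved = [name for name, fixes in packages.items() if defective_fix not in fixes]
    covered = set().union(*(packages[name] for name in approved)) if approved else set()
    return all_fixes - covered


def total_download_units(packages):
    """Relative download volume, counting one unit per fix carried in each package."""
    return sum(len(fixes) for fixes in packages.values())


if __name__ == "__main__":
    per_kb = per_kb_packages(MONTHLY_FIXES)
    cumulative = cumulative_packages(MONTHLY_FIXES)
    for label, model in (("per-KB", per_kb), ("cumulative", cumulative)):
        exposed = exposure_from_defective_fix(model, "V4")
        print(f"{label:10s} defective V4 -> still exposed: {sorted(exposed)}; "
              f"download units over three months: {total_download_units(model)}")
```

Withholding the defective V4 fix leaves one vulnerability open under the per-KB model but three under the cumulative one (V4 plus everything released after it), while the cumulative model transfers more bytes in total over the three months; that is the bandwidth cost the on-premises cache absorbs.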

This will likely remain a fluid situation as further details emerge about this major shift in how Microsoft delivers operating system patches. Stay tuned; more information to come as details become available!