none
Detection change needed for KB925673 - MSXML 6.0 RTM Security Update

    Question

  • As Update "MSXML 6.0 RTM Security Update (925673)" is falsely reported as "Installed" and "Applicable"on every Computer in WSUS, even on Windows 8.1 systems, the detection routine of this update needs to be reworked by MS engineering to report this update correctly as "Not Applicable" for all computers, where this update is indeed not installed and cannot be. I also wonder why this error in KB925673 as part of MS06-061 is overseen such a long time.




    • Edited by YellowShark Wednesday, September 25, 2013 12:03 PM
    Wednesday, September 25, 2013 11:53 AM

Answers

  • then KB927977 would supersede this faulty update and everything would be just fine.

    If KB927977 were capable of superseding that update, it would supersede that update, and the category/classification of publication wouldn't mean crap. But KB927977 does not supersede that update, because KB925673 contains files that are NOT contained in KB927977. BOTH updates are required.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, September 27, 2013 9:29 PM
    Moderator

All replies

  • As Update "MSXML 6.0 RTM Security Update (925673)" is falsely reported as "Installed" and "Applicable"onevery Computer in WSUS, even on Windows 8.1 systems, the detection routine of this update needs to be reworked by MS engineering to report this update correctly as "Not Applicable" for all computers, where this update is indeed not installed and cannot be.

    I'm curious as to what expertise and product knowledge you bring to the table to make such a claim?

    Why exactly do you think this update should be reported as NotApplicable on all computers?

    I also wonder why this error in KB925673 as part of MS06-061 is overseen such a long time.

    Well, truly .... that should have been your FIRST clue.

    The issue is not with the update package, but methinks merely your interpretation of the reality.

    In fact, this update is a current Security Update for MSXML6. MSXML6 is a feature that has shipped with almost every OS and product for the past eight years.

    Frankly, I would be critically concerned if any system showed up claiming this update was either "NotInstalled" or "NotApplicable"! In fact, the only systems in my entire inventory that show this update "NotApplicable" are two Windows Server 2003 SP2 systems, and I know exactly why they don't have MSXML6 installed. These days, not having MSXML6 installed, and thus this update truly being "NotApplicable" is a very rare condition.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Wednesday, September 25, 2013 11:08 PM
    Moderator
  • Lawrence, thank you for responding. To reproduce and understand this issue: please connect a newly installed Windows 8 system to your WSUS. Let it detect and install all missing updates. Then check on this Windows 8 system the update history: you will not find KB925673. Check on WSUS which updates are reported as installed on this system: you will find KB925673 mentioned with status "Installed" in its Status Report. So actually there is a flaw in the detection routine of this update. And this update is the only one with this kind of erroneous routine.

    And to even more clarify: I am not talking about the MSXML6-issues and preinstalled versions of these files themselves. Of course they are shipped, even in newer versions than stated in http://support.microsoft.com/kb/925673/en-us. But this has nothing to do with an update reported as been installed when it isn't. Or in other words: Because this issue from 2006 is already fixed in newer Windows OS, there is no need to install this way old update, so the status should be in all of this cases "Not Applicable", got it?

    • Edited by YellowShark Thursday, September 26, 2013 12:00 PM
    Thursday, September 26, 2013 7:45 AM
  • It is indeed very likely (almost certain) that a patch from 2006 has been integrated into the main Windows 8 branch, however it is also possible that this QFE is being picked up by Windows OOBE or some early process that detects and installs updates at a point in the Windows installation process that would not cause the update to be shown in the update history (e.g. the new "Direct Update" feature in Windows 8 setup).

    May I ask what effect this bug is having on you other than a status being incorrectly displayed?

    Thursday, September 26, 2013 8:09 AM
    Moderator
  • > May I ask what effect this bug is having on you other than
    > a status being incorrectly displayed?

    We do some kind of elaborated reporting statistics and this issue bothers me, - as simple as that ;-) When dealing with updates I expect - besides an improvement in security, reliability and stability when installing them - correctness. Correctness is a big portion of updating process, right? So MS engineering should fix this issue, as it corrupts WSUS statistics.


    • Edited by YellowShark Thursday, September 26, 2013 11:59 AM
    Thursday, September 26, 2013 8:35 AM
  • And here is how MS could fix the issue  - actually we looked by ourselves a bit more into it: The classification of this update is wrong! Currently it is filed under:

    ProductFamily - SQL Server
    Products - SQL Server Feature Pack

    If this update would correctly list under

    ProductFamily - Windows
    Products - Windows 2000; Windows Server 2003, Datacenter Edition; Windows Server 2003; Windows XP; Windows XP x64 Edition

    then KB927977 would supersede this faulty update and everything would be just fine.

    BTW: Do I get some Voting Points for bringing this up? Maybe you, Lawrence, can give me some of yours as a small compensation for the harshness you showed - even as a "Moderator"...



    • Edited by YellowShark Thursday, September 26, 2013 12:00 PM
    Thursday, September 26, 2013 10:52 AM
  • please connect a newly installed Windows 8 system to your WSUS. Let it detect and install all missing updates. Then check on this Windows 8 system the update history: you will not find KB925673. Check on WSUS which updates are reported as installed on this system: you will find KB925673 mentioned with status "Installed" in its Status Report. So actually there is a flaw in the detection routine of this update.

    No, there isn't. With all respect, the only flaw here is in your misinterpretation of the status "Installed".

    The update *IS*  installed. The FILE provided by KB925673, MSXML6.DLL, is the exact version physically present on the computer. It's not in the Windows Update History because the Windows Update Agent did not install the update. Neither did you. The update shipped with the operating system ALREADY INSTALLED.

    The update cannot be "Not Applicable" because it IS INSTALLED.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, September 27, 2013 9:22 PM
    Moderator
  • And here is how MS could fix the issue  - actually we looked by ourselves a bit more into it: The classification of this update is wrong! Currently it is filed under:

    ProductFamily - SQL Server
    Products - SQL Server Feature Pack

    The reason this update is in this category/classification is because in 2006, when the update package was created/published, the ONLY product that shipped MSXML v6 was SQL Server 2005. The update is still 100% applicable to every SQL Server instance since then, but, of course, is now also applicable to some not-SQL Server scenarios as well. Not really of major consequence, as the only thing the category/classification impacts is whether the update is available to you, in the console, to be approved. The category/classification does NOT impact the machines that the update is detected as Needed, Installed, or Not Applicable.

    I'm curious, though, as to what "Fix" would result from changing the product/classification on this update. (It's not going to happen, of course, but I am curious about your thoughts.)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, September 27, 2013 9:25 PM
    Moderator
  • then KB927977 would supersede this faulty update and everything would be just fine.

    If KB927977 were capable of superseding that update, it would supersede that update, and the category/classification of publication wouldn't mean crap. But KB927977 does not supersede that update, because KB925673 contains files that are NOT contained in KB927977. BOTH updates are required.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, September 27, 2013 9:29 PM
    Moderator
  • Hi,

    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Cataleya Li
    TechNet Community Support

    Monday, September 30, 2013 6:51 AM
    Moderator
  • The update *IS*  installed. The FILE provided by KB925673, MSXML6.DLL, is the exact version physically present on the computer. 

    ...

    The update shipped with the operating system ALREADY INSTALLED.

    The update cannot be "Not Applicable" because it IS INSTALLED.

    I find these versions on standard Windows 7 and 8.1 systems:

    Windows 7:      6.30.7601.17988 2013-01-08  19:47:44 1.33 MB
    Windows 8.1:   6.30.9600.16384 2013-08-22  03:42:26 1.64 MB

    With KB925673 this version is installed according to http://support.microsoft.com/kb/925673/en-us:

    KB925673:       6.0.3888.0     2006-09-01  12:08:00 1.27 MB

    I do not find this (way old) version of MSXML6.DLL on my "patched" systems, do you really? So what is your meaning of the words "exact version"?



    • Edited by YellowShark Wednesday, October 30, 2013 6:08 PM
    Wednesday, October 30, 2013 6:04 PM
  • I do not find this (way old) version of MSXML6.DLL on my "patched" systems, do you really? So what is your meaning of the words "exact version"?

    Because the question is NOT about the MSXML6.DLL file!

    As previously stated:

    KB925673 contains files that are NOT contained in KB927977. BOTH updates are required.

    The question is about the MSXML6R.DLL file which is ONLY updated by KB925673, plus potentially MSXML4.DLL and MSXML4R.DLL. If any one of those three files is not current, then KB925673 is Not Installed.

    BOTH updates are REQUIRED.

    If all FOUR files are at or above the required version, then those two updates will be reported as Installed -- even if you didn't actually install them!


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence R Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Saturday, November 02, 2013 5:32 PM
    Moderator