How does WSUS see that a Security Update is needed?
- Does it check the file versions in the system, the registry or both?
/Maekee
All Replies
Well, =WSUS= doesn't check anything. The Windows Update Agent determines if an update "isInstallable", and the methodology used is distinct to each specific update package. Typically (ideally!) it's based on file versions, but sometimes it's based merely on the presence of a registry value.
Do you have a specific Security Update you're concerned about, or is this just a general question?
If just a general question, you may find the SCUP Updates Publisher Rules section of the System Center TechNet documentation to be of interest.
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
My Blog: http://onsitechsolutions.spaces.live.com

Hi Lawrence,
Yes, I have found with the help of a 3rd-party program that files in the system are "old" and the Windows Update Agent reports that the patch is installed, so I would like to see how it knows this. So it's the Update Publisher Rules that detect this?
How do I see which Requirements (Rules) a Security Update uses to see if a patch is installed?

"How do I see which Requirements (Rules) a Security Update uses to see if a patch is installed?"
The specific files that are replaced/affected by an update are documented in the associated KB article or MSRC Bulletin. You should refer to those documents to get the actual filenames, dates, and sizes that should exist, and then manually/visually inspect the actual files in the filesystem to determine if they are actually present.
Relying on third-party tools is a good starting place, but those tools can also provide false indications if the scanning engine is based on outdated information.
The best inspection methodology is always first hand direct-to-the-source validation.
Lawrence Garvin, M.S., MCITP:EA, MCDBA

Hi,
Good, then I'm on the right track. We use Symantec ESM to scan, and this application has found that several files that patches update are out of date version-wise.
And when I look in the system, the files actually have the old version and not the updated one, but Microsoft's Update Agent doesn't report that the Security Update is needed?
Then I get confused and wonder why.
In some places Microsoft says, for example, that SP2 is needed, and on another page they don't mention anything about SP2.. I don't know what to trust.
Let's take MS09-051 (KB954155) for example:
Here: http://www.microsoft.com/technet/security/Bulletin/MS09-051.mspx
It says that 2003 SP2 is needed for KB954155.
But if I check here (KB Article): http://support.microsoft.com/kb/954155/en-us
it says: "For Windows Format Media Runtime 9.5 for all supported x86-based versions of Windows Server 2003"
Service branch: SP1GDR, SP1QFE, SP2GDR and SP2QFE.
Sooo? Is SP1 affected for KB954155?
I saw in a forum that if I, for example, install a pretty new Security Update, the files are updated.. and then install, for example, a hotfix/older Service Pack.. the files are replaced back to old versions, and even if the new security update files are replaced.. it's not needed again.. can this happen?
/Maekee

"It says that 2003 SP2 is needed for KB954155."
And this is why it's important to discuss the *environment* before leading people off into solving problems. :-)
The reason nothing is detecting is because Windows Server 2003 SP1 became an unsupported platform in April, 2009, and nothing released since then is applicable to or will detect on a Win2003SP1 machine.
First Step: Install Service Pack 2 to EVERY Windows Server 2003 machine.
THEN re-evaluate the updates reported as Needed on the WSUS Server for those Win2003SP2 machines.
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Marked As Answer by Lawrence Garvin, MVP, Moderator, Tuesday, November 10, 2009 4:13 PM
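
The cross-check this thread arrives at, as an added PowerShell example (not code from any of the posters): it prints the service pack level, asks the Windows Update Agent through its COM API whether it reports the KB as installed or needed, and compares on-disk file versions with a table you fill in from the KB article. The file path and minimum version in `$Expected` are placeholders, not values from KB954155.

```powershell
# Added example, not from the thread. Fill $Expected from the file information
# table of the KB article; the entry below is a placeholder, not real KB data.
$KB = '954155'
$Expected = @(
    @{ Path = "$env:SystemRoot\system32\PLACEHOLDER.dll"; MinVersion = '0.0.0.0' }
)

# 1. Platform: the bulletin states which service pack level the update targets.
$os = Get-WmiObject Win32_OperatingSystem
"OS: {0} (version {1}), Service Pack {2}" -f $os.Caption, $os.Version, $os.ServicePackMajorVersion

# 2. What the Windows Update Agent itself reports for this KB. On a managed
#    client the search runs against the configured update server (WSUS).
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
function Test-KbInResult([string]$Criteria) {
    foreach ($u in $searcher.Search($Criteria).Updates) {
        if (@($u.KBArticleIDs) -contains $KB) { return $true }
    }
    return $false
}
$installed = Test-KbInResult "IsInstalled=1 and Type='Software'"
$needed    = Test-KbInResult "IsInstalled=0 and Type='Software'"
if     ($installed) { "WUA: KB$KB reported as installed" }
elseif ($needed)    { "WUA: KB$KB reported as needed" }
else                { "WUA: KB$KB reported as neither installed nor needed" }

# 3. First-hand check of the files on disk against the KB's file table.
foreach ($f in $Expected) {
    if (-not (Test-Path $f.Path)) { "MISSING   $($f.Path)"; continue }
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($f.Path)
    $actual = [version]("{0}.{1}.{2}.{3}" -f $vi.FileMajorPart, $vi.FileMinorPart,
                        $vi.FileBuildPart, $vi.FilePrivatePart)
    $state = if ($actual -ge [version]$f.MinVersion) { 'OK       ' } else { 'OUTDATED ' }
    # The FileVersion string often includes the service branch next to the number.
    "$state $($f.Path)  on disk: $($vi.FileVersion)  expected >= $($f.MinVersion)"
}
```

A result of "neither installed nor needed" together with OUTDATED files is the combination described in this thread, and the service pack line printed in step 1 is the first thing to compare against the bulletin.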

Eeh.. unsupported?? What the frack..
That explains a bit, how can this get past me then.. strange.
Do you have a link/article from MS where they explain more about this? I need this information so I can make sure SP2 gets installed.. can't say I saw it in a forum and that's why it has to be installed.
I understand that they always to update to SP2 before getting into a Support Case, but not to release updates to SP1.. ???
/Maekee

"Do you have a link/article from MS where they explain more about this?"
http://support.microsoft.com/?pr=lifecycle is the starting point.
http://support.microsoft.com/?pr=lifecycle#ServicePackSupport covers information specific to service packs.
Basic premise: OS service packs are only supported for 24 months after the next service pack is released. SP2 was released in March, 2007.
Lawrence Garvin, M.S., MCITP:EA, MCDBA

Hi,
I want to see if the information provided was helpful. Please keep us posted on your progress and let us know if you have any additional questions or concerns.
We are looking forward to your response.
Thanks

