locked
Products and Classification question RRS feed

  • Question

  • Hi,

    environment: Windows 7, 8.1, 2008R2, 2012R2 + Office

    I want to be sure that my previous selections in Products and Classifications: Critical and Security Updates are enough for getting all Security and Critical patches (Cumulative Updates now) for Windows 7, 8.1 and Servers2008R2.

    Should any other be selected for optimal security?

    Thanks.


    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

    Thursday, November 24, 2016 1:49 PM

Answers

  • this article explains the meaning of most of that

    https://support.microsoft.com/en-au/kb/824684


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by pob579 Saturday, November 26, 2016 2:56 AM
    Friday, November 25, 2016 11:48 PM
  • 'Quality' is used by MSFT to mean: improves the reliability/quality of the product/component.
    Fixes bugs/defects, improves performance, improves stability, etc
    Does *NOT* correct a security vulnerability...

    So, by your focus on "Security", you don't want "Quality" ?


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by pob579 Saturday, November 26, 2016 2:56 AM
    Friday, November 25, 2016 11:51 PM
  • I want security and quality :)

    Could theoretically, Critical Updates be unchecked in Products and Classifications, so Security Updates will cover all?

    Prior to October 2016, If you unselected the classification for "Critical Updates", leaving only the classification for "Security Updates" selected, you would not receive any "Quality" updates.

    With the introduction of the new rollups ("Security Only Quality Update" and "Security Monthly Quality Rollup"), both of these rollups incorporate 'security' updates, and so the classification for "Security Updates" will offer you a mixture of sec_only and sec+qual.

    If you approve the sec_only update, you just get security.
    If you approve the sec+qual update, you get both.
    There is no need to approve both sec_only & sec+qual, because the sec_only update is effectively a subset of the sec+qual update.
    The sec_only update is released at the same time as the sec+qual, and, the sec+qual update is immediately superseded by the sec+qual update.

    Note that at the moment, Office updates are not following this method.
    This method currently applies to 'Windows' and '.NET Framework'.

    https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

    https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/

    https://blogs.msdn.microsoft.com/dotnet/2016/08/15/introducing-the-net-framework-monthly-rollup/

    https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/

    https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollup-october-2016/


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by pob579 Sunday, November 27, 2016 4:00 AM
    Sunday, November 27, 2016 2:18 AM
  • Extremely clear explanation! 

    > Note that at the moment, Office updates are not following this method.

    1. Noted it. Do you know if MS planning to make it cumulative too?

    2. With this new update methods, can I conclude that freshly installed Windows 7 Pro will pull just a last month available Sec+Qual ignoring 8 years of updates for bringing a system up to date?

    3. Would System Clean up will "clean" all previous updates leaving just last month New method patch?

    1. Not sure about that. I haven't read/heard if MSFT will do that. (I suspect not, since the focus these days seems to be on C2R rather than MSI technology for Office)

    2. MSFT have mentioned that they intend to progressively add more/older fixes into these new rollups, but only sometime next year. Until that happens, you can expect a bigger patching burden.
    But, if you are using WindowsUpdate (not WSUS/ConfigMgr), WU does use an approach to not-offer superseded updates. For WSUS/ConfigMgr, this is not the case, i.e. superseded updates will be offered along with superseding updates.

    3. Not quite sure what you mean? Once updates are installed, the local database will always show those updates are installed, this never changes, in my experience, regardless of whether a rollup or CU is subsequently applied. (even if the rollup or CU actually replaces all the files previously applied). This is probably more to do with the SxS/GAC and how multiple 'versions' of files are retained in SxS/GAC, but perhaps also as a record/history. (that's a guess on my part ;)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by pob579 Sunday, November 27, 2016 1:46 PM
    Sunday, November 27, 2016 7:33 AM

All replies

  • Hi pob,

    Yeah, it is.

    Here is a method to check what "Products and Classifications" you need to check. You may check Microsoft Update Catalog, and search for specific updates, then you may see what products and classifications it belongs to:

    https://catalog.update.microsoft.com/v7/site/Home.aspx

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, November 25, 2016 2:51 AM
  • So now, they all are security? No critical?

    I like the word Quality :)... what it really means?

    You can read it "Security Only" or "Only quality" :) .


    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

    Friday, November 25, 2016 12:07 PM
  • this article explains the meaning of most of that

    https://support.microsoft.com/en-au/kb/824684


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by pob579 Saturday, November 26, 2016 2:56 AM
    Friday, November 25, 2016 11:48 PM
  • 'Quality' is used by MSFT to mean: improves the reliability/quality of the product/component.
    Fixes bugs/defects, improves performance, improves stability, etc
    Does *NOT* correct a security vulnerability...

    So, by your focus on "Security", you don't want "Quality" ?


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by pob579 Saturday, November 26, 2016 2:56 AM
    Friday, November 25, 2016 11:51 PM
  • I want security and quality :)

    Could theoretically, Critical Updates be unchecked in Products and Classifications, so Security Updates will cover all?

    Thanks Don.


    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis


    • Edited by pob579 Saturday, November 26, 2016 2:59 AM
    Saturday, November 26, 2016 2:56 AM
  • I want security and quality :)

    Could theoretically, Critical Updates be unchecked in Products and Classifications, so Security Updates will cover all?

    Prior to October 2016, If you unselected the classification for "Critical Updates", leaving only the classification for "Security Updates" selected, you would not receive any "Quality" updates.

    With the introduction of the new rollups ("Security Only Quality Update" and "Security Monthly Quality Rollup"), both of these rollups incorporate 'security' updates, and so the classification for "Security Updates" will offer you a mixture of sec_only and sec+qual.

    If you approve the sec_only update, you just get security.
    If you approve the sec+qual update, you get both.
    There is no need to approve both sec_only & sec+qual, because the sec_only update is effectively a subset of the sec+qual update.
    The sec_only update is released at the same time as the sec+qual, and, the sec+qual update is immediately superseded by the sec+qual update.

    Note that at the moment, Office updates are not following this method.
    This method currently applies to 'Windows' and '.NET Framework'.

    https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

    https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/

    https://blogs.msdn.microsoft.com/dotnet/2016/08/15/introducing-the-net-framework-monthly-rollup/

    https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/

    https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollup-october-2016/


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by pob579 Sunday, November 27, 2016 4:00 AM
    Sunday, November 27, 2016 2:18 AM
  • Extremely clear explanation! 

    > Note that at the moment, Office updates are not following this method.

    1. Noted it. Do you know if MS planning to make it cumulative too?

    2. With this new update methods, can I conclude that freshly installed Windows 7 Pro will pull just a last month available Sec+Qual ignoring 8 years of updates for bringing a system up to date?

    3. Would System Clean up will "clean" all previous updates leaving just last month New method patch?

    Thanks.


    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

    Sunday, November 27, 2016 4:11 AM
  • Extremely clear explanation! 

    > Note that at the moment, Office updates are not following this method.

    1. Noted it. Do you know if MS planning to make it cumulative too?

    2. With this new update methods, can I conclude that freshly installed Windows 7 Pro will pull just a last month available Sec+Qual ignoring 8 years of updates for bringing a system up to date?

    3. Would System Clean up will "clean" all previous updates leaving just last month New method patch?

    1. Not sure about that. I haven't read/heard if MSFT will do that. (I suspect not, since the focus these days seems to be on C2R rather than MSI technology for Office)

    2. MSFT have mentioned that they intend to progressively add more/older fixes into these new rollups, but only sometime next year. Until that happens, you can expect a bigger patching burden.
    But, if you are using WindowsUpdate (not WSUS/ConfigMgr), WU does use an approach to not-offer superseded updates. For WSUS/ConfigMgr, this is not the case, i.e. superseded updates will be offered along with superseding updates.

    3. Not quite sure what you mean? Once updates are installed, the local database will always show those updates are installed, this never changes, in my experience, regardless of whether a rollup or CU is subsequently applied. (even if the rollup or CU actually replaces all the files previously applied). This is probably more to do with the SxS/GAC and how multiple 'versions' of files are retained in SxS/GAC, but perhaps also as a record/history. (that's a guess on my part ;)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by pob579 Sunday, November 27, 2016 1:46 PM
    Sunday, November 27, 2016 7:33 AM
  • sorry, when I asked: "Would System Clean up will "clean" all previous updates leaving just last month New method patch?"  I ment not System but Disk CleanUP by Cleanmgr.exe... Then I checked again about cleanmgr... basically it not cleans up superseded KBs from the OS. So my question is not valid.

    As we know Windows 7 is under extended support only (Mainstream is ended) and is intended to provide security only updates. With the introduction of Quality there will be probably OS improvement updates(like registry, Microsoft video Control). I just think that in environment with some old legacy application Quality updates may create real problems... So may be the option for separating Security Only and Quality updates will be useful for some group of computers.

    Thanks for explanations!


    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

    Sunday, November 27, 2016 1:46 PM