.Net Framework Security and Quality Rollup vs Security Only Update - Files not Being Patched - WSUS

  • Question

  • Here's the scenario:

    Our server admins are distributing the monthly "Security Only" updates for .NET Framework via WSUS, yet our vulnerability scanner triggered with these two alerts:

    -  Security and Quality Rollup for .NET Framework (April 2017) [KB 4014559]

    \Windows\Microsoft.NET\Framework\v4.0.30319\Wminet_utils.dll has not been patched.
        Remote version : 4.0.30319.36387
        Should be      : 4.0.30319.36388

    - Security and Quality Rollup for .NET Framework (May 2017) [KB 4019112]

    \Windows\Microsoft.NET\Framework\v4.0.30319\system.dll has not been patched.
        Remote version : 4.0.30319.36391
        Should be      : 4.0.30319.36392

    We have since patched the servers using the "Security and Quality Rollup" patch versus the "Security Only" patch. My question is: why are updates to these files not included in the "Security Only" patches? My server team is reluctant to distribute the "Security and Quality Rollup" patches as it is against MSFT's best practices as stated in the following link:


    "The Security Only Update is recommended for production machines."

    "The Security and Quality Rollup is recommended for consumer and developer machines."

    Is anybody else seeing this?  If so, can you provide me with some insight?

    Thursday, July 6, 2017 3:27 PM

All replies

  • Hi Sir,

    Based on my understanding, these DLL files might only be replaced by "quality rollup" patches.

    I mean, the "security update" replaces the files which have a security risk, and that does not include the files above.

    Best Regards,



    • Edited by Elton_Ji Tuesday, July 11, 2017 11:11 AM
    • Proposed as answer by Elton_Ji Sunday, August 13, 2017 3:05 PM
    Tuesday, July 11, 2017 11:10 AM
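
To confirm the scanner's file-version findings directly on a server, the following PowerShell check compares the two DLLs named in the alerts against the "Should be" versions the scanner reported. It is an added example, not part of the original thread; the function name `Test-FileVersion` is hypothetical, and it assumes `$env:windir` is the `\Windows` directory the scanner refers to.

```powershell
# Expected versions are the "Should be" values from the scanner alerts in the question.
$checks = @(
    @{ Path = 'Microsoft.NET\Framework\v4.0.30319\Wminet_utils.dll'; Expected = '4.0.30319.36388'; KB = 'KB 4014559' },
    @{ Path = 'Microsoft.NET\Framework\v4.0.30319\system.dll';       Expected = '4.0.30319.36392'; KB = 'KB 4019112' }
)

# Hypothetical helper: reports whether a file is at or above the expected version.
function Test-FileVersion {
    param(
        [Parameter(Mandatory = $true)] [string]  $FullPath,
        [Parameter(Mandatory = $true)] [version] $Expected,
        [string] $KB
    )

    if (-not (Test-Path -LiteralPath $FullPath)) {
        return [pscustomobject]@{ KB = $KB; File = $FullPath; Installed = $null; Expected = $Expected; Status = 'Missing' }
    }

    $info = (Get-Item -LiteralPath $FullPath).VersionInfo

    # Build the version from the numeric parts: the FileVersion string can carry
    # trailing text that [version] cannot parse.
    $installed = New-Object System.Version -ArgumentList `
        $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart

    $status = if ($installed -ge $Expected) { 'OK' } else { 'Below expected' }

    [pscustomobject]@{ KB = $KB; File = $FullPath; Installed = $installed; Expected = $Expected; Status = $status }
}

$results = foreach ($c in $checks) {
    Test-FileVersion -FullPath (Join-Path $env:windir $c.Path) -Expected $c.Expected -KB $c.KB
}

$results | Format-Table -AutoSize
```

Running it before and after applying an update shows whether that package actually changed the flagged files, which is the difference between the two update types that the thread is asking about.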