locked
Windows 7 Patch Supersedence RRS feed

  • Question

  • I'm trying to create a patch group to fill the gaps between Win7 SP1, the convenience rollup, and the latest monthly rollup. I've installed the convenience rollup and the latest rollup for Jan 2017 and then scanned with the baseline security analyzer. One of the updates it shows as missing is K3072630 which has been disabled in WSUS. It shows the update that supersedes it as KB3205394 which is the Dec 2016 rollup. Is there a time frame when WSUS should have the correct supersedence in place?  

    Since Jan 2017 KB3212646 replaces the Dec 2016 KB3205394, you'd think that you would also see that listed as an update that supersedes K3072630. Unless the monthly rollups really don't contain all updates from the previous month like they are supposed to.

    I'm not sure if MSBSA verifies files or just looks at installed updates.  

    Thanks,

    Glenn

    Thursday, January 26, 2017 5:24 PM

All replies

  •  It shows the update that supersedes it as KB3205394 which is the Dec 2016 rollup.

    No, KB3205394 is not the cumulative update ("rollup"), it is the "Security Only" update (not cumulative). KB3072630 is not superseded by any other update. So, if you only install the "rollups" you must also install KB3072630. Your security analyzer is correct. When I discovered this myself I posted over in the CM forum:

    Heads up: KB3072630 for Win7 and Server2008 only superseded by "December Security Only" update.


    Rolf Lidvall, Swedish Radio (Ltd)



    • Edited by Rolf Lidvall Thursday, January 26, 2017 7:50 PM clarify
    Thursday, January 26, 2017 7:41 PM
  • Here is an article explaining the difference between the Security Only and the Security Monthly updates:

    More on Windows 7 and Windows 8.1 servicing changes


    Rolf Lidvall, Swedish Radio (Ltd)

    Thursday, January 26, 2017 8:00 PM
  • Thanks Rolf,

    They must have goofed. If you look at the article for 3205394, https://support.microsoft.com/en-us/help/3205394/december-2016-security-only-quality-update-for-windows-7-sp1-and-windows-server-2008-r2-sp1 , it states: The security fixes that are listed in this Security Only Quality Update 3205394 are also included in December 2016 Security Monthly Quality Rollup 3207752 . Installing either update 3205394 or 3207752 installs the security fixes that are listed here.

    When you check the article for Jan rollup KB3212646, https://support.microsoft.com/en-us/help/3212646, it states that:  This security update also includes improvements and fixes from update 3207752. To learn more about the improvements and fixes in this update, see the December 13, 2016—KB3207752 (Monthly Rollup) entry in the Windows 7 SP1 and Windows Server 2008 R2 SP1 update history.

    Important: The security fixes that are listed in the "Summary" section of this Security Monthly Quality Rollup 3212646 are also included in January 2017 Security Only Quality Update 3212642 . Installing either update installs the security fixes that are listed here. This Security Monthly Quality Rollup also includes improvements and fixes from previous monthly rollups.


    So I really should be able to install KB3212646 and be covered for KB3072630.

    Thursday, January 26, 2017 8:51 PM
  • There is absolutely something that's not right here. I haven't made any conclusive tests, but when I did test exactly like you did, with only rollups, KB3072630 did in fact install after the rollups install. So, I decided to keep it. 

    Rolf Lidvall, Swedish Radio (Ltd)

    Thursday, January 26, 2017 9:53 PM
  • Hi GlennSmith,

    KB3072630 is superseded by KB3205394, KB3205394 is superseded by KB3212646, so if we install the latest monthly security rollup, then, we do not need to install the pervious ones or the superseded updates.

    As for the mismatch information in WSUS server, we may check the Microsoft Update Catalog, as KB3205394 is updated on 12/12/2016, at that time, the Jan rollup haven't release, so the information may a little out of data, and the WSUS server share the same metadata with Microsoft Update Catalog:

    What more, is recommended to run Server Cleanup Wizard monthly, so that superseded updates may be deleted from Content folder.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, January 27, 2017 2:55 AM
  •  KB3205394 is superseded by KB3212646

    No, it's not and that's one part of the "Security Only" updates concept; they are never superseded. Explained in the link I provided in my previous post.


    Rolf Lidvall, Swedish Radio (Ltd)



    • Edited by Rolf Lidvall Friday, January 27, 2017 2:04 PM clarify
    Friday, January 27, 2017 1:49 PM
  • Hi Rolf,

    Thanks for all your input. Although you are correct that a security only update is never superseded it's corresponding  security monthly quality rollup do supersede the previous months. So December's security monthly quality rollup should have contained the same patches as the security only. I'm going to have to look up the original KB and verify the versions of the DLLs it updates to see if MSBSA is giving me an accurate assessment.

    It's odd that the WSUS view of K3072630 only shows the Dec security only update as superseding it and did not include Dec security monthly quality rollup, which should include everything that is in the security only update.

    Friday, January 27, 2017 5:31 PM
  • Hi Rolf,

    Thanks for all your input.


    Hi, no problem at all.

    So December's security monthly quality rollup should have contained the same patches as the security only.


    Correct, that's what MS said from the beginning of this new concept, but I suspect technical issues stopped them from doing this with KB3072630.

    I'm going to have to look up the original KB and verify the versions of the DLLs it updates to see if MSBSA is giving me an accurate assessment.


    Great, please post your results back here. Cheers!

    Rolf Lidvall, Swedish Radio (Ltd)

    Friday, January 27, 2017 7:26 PM