locked
MBSA and Windows Update discrepancy RRS feed

  • Question

  • I have a 64bit Windows 7 SP1 laptop with MBSA 2.2 installed.  When I run Windows Update, the updater shows that there are no updates that I need to install.  When I run MBSA, it says that there are 9 updates (one critical) and that the service pack installation has a problem.  I just ran Windows Update this past week and it notified me of updates that I needed to install.  I installed them and they all installed correctly.  Windows Update also indicates that the service pack installed correctly.  I also ran a third party tool (Belarc Advisor) which said I needed to install 9 updates to my computer.  This agrees with MBSA.  I tried installing the latest version of Windows Update over the top of the present installation (which was already the latest version), but Windows Update still says I have no updates pending.  Why the discrepancy?  Should I be worried that MBSA and Belarc Advisor disagree with Windows Update?  If so, how do I fix this issue?  Thanks in advance for your help.

     

    Saturday, August 13, 2011 2:41 PM

Answers

  • Make sure that your machine is opt'ed into Microsoft Update - not just Windows Update.  Check on Control Panel, Windows Update and look at the row that indicates, "You receive updates:".  If it indicates 'Just Windows', you're not seeing updates for all Microsoft products that may be installed on your PC.

    MBSA scans using the Microsoft Update service - which is a superset of the Windows-only Windows Update service.  This is likely the discrepancy.  Please post back to let us know if this resolved your issue.  Thanks!


    Doug Neal - Microsoft Update and MBSA
    • Proposed as answer by Doug Neal Tuesday, August 16, 2011 7:09 PM
    • Marked as answer by gracegracegrace Tuesday, August 16, 2011 11:11 PM
    Tuesday, August 16, 2011 7:08 PM
  • And this is exactly correct.

    Microsoft Update provides updates for *security updates, *update rollups, *service packs, critical updates, (non-critical) updates, feature packs, drivers, tools and definition updates.

    MBSA is a security scan tool and only reports missing *security updates, *update rollups and *service packs.

         * denotes found in both

    I hope that helps.


    Doug Neal - Microsoft Update and MBSA
    • Edited by Doug Neal Tuesday, October 18, 2011 6:35 PM
    • Proposed as answer by bkruiser Tuesday, October 18, 2011 7:42 PM
    • Marked as answer by Doug Neal Tuesday, October 18, 2011 8:23 PM
    Tuesday, October 18, 2011 6:34 PM

All replies

  • Make sure that your machine is opt'ed into Microsoft Update - not just Windows Update.  Check on Control Panel, Windows Update and look at the row that indicates, "You receive updates:".  If it indicates 'Just Windows', you're not seeing updates for all Microsoft products that may be installed on your PC.

    MBSA scans using the Microsoft Update service - which is a superset of the Windows-only Windows Update service.  This is likely the discrepancy.  Please post back to let us know if this resolved your issue.  Thanks!


    Doug Neal - Microsoft Update and MBSA
    • Proposed as answer by Doug Neal Tuesday, August 16, 2011 7:09 PM
    • Marked as answer by gracegracegrace Tuesday, August 16, 2011 11:11 PM
    Tuesday, August 16, 2011 7:08 PM
  • That was it. It's a little confusing...I just assumed Windows Updates included Microsoft Updates. Thanks for the help!
    Tuesday, August 16, 2011 11:13 PM
  • Thanks for writing back and confirming that was the issue.  Glad you're in working order now.  Cheers!
    Doug Neal - Microsoft Update and MBSA
    Wednesday, August 17, 2011 1:32 AM
  • My issue is that MBSA shows only a subset of what Microsoft Update is showing. 

    I am using the newest mbsa 2.2

    • Win Admin vuln
    • Weak pass
    • iss
    • sql
    • check sec updates
    •      advanced
    •             - scan using MS update only

    Microsoft update Result
     
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB971029)
    *Update for Lync 2010 X86 (KB 2571543)
    *Security Update for Office 2003 (KB954478)
    *Security Update for Microsoft Office 2003 (KB953404)
    *Visio 2003 Service Pack 3 (SP3)
    *Security Update for Microsoft Office Visio 2003 (KB947650)
    *Security Update for Office 2003 (KB945185)
    *Security Update for Office 2003 (KB936048)
    *Security Update for Office 2003 (KB920813)
    Update for Office 2003 (KB925251)
    Update for Office 2003 (KB919029)
    Update for Microsoft Office 2007 System (KB2539530)
    Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Update for Outlook Social Connector 2010 (KB2583935), 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553092), 32-Bit Edition
    Update for Microsoft Office 2010 (KB2566458), 32-Bit Edition

    MBSA result
    *2571543,Missing,Update for Lync 2010 X86 (KB 2571543) |  |
    MS07-030,Missing,Security Update for Visio 2003 (KB931281) | Critical |
    *MS07-013,Missing,Security Update for Office 2003 (KB920813) | Important |
    *MS08-013,Missing,Security Update for Office 2003 (KB945185) | Important |
    *MS08-055,Missing,Security Update for Microsoft Office 2003 (KB953404) | Important |
    *MS08-052,Missing,Security Update for Office 2003 (KB954478) | Important |
    *MS07-042,Missing,Security Update for Office 2003 (KB936048) | Important |
    *MS08-019,Missing,Security Update for Microsoft Office Visio 2003 (KB947650) | Important |
    *923620,Missing,Visio 2003 Service Pack 3 (SP3) |  |

    * denotes found in both

    Tuesday, October 18, 2011 6:18 PM
  • And this is exactly correct.

    Microsoft Update provides updates for *security updates, *update rollups, *service packs, critical updates, (non-critical) updates, feature packs, drivers, tools and definition updates.

    MBSA is a security scan tool and only reports missing *security updates, *update rollups and *service packs.

         * denotes found in both

    I hope that helps.


    Doug Neal - Microsoft Update and MBSA
    • Edited by Doug Neal Tuesday, October 18, 2011 6:35 PM
    • Proposed as answer by bkruiser Tuesday, October 18, 2011 7:42 PM
    • Marked as answer by Doug Neal Tuesday, October 18, 2011 8:23 PM
    Tuesday, October 18, 2011 6:34 PM
  • Thank you
    Tuesday, October 18, 2011 7:12 PM
  • Doug,

    Is there any chance of ever getting ALL the info out of MBSA?  (critical updates, (non-critical) updates, feature packs, drivers, tools and definition updates.) 

    We patch via SCCM but we verify with MBSA, it is a bit of a pain having different catalogues.

    Ps, I would love it if you brought back the download button on mbsa... but this time point the button to the Microsoft Update Catalog.

    thanks again!

    Brian

    Tuesday, October 18, 2011 7:26 PM
  • Sorry, but as a security scan tool, MBSA will never be designed to changed to include updates that don't have security implications.

    And the download button (and any link to a corresponding download on the MU catalog site) isn't technically possible.  It's a great idea - and we would love to provide it.  The short version is back when updates were new (2002), they only contained one EXE (one package) that contained the needed update, a Download Button would work (and it did for many years).  But in the present (2011), an update package may contain multiple files that do many things - one may be the primary payload to provide the update, another could be a neeed language pack or locale-specific improvement, another could be a 'helper' file to help an the primary payload install without problems, etc.

    The WSUSSCN2.CAB file and the MU logic that provides the links to the corresponding and individual updates within a packges couldn't distinguish which update was 'the' single update that was needed.  And it was no longer the right choice to attempt to install an update without a helper file, locale-specific DLLs or other installer helpers since it may repeatedly fail to install without the necessary helper file(s).

    So, due to MBSA's inability to programatically determine the one file that a customer should download, the fact that it was no longer true that one file could successfully (and rightly and comprehensively) resolve a security issue on its own - combined with the customer outcry that the download link we provided was (almost) always pointing to the wrong location (because of the aforementioned issues), we removed it.  There's no single download link to a single file we can ever provide that will be the right thing to do for our customers.  As a result, it's not only gone, it won't be coming back.

    I hope that helps.


    Doug Neal - Microsoft Update and MBSA

    • Edited by Doug Neal Tuesday, October 18, 2011 8:25 PM
    Tuesday, October 18, 2011 8:23 PM
  • The difference is that Windows Update will only show you Critical and Important Security Updates only including Service Packs. But MBSA will show you all the aforementioned and many more (non-security patches and tools). Hence using MBSA is more comprehensive.
    Saturday, July 14, 2012 3:53 PM
  • That's not accurate.

    Windows Update will show all classifications of updates (5 of which have an Important designation, 3 of which have a recommendated designation and 2 that are Optional) - and only for updates for the Windows operating system, no other Microsoft software.

    Microsoft Update (once you've opt'ed into Microsoft Update via the Control Panel | Windows Update applet) will also show all of the same classificaitons of updates as WU, but for all Microsoft products that are installed on the PC (Windows Update for Windows and Microsoft Updates for Office, SQL Server, Exchange, Windows Live, etc.).

    MBSA performs a Microsoft Update scan for only 3 classifications of updates: Security Updates, Service packs and Update Rollups (3 of the 5 'Important' designations).  So, while MBSA will show more updates related to security/service pack/update rollups than a PC that's only receiving updates for WIndows (Windows Updates).  It does not display all 10 classificaitons of updates, only 3.

    So MBSA scans for security issues (3 classifications) for more products than Windows Update, but doesn't scan for all classes of updates that Windows and Microsoft update provide (10 classifications).


    Doug Neal - Microsoft Update

    Saturday, July 14, 2012 4:49 PM