Why would Microsoft put an updated/patched file into an old KB instead of pushing out a new KB? KB4512508

  • Question

  • My job, among other things, is making sure critical and exploitable vulnerabilities are patched as fast as possible on our assets.  One of our vulnerability scanners just dinged me on devices to update KB4512508, which it dinged me about last month.  After looking into it, the original patch updated %systemroot%\system32\ntoskrnl.exe from version 10.0.18362.30 to 10.0.18362.295.  Now the same KB is updating the ntoskrnl.exe file to version 10.0.18362.418.  Are KBs turning into UWP apps?

    Can someone please explain why this isn't being pushed out with a different KB number?  Wouldn't a system that already has KB4512508 installed potentially ignore this update thinking it is already patched?

    Wednesday, October 16, 2019 3:58 PM

Answers

  • Hello,

    There can be multiple reasons, for example, but not limited to, either of these two.

    The KB may be causing serious issues with a certain class of machines, so they fix the issue in this KB so as not to cause any more issues for those machines.

    The KB may not completely fix one of the security vulnerabilities that it is supposed to, leaving customers exposed when they think they are in compliance.

    Generating a new KB number would mean waiting until the next monthly release schedule; depending on the timing, this could be out one to two months from the time the issue is discovered and is available.

    Ignoring this is dependent on the metadata in the file, as to whether this is superseding or not the KB that is already installed.  The installer would see the metadata and determine whether the update


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    • Marked as answer by oooREo_oREeeO Wednesday, October 16, 2019 8:07 PM
    Wednesday, October 16, 2019 5:56 PM
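
Because the KB number alone no longer identifies which ntoskrnl.exe a machine has, a compliance check can compare the file version itself. The script below is an added example, not part of the original thread or any Microsoft tooling; the function names are hypothetical, and the thresholds are the versions quoted in the question.

```powershell
# Added example, not from the thread. Thresholds are the ntoskrnl.exe versions
# quoted in the question; they only apply to Windows build 10.0.18362.
$KbId        = 'KB4512508'
$FirstKbRev  = [version]'10.0.18362.295'  # version the question saw after the first install
$LatestKbRev = [version]'10.0.18362.418'  # version the question says the KB now delivers

function Get-KernelPatchState {
    param([Parameter(Mandatory)][version]$FileVersion)
    # A different Major.Minor.Build is another Windows release: thresholds do not apply.
    if ($FileVersion.Major -ne 10 -or $FileVersion.Minor -ne 0 -or $FileVersion.Build -ne 18362) {
        return 'NotApplicable'
    }
    if ($FileVersion -ge $LatestKbRev) { return 'Current' }
    if ($FileVersion -ge $FirstKbRev)  { return 'FirstRevisionOnly' }
    return 'Unpatched'
}

function Get-KernelFileVersion {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'))
    # Build the version from the numeric fields; the FileVersion string can carry
    # extra text (such as a branch name) and does not always cast to [version].
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

$kernel = Get-KernelFileVersion
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

# KbListed = True together with State = FirstRevisionOnly is the case the
# question describes: the KB is recorded as installed, but the file is older.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    KbListed      = [bool]$hotfix
    KernelVersion = $kernel.ToString()
    State         = Get-KernelPatchState -FileVersion $kernel
}
```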

All replies

  • Awesome.  Great explanation.  Thank you for the knowledge.
    Wednesday, October 16, 2019 8:06 PM
  • Hi,
    Please feel free to let us know if you need further assistance.
    Best Regards,
    Charlotte Tang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 21, 2019 9:02 AM