Windows 7 servicing stack updates: managing change and appreciating cumulative updates

For many of you managing a Windows 7 infrastructure today, monthly servicing is primarily about making sure that you are installing the latest security patches on your devices and staying current. To simplify the servicing process (and reduce complexity and cost), we aligned our Windows 7 servicing model—consisting of Monthly Rollups and Security-only updates—to the update model we use with Windows 10. Instead of tracking and installing multiple, individual patches, you only need to install a single, cumulative patch each month to ensure that your systems have the latest updates.

Despite this simplified servicing model, some Windows 7 devices recently experienced issues installing either the August or September 2018 Monthly Rollups or Security-only updates. The intent of this blog is to share why these issues occurred, what we are doing about it, and how this relates to Windows 10 cumulative updates.

To tell this story, we need to travel back to October of 2016, when we released the Windows 7 Service Pack 1 (SP1) servicing stack update (KB 3177467). Servicing stack updates, or SSUs, are periodic updates released specifically to service or update the software stack for Windows platforms. They are fixes to the code that processes and manages updates, and they need separate servicing periodically to improve the reliability of the update process or to address issues that prevent patching some other part of the OS with the monthly latest cumulative update (LCU). Servicing stack updates ensure that you have a robust and reliable servicing stack so that your devices receive and install Microsoft security fixes. That is why, when we released the Windows 7 SP1 servicing stack update (KB 3177467), it was marked “critical.” Because it was not categorized as a security fix, however, many organizations missed the update and decided to install only the default monthly security fixes instead of the full servicing stack update.

Fast forward to August 2018, when the Windows 7 SP1 Monthly Rollup (KB 4343900) was released. Customers who had not installed the critical Windows 7 SP1 servicing stack update (KB 3177467) were unable to install the August 30th Monthly Rollup Preview (KB 4343894), the September 11th Monthly Rollup (KB 4457144), or the September 11th Security-only update (KB 4457145)—and received “error 0x8000FFFF.” Installing the October 2016 Windows 7 SP1 servicing stack update (KB 3177467) first, and then applying the August 30th or September 11th, 2018 updates mitigates this issue. We test our monthly patches on fully patched, up-to-date systems, which is why this issue was not seen in our testing, or by any of our preview partners.

To ensure that you don’t run into issues like this again, the Microsoft Windows Servicing and Delivery team has updated all release notes with guidance to install the latest servicing stack update for your platform before installing the latest cumulative update (LCU).
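One way to apply this guidance before a deployment window, as an added example (not Microsoft's code): the script checks whether KB3177467 is present and puts it at the front of the install order when a planned update depends on it. The function name `Get-UpdatePlan` and the placeholder `KB0000001` are assumptions; the other KB numbers are the ones named in this post.

```powershell
# Added example. Written for PowerShell 2.0, the version that ships with Windows 7 SP1.
$SsuKb      = 'KB3177467'                              # October 2016 servicing stack update
$NeedsSsuKb = 'KB4343894', 'KB4457144', 'KB4457145'    # updates this post says fail without it

function Get-UpdatePlan {
    param(
        [string[]]$InstalledKb,   # HotFixID values already on the device
        [string[]]$PlannedKb      # updates queued for this maintenance window
    )
    $hasSsu  = $InstalledKb -contains $SsuKb
    # Planned updates that would fail with error 0x8000FFFF if the SSU is absent.
    $blocked = @($PlannedKb | Where-Object { $NeedsSsuKb -contains $_ })
    $rest    = @($PlannedKb | Where-Object { $_ -ne $SsuKb })

    # Move the SSU to the front when it is missing and the plan needs or includes it.
    $needSsu = (-not $hasSsu) -and ($blocked.Count -gt 0 -or $PlannedKb -contains $SsuKb)
    if ($needSsu) { $order = @($SsuKb) + $rest } else { $order = $PlannedKb }

    New-Object PSObject -Property @{
        SsuInstalled      = $hasSsu
        BlockedWithoutSsu = $blocked
        InstallOrder      = $order
    }
}

# Constructed sample: a device that never received the SSU (KB0000001 is a placeholder).
Get-UpdatePlan -InstalledKb 'KB0000001' -PlannedKb 'KB4457144'

# Live check on the local machine; Get-HotFix reads Win32_QuickFixEngineering.
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
Get-UpdatePlan -InstalledKb $installed -PlannedKb 'KB4457144', 'KB4457145'
```

For the constructed sample, `SsuInstalled` is `False` and `InstallOrder` lists KB3177467 ahead of KB4457144.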

Going forward

An up-to-date, healthy servicing stack is critical to ensure that monthly security fixes can be efficiently and predictably installed on devices. As noted, when a servicing stack update is not present on a device, there is a risk that the device cannot be patched and kept secure. This makes a servicing stack update a key part of the security patch payload. However, the Windows 7 update technology and patch installation chronology require the servicing stack update to be handled separately from the monthly Security-only updates.

Starting with the October 2018 Update Tuesday, we are going to reissue the Windows 7 Service Pack 1 (SP1) servicing stack update (KB 3177467) and tag it as a security update to unblock any remaining customers from installing the August 2018 or later monthly Security-only updates.

To ensure our customers do not encounter this specific situation again, going forward, if we release a new servicing stack update, it will be marked as “security,” not just “critical,” so that it is included by those customers who are installing only tagged security fixes.

A new appreciation for cumulative updates

In this post, I have addressed only Windows 7 servicing stack updates. That is because we specifically addressed this complexity and exposure in Windows 10 with the cumulative update model. Today, we test each month’s patches against a known configuration of Windows 10 before we ship a release. Each update includes all the previous fixes necessary to bring a device forward to a fully patched and current state, provided it has the latest monthly update installed.

If you have any questions, please reach out to me here on Tech Community or on Twitter @johntwilcox.

11 Comments
Regular Visitor

Hi John,

Thanks for the update. I would like to say that, overall, the new cumulative update system for Windows 7 has made it easier for our organisation to keep our machines up to date, so good work on using this strategy.

Jay

Super Contributor

Maybe new CU updates are better for bringing a new installation up to date, but in general they take longer to install (I'm seeing this as Windows 2008 servers updating twice as fast by pulling 8-10 separate updates, than Windows 2008 R2/2012 updating with just a few CU updates). When all PCs in the network are patched and up to date, installing CU updates means longer downtime. I'm looking forward to what Express updates will bring to the table (as described in another blog post).

As for this issue. We have been installing critical updates along with security for 15+ years. I guess it was worth it :) They are called critical for a reason. Although, I would vote to get rid of one category and just move all important updates to security, so it would be easier to triage new updates every month (in WSUS one has to make a combined view or go twice through every category).

Occasional Visitor

Sources are exactly the same as in 2016 "Update for Windows Server 2008 R2 x64 Edition (KB3177467)". Could you please explain why this is needed now *again* although the 2016-10 version is present (on server 6.1)? I understand the "security" tagging but we never missed any SSU. Thank you. 

Occasional Visitor

With the introduction of the monthly rollup updates it was also announced that "Over time, Windows will also proactively add patches to the Monthly Rollup that have been released in the past. Our goal is eventually to include all of the patches we have shipped in the past since the last baseline, so that the Monthly Rollup becomes fully cumulative and you need only to install the latest single rollup to be up to date." (Further simplifying servicing models for Windows 7 and Windows 8.1).

Are there still plans to merge all old updates in the monthly rollup? It would have prevented exactly this issue.

Regular Visitor

Can the Servicing Stack update be uninstalled?

Visitor

Sorry to say that, but your detailed explanation has a great form, but regarding the substance... it makes little sense to me.

I have Win7 Professional and just installed 4 updates:

KB4459922 - 2018-10 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 7 and Server 2008 R2 for x64
KB890830  - Windows Malicious Software Removal Tool x64 - October 2018
KB2310138 - Definition Update for Microsoft Security Essentials (Definition 1.277.868.0)
KB4462923 - 2018-10 Security Monthly Quality Rollup for Windows 7 for x64-based Systems

Immediately after this update finished another one popped up with sole KB3177467 - "2018-10 Update for Windows 7 for x64-based Systems". After I did read its details and your explanation, I found KB3177467 clearly installed on 2016-10-17, which name then was just "Update for Windows 7 for x64-based Systems".

So...
What's the reason for repeating this 2-years-old KB?
Why is it triggered by some of these recent 4?
And what about your charge: "however, many organizations missed the update and decided to install only the default monthly security fixes instead of the full servicing stack update."? HUH?

...and BTW, I don't remark experiencing any update process performance improvement back then - it was just transparent, not like those dozen Win-10-related KBs which enabled additional telemetry (over and over again), installed locked tasks and stunning advertising (like stunning that it's even considered), which crumbled my PC and required me to track them down, uninstall and deliberately prevent further installation, because they were constantly re-proposed, even when hidden.

My point is: if you need to inform us about something, just go directly to the substance, then usually 3-10 sentences will make the trick and you'll have hard time producing something that has no ties to reality. On the other hand, if you want to veil something, then at least partly pay attention to the substance.

Frequent Visitor

Hello John,

Thank you for the information. Just to confirm, this SSU update must be installed first, meaning separately, before other patches? We use SCCM to deploy security patches, and I am currently preparing this month's patching when I read about installing 3177467 before installing October 2018 updates.

Thank you,

Occasional Visitor

One issue here. KB3177467 is marked as 'exclusive' which means that once it's been integrated offline into a Windows image using "dism /image:WindowsMount /add-package", no other packages can be added. This means that it's now not possible to build an image with all security updates integrated. KB3177467 will need to be integrated and the recent security packages will need to be installed online, slowing down and complicating the installation process.

Occasional Visitor
Removing the choice for people to pick and choose what updates they want and trying to defraud people claiming it's a security upgrade "because we think you're too stupid to install updates yourself"? Come off it, we all know this is a result of so many people choosing to disable Windows 10 telemetrics spyware "upgrades" trying to be forced onto people using Windows 7...
Occasional Visitor

The "security" update KB3177467 blocks all Java-based programs in IE 11. Since this "security" update cannot be uninstalled, are there other settings that would override such blocks and enable Java programs to run in IE 11? I tried every possible ActiveX control setting to no avail. I am migrating away from Java but will not finish for another few months. I am stuck! Thanks.

Occasional Visitor

@Herbert Beyenbach, the SSU won't do anything to IE settings. Can you please go into more details as to what exactly doesn't work, and how to repro? And this is specifically win7sp1 (not server), with the latest LCU and SSU, correct?