For many of you managing a Windows 7 infrastructure today, monthly servicing is primarily about making sure that you are installing the latest security patches on your devices and staying current. To simplify the servicing process (in addition to complexity and cost), we aligned our Windows 7 servicing model—consisting of Monthly Rollups and Security-only updates—to the update model we use with Windows 10. Instead of tracking and installing multiple, individual patches, you only need to install a single, cumulative patch each month to ensure that your systems have the latest updates.
Despite this simplified servicing model, some Windows 7 devices recently experienced issues installing either the August or September 2018 Monthly Rollups or Security-only updates. The intent of this blog is to share why these issues occurred, what we are doing about it, and how this relates to Windows 10 cumulative updates.
To tell this story, we need to travel back to October of 2016, when we released the Windows 7 Service Pack 1 (SP1) servicing stack update (KB 3177467). Servicing stack updates, or SSUs, are periodic updates released to specifically service or update the software stack for Windows platforms. These are fixes to the code that process and manage updates that need separate servicing periodically to improve the reliability of the update process, or address issue(s) that prevent patching some other part of the OS with the monthly latest cumulative update (LCU).Servicing stack updates ensure that you have a robust and reliable servicing stack so that your devices receive and install Microsoft security fixes. That is why, when we released the Windows 7 SP1 servicing stack update (KB 3177467) it was marked “critical.” Because it was not categorized as a security fix; however, many organizations missed the update and decided to install only the default monthly security fixes instead of the full servicing stack update.
Fast forward to August 2018, when the Windows 7 SP1 Monthly Rollup (KB 4343900) was released. Customers who had not installed the critical Windows 7 SP1 servicing stack update (KB 3177467) were unable to install the August 30th Monthly Rollup Preview (KB 4343894), the September 11th Monthly Rollup (KB 4457144), or the September 11th Security-only update (KB 4457145)—and received “error 0x8000FFFF.” Installing the October 2016 Windows 7 SP1 servicing stack update (KB 3177467) first, and then applying the August 30th or September 11th, 2018 updates mitigates this issue.We test our monthly patches on fully patched, up-to-date systems, which is why this issue was not seen in our testing, or by any of our preview partners.
To ensure that you don’t run into issues like this again, the Microsoft Windows Servicing and Delivery team has updated all release notes with guidance to install the latest servicing stack update for your platform before installing the latest cumulative update (LCU).
Going forward
An up-to-date, healthy servicing stack is critical to ensure that monthly security fixes can be efficiently and predictably installed on devices. As noted, when a servicing stack update does not exist, there is a risk that a device cannot be patched and kept secure. This makes a servicing stack update a key part of the security patch payload. However, the Windows 7 update technology, and patch installation chronology requires the servicing stack update to be handled separately from the monthly Security-only updates.
Starting with the October 2018 Update Tuesday, we are going to reissue the Windows 7 Service Pack 1 (SP1) servicing stack update (KB 3177467) and tag it as a security update to unblock any remaining customers from installing the August 2018 or later monthly Security-only updates.
To ensure our customers do not encounter this specific situation again, going forward, if we release a new servicing stack update, it will be marked as “security,” not just “critical,” so that it is included by those customers who are installing only tagged security fixes.
A new appreciation for cumulative updates
In this post, I have addressed only Windows 7 servicing stack updates. That is because we specifically addressed this complexity and exposure in Windows 10 with the cumulative update model. Today, we test each month’s patches against a known configuration of Windows 10 before we ship a release. Each update includes all the previous fixes necessary to bring a device forward to a fully patched and current state, provided it has the latest monthly update installed.
If you have any questions, please reach out to me here on Tech Community or on Twitter @johntwilcox.