Our existing SharePoint admins left for another company and two persons who were doing desktop support are filling in for them so they are new at installing patches. I know it is odd, but that is a situation caused due to budget shortfall.

They could not install the patch to address CVE-2020-1147 and message in log was "Installation Failure: Windows failed to install the following update with error 0x80070661: Security Update for Windows (KB4565579)"

I saw the information at https://support.microsoft.com/en-us/help/4565579/kb4565579

They told me the server has March 12, 2019 servicing stack update (SSU) (KB4490628), latest SHA-2 update (KB4474419). They don't know if the servers have Extended Security Updates (ESU) Licensing Preparation Package (KB4538483)
and are checking on it.

1. If the servers don't have Extended Security Updates (KB4538483) is there a way to install this security update? We may not have the budget to buy it this year because of low revenue stemming from the pandemic

2. If the servers absolutely need Extended Security Updates (KB4538483) can that be purchased for 4 servers?

3. What else needs to be checked to ensure there is no other factor causing the security updates to fail?

P.S. I posted this at https://social.technet.microsoft.com/Forums/sharepoint/en-US/e866ba33-bce9-4f07-9044-f018080f6b90/fa... but did not know if that was the right forum or not.