Yes, the LCU (latest cumulative update) is still cumulative and contains both security and non-security updates. There are no changes in the update payload within the cumulative update. The only change was to how it is stored.
I'll try my best to explain how the new system works. In my explanation I'll refer to 3 update types - Full Update, Express Update, and now the new Smaller Update. Each of these update types is just a different format, but the end result on your system would be the same thing - a fully cumulative update that gives you all the security and non-security patches for the Windows OS in one package.
Full Update - Contains a compressed version (similar to ZIP style compression) of every component and binary that has changed in the OS since RTM.
Express Update - The server contains compressed deltas from multiple baselines for every component and binary that has changed since RTM. Your machine chats back and forth with the server (the server could be Windows Update itself, or it could be a local WSUS server) to identify which byte ranges it needs and then downloads those ranges. Your device then hydrates those byte ranges back into complete files on your device and then does an installation. By multiple baselines, I mean that it includes deltas from specific points in time. Generally we use last month's LCU (N), the month before (N-1), all the way back N-5 months, and RTM. So the server express file could be 6-7GB while the end device only downloads 150-200MB.
Small Update - The package contains the compressed delta from RTM for each file (Forward Delta), and the delta back to RTM (Reverse Delta). Essentially this means instead of containing multiple baselines, it only has 1 baseline (RTM). As an example, if your device were on the September LCU and then you installed October, your machine would apply the September reverse delta to go back to RTM and then the October forward delta to go to October (10B). It does this in a transaction so there is no possibility of your device being stuck in the middle somewhere - either the full update succeeds or does not. Since all the content is in the package itself, no server negotiation is needed. Because it only has a single baseline (from RTM) it will sometimes be larger than an express update for someone that was on the previous month's patch. But the size difference should be minimal, and without the server negotiation and on-device analysis it uses less CPU during download and install.
What is really great about the new smaller package format is that the same file is available from Windows Update, WSUS, and Catalog. So even if you download from HTTPS (Catalog) and double click to install you get the smaller experience, unlike express, which only worked via Windows Update or WSUS (or 3rd party solutions that support the express protocol).
To make this change, there were modifications needed in both the package format itself, and in the update stack on the client. Making those types of changes to older versions of the OS would be risky (the update stack is absolutely critical). With a new version of the OS we have many months of both internal testing as well as Windows Insider previews that we can use to validate the changes at scale and reduce risk.
Mike
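
The reverse-then-forward sequence described for the Small Update above, as an added Python sketch (not part of the original post and not Microsoft's code or package format). The copy/data delta encoding, the SHA-256 check used to decide whether to commit, the file names and the sample contents are all assumptions made for illustration, and both packages are assumed to cover the same files.

```python
import hashlib
from difflib import SequenceMatcher

def make_delta(src: bytes, dst: bytes) -> list:
    """Toy delta (assumed encoding): copy a range of src, or emit literal bytes."""
    ops = []
    matcher = SequenceMatcher(None, src, dst, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            ops.append(("copy", i1, i2))
        elif j2 > j1:                       # replace/insert carry new bytes
            ops.append(("data", dst[j1:j2]))
    return ops

def apply_delta(src: bytes, ops: list) -> bytes:
    return b"".join(src[o[1]:o[2]] if o[0] == "copy" else o[1] for o in ops)

def build_package(rtm: dict, new: dict) -> dict:
    """Per file: forward delta (RTM -> new), reverse delta (new -> RTM), target hash."""
    return {name: {"forward": make_delta(rtm[name], new[name]),
                   "reverse": make_delta(new[name], rtm[name]),
                   "sha256": hashlib.sha256(new[name]).hexdigest()}
            for name in new}

def install(current: dict, installed_pkg: dict, new_pkg: dict) -> dict:
    """Reverse to RTM with the installed package, then forward with the new one.
    Every file is staged first; any mismatch raises and `current` is untouched."""
    staged = {}
    for name, entry in new_pkg.items():
        rtm = apply_delta(current[name], installed_pkg[name]["reverse"])
        candidate = apply_delta(rtm, entry["forward"])
        if hashlib.sha256(candidate).hexdigest() != entry["sha256"]:
            raise ValueError(f"{name}: hash mismatch, nothing committed")
        staged[name] = candidate
    return {**current, **staged}            # commit only after every file passed

# Constructed sample file contents for three points in time.
RTM = {"kernel.dll": b"AAAA-rtm-code-BBBB", "shell.dll": b"shell v1"}
SEP = {"kernel.dll": b"AAAA-sep-fix-code-BBBB", "shell.dll": b"shell v1 sep"}
OCT = {"kernel.dll": b"AAAA-oct-fix-code-BBBB-new", "shell.dll": b"shell v2 oct"}

if __name__ == "__main__":
    sep_pkg, oct_pkg = build_package(RTM, SEP), build_package(RTM, OCT)
    print(install(SEP, sep_pkg, oct_pkg) == OCT)
```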