[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More


Security-Only or Monthly-Rollup: That is the update question.

Published on
7,730 Points
Last Modified:
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
On May, 27 2016; Nathan Mercer announced new changes on the modus operandi for publishing updates. 
The purpose of the changes introduced:
  1. to reduce the number of updates needed on a fresh installation.
  2. to reduce the variability on the set of updates installed on each computer that can be the cause of sync and dependency errors.
  3. to reduce the complexity of testing each update.
  4. to reduce the time needed by the Windows Update client to scan for needed updates.
  5. to reduce the complexity of finding and applying the right patches.
Read more here.

A few months later, on August 15, there was another announcement from the same author that established the actual details for the new Microsoft Update's philosophy:
  1. From October 2016 onwards, Windows will release a single Monthly Rollup on the second Tuesday of current month that addresses both security issues and reliability issues in a single update. (This is a cumulative update) Each month’s rollup will supersede the previous month’s rollup, so there will always be only one update required for your Windows PCs to get current.
  2. Also from October 2016 onwards, Windows will release a single Security-only update on the same second Tuesday. This update collects all of the security patches for that month into a single update. (This is a non-cumulative update). The security-only update will allow enterprises to download as small of an update as possible while still maintaining more secure devices.
The products that will follow these rules are:
  • Windows 7 SP1
  • Windows 8.1
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Net Framework (All versions)
  • Internet Explorer 11
  • Internet Explorer 10
So, these are the basic rules of the game so far, until Microsoft decides to change them again.

Recommendations for WSUS Administrators:

Following in the tracks on Microsoft's Blog I have found a few recommendations for WSUS administrators that I will describe next.

1. Avoid approving Security-Only updates AND Monthly-Rollup updates on the same WSUS server for the same product.

Although the updates, present on the Security-Only package, are included in the Monthly-Rollup package, both are treated independently by WSUS. This means that if any computer needs the Security-Only update then it needs the Monthly-Rollup update too. To avoid this incongruity you need to take a decision:
  • You can decline Security-Only updates and approve Monthly-Rollup updates. This way you avoid to download and install twice the same update files.This is the Microsoft's recommended way to do it.
  • You can decline Monthly-Rollup updates and approve Security-Only updates. This is not recommended by anyone, but there may be a very specific environment where you need strictly only security updates maintaining low bandwidth and resource consumption.
If you have a set of devices that need only those security updates but nothing else, and you have another set of devices with normal update needs, then it is better to install a separated WSUS server for each set of devices, that way you avoid approving Monthly-Rollup and Security-Only updates on the same server. If you go and approve both types of updates on the same server, all devices will report that they need both updates, but you already know that it is a redundant overload that must be avoided to succeed.

2. Enable support for Express Installation Files on your WSUS options when using Monthly-Rollup updates.

You can enable support for “express installation files” to ensure that client PCs only download the pieces of a particular monthly rollup that they haven’t already installed, to minimize the network impact on the clients side.

UpdateFilesOptions.pngI must say that using Express Installation files will increase the internet bandwidth and local storage consumption, so be ready for that. Take the following Microsoft image as an example:

And that is all for today.

Thanks for reading and good luck to everyone.


Featured Post

IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

Join & Write a Comment

This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month