Different Windows Updates on identical servers?

I have Server1 that shows today (2/26/2018) an update needed: 2017-12 Security Monthly Quality Rollup for Windows Server 2012 R2 (KB4054519)

I also have Server2 that shows today an update needed: 2018-02 Security Monthly Quality Rollup for Windows Server 2012 R2 (KB4074594)

Both servers had the same previous rollup installed: 2017-10 KB4041693

Why is this? Shouldn't both be at 2018-02, since it, I thought, includes the fixes from 2017-12?

Am I safe to just download the standalone for 2018-02 and install on both servers?
Tim Phillips (Windows Systems Administrator) asked:
John (Business Consultant, Owner) commented:
Do they have different BIOS levels? That is about the only reason I could think of that different updates would apply.
0
Cliff Galiher commented:
Let Windows Update do its thing. Even on "identical" servers, small variances in firmware and such can cause WU to decide to withhold an update. Especially with the Spectre and Meltdown patch situation, I'd be inclined to run updates, then rescan. Don't force an update.
0
Tim Phillips (Windows Systems Administrator, Author) commented:
Both are VMs on the same host. It is just super odd that they would both have the same previous patch level but require different new rollup patch levels.
0

John (Business Consultant, Owner) commented:
Always let any machine do its own updates. As Cliff said, do not force.
0
Tim Phillips (Windows Systems Administrator, Author) commented:
The problem is that we have a sandbox that has a replica of the Prod servers. In one instance I have an "identical" VM in the sandbox to use to QA the updates, but that VM is asking for a more current patch than the one the Prod VM is asking for. For auditing purposes I need to QA each patch...

That being said, I used one of our sandbox-of-the-sandbox VMs that had the same patch listed as Prod. I manually installed the current patch instead of the one in Windows Update and it worked just fine. The old patch doesn't show in Windows Update anymore.

Part of me is thinking of going the opposite route. Maybe I should manually download the older patch that Prod is asking for and use that on the normal sandbox (even though it is requesting the newer patch). That would be less "risky" for Prod, since I'd be forcing a different update on the sandbox instead of Prod. Does that sound better?
0
Cliff Galiher commented:
Yes. That is definitely better.
0
Brandon Lyon (Senior Frontend Developer) commented:
For the future, if it's a big enough issue and they're supposed to be identical, then you might want to look into running your own Windows Update server. Personally I would be inclined to search for a long-term solution like that to keep them synchronized.
0
McKnife commented:
Be aware that for patches to be detected, the registry key that assures AV software compatibility needs to exist. That might be an explanation.
The key is
--
"HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"
--
You will run into the same problem again if the key is not set.
Please note that compatible AV software would set the key automatically. Check its presence. If it is not present, either the AV software is incompatible or not up to date, OR no AV is installed.
0
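The check McKnife describes, as an added example that is not part of the original thread: it reads the QualityCompat value on each server and lists which of the rollups named in the question are installed, so the two "identical" VMs can be compared side by side. It assumes PowerShell remoting is enabled on the targets and that the account running it has local administrator rights there; the server names are placeholders.

```powershell
# Added example (not from the original thread). Assumes PowerShell remoting is
# enabled on the target servers and that the caller is a local admin there.
# 'Server1' and 'Server2' are placeholders for the real hostnames.
$servers = @('Server1', 'Server2')

# Value that compatible AV products set; without it, Windows Update withholds
# the January 2018 and later Monthly Rollups.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

# Rollups mentioned in the thread, used to compare patch state across servers.
$rollups = @('KB4041693', 'KB4054519', 'KB4074594')

$results = Invoke-Command -ComputerName $servers -ScriptBlock {
    param($keyPath, $valueName, $rollups)

    # Read the compatibility value; a missing key or value yields $null.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    $keyPresent = $null -ne $item
    $keyData    = if ($keyPresent) { $item.$valueName } else { $null }

    # Get-HotFix reports installed KBs from Win32_QuickFixEngineering.
    $installed = Get-HotFix |
        Where-Object { $rollups -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        QualityCompatKey  = $keyPresent
        QualityCompatData = $keyData
        RollupsInstalled  = ($installed -join ', ')
    }
} -ArgumentList $keyPath, $valueName, $rollups

$results | Format-Table -AutoSize

# Flag servers that Windows Update will not offer current rollups to.
$results | Where-Object { -not $_.QualityCompatKey } | ForEach-Object {
    Write-Warning ("{0}: QualityCompat value missing; confirm AV is installed, " +
                   "compatible and up to date before setting the value by hand.") -f $_.Computer
}
```

Run it from a management host against both the Prod VM and its sandbox replica: a server where the value is absent will keep being offered the older rollup, which matches the symptom in the question. Setting the value manually makes WU offer the newer rollups, but it also asserts the AV product is compatible, so verify that with the vendor first rather than just creating the key.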
Tim Phillips (Windows Systems Administrator, Author) commented:
Appeared to be the safest approach.  Even though I was able to successfully install the latest version of the patch in Dev, I'd rather flow more naturally in Prod.
0
McKnife commented:
Tim, did you check the registry key's presence?
0