Windows 7 servicing stack updates: manage change & cumulative updates

[Brink]

Windows 7 servicing stack updates: manage change & cumulative updates

For many of you managing a Windows 7 infrastructure today, monthly servicing is primarily about making sure that you are installing the latest security patches on your devices and staying current. To simplify the servicing process (in addition to complexity and cost), we aligned our Windows 7 servicing model—consisting of Monthly Rollups and Security-only updates—to the update model we use with Windows 10. Instead of tracking and installing multiple, individual patches, you only need to install a single, cumulative patch each month to ensure that your systems have the latest updates.

Despite this simplified servicing model, some Windows 7 devices recently experienced issues installing either the August or September 2018 Monthly Rollups or Security-only updates. The intent of this blog is to share why these issues occurred, what we are doing about it, and how this relates to Windows 10 cumulative updates.

To tell this story, we need to travel back to October of 2016, when we released the Windows 7 Service Pack 1 (SP1) servicing stack update (KB 3177467). Servicing stack updates, or SSUs, are periodic updates released to specifically service or update the software stack for Windows platforms. These are fixes to the code that process and manage updates that need separate servicing periodically to improve the reliability of the update process, or address issue(s) that prevent patching some other part of the OS with the monthly latest cumulative update (LCU).

Servicing stack updates ensure that you have a robust and reliable servicing stack so that your devices receive and install Microsoft security fixes. That is why, when we released the Windows 7 SP1 servicing stack update (KB 3177467) it was marked “critical.” Because it was not categorized as a security fix; however, many organizations missed the update and decided to install only the default monthly security fixes instead of the full servicing stack update.

Fast forward to August 2018, when the Windows 7 SP1 Monthly Rollup (KB 4343900) was released. Customers who had not installed the critical Windows 7 SP1 servicing stack update (KB 3177467) were unable to install the August 30th Monthly Rollup Preview (KB 4343894), the September 11th Monthly Rollup (KB 4457144), or the September 11th Security-only update (KB 4457145)—and received “error 0x8000FFFF.” Installing the October 2016 Windows 7 SP1 servicing stack update (KB 3177467) first, and then applying the August 30th or September 11th, 2018 updates mitigates this issue.

We test our monthly patches on fully patched, up-to-date systems, which is why this issue was not seen in our testing, or by any of our preview partners.

To ensure that you don’t run into issues like this again, the Microsoft Windows Servicing and Delivery team has updated all release notes with guidance to install the latest servicing stack update for your platform before installing the latest cumulative update (LCU).

Going forward

An up-to-date, healthy servicing stack is critical to ensure that monthly security fixes can be efficiently and predictably installed on devices. As noted, when a servicing stack update does not exist, there is a risk that a device cannot be patched and kept secure. This makes a servicing stack update a key part of the security patch payload. However, the Windows 7 update technology, and patch installation chronology requires the servicing stack update to be handled separately from the monthly Security-only updates.

Starting with the October 2018 Update Tuesday, we are going to reissue the Windows 7 Service Pack 1 (SP1) servicing stack update (KB 3177467) and tag it as a security update to unblock any remaining customers from installing the August 2018 or later monthly Security-only updates.

To ensure our customers do not encounter this specific situation again, going forward, if we release a new servicing stack update, it will be marked as “security,” not just “critical,” so that it is included by those customers who are installing only tagged security fixes.

A new appreciation for cumulative updates

In this post, I have addressed only Windows 7 servicing stack updates. That is because we specifically addressed this complexity and exposure in Windows 10 with the cumulative update model. Today, we test each month’s patches against a known configuration of Windows 10 before we ship a release. Each update includes all the previous fixes necessary to bring a device forward to a fully patched and current state, provided it has the latest monthly update installed.

If you have any questions, please reach out to me here on Tech Community or on Twitter @johntwilcox.

Source: Windows 7 servicing stack updates: managing change and appreciating cumulative updates - Microsoft Tech Community - 260434

 

[Paul Black]

Good evening Brink,

Could you clarify something for me please?
Can you have a look at my post #6 here: Win 7 sp1 installation issue

There is an opinion that although the KB3020369 [Servicing Stack Update - April 2015] update has been superseded/replaced by the KB3177467 [Servicing Stack Update - Oct 2016] update, that it should be used instead of KB3020369!
It appears that this is only the case if you are not installing KB3125574 [The Convenience Rollup Package - May 2016]. If you are installing KB3125574 then you must install the KB3020369 first.

My question is, after a clean install, if you were to use the update method used in my post, which many people have done and are still doing apparently, do you now use KB3177467 [Servicing Stack Update - Oct 2016] instead of KB3020369 [Servicing Stack Update - April 2015]. Previously, if you were going to install KB3125574 [The Convenience Rollup Package - May 2016], you had to install KB3020369 first. If you were not going to install KB3125574 then you would use KB3177467.

I know that there are other options available now to accomplish this, but I am just curious.

Thanks in advance.

 

[ThrashZone]

Hi,
Another attempt to sneak in kb2952664 is all
They got it in on x99 dag nab-it lol my bad forgot all about it

Caught it on x299 though
Restoring system image shortly on x99 how dare MS keep doing that one :mad2:

 

[Brink]

Good evening Brink,

Could you clarify something for me please?
Can you have a look at my post #6 here: Win 7 sp1 installation issue



My question is, after a clean install, if you were to use the update method used in my post, which many people have done and are still doing apparently, do you now use KB3177467 [Servicing Stack Update - Oct 2016] instead of KB3020369 [Servicing Stack Update - April 2015]. Previously, if you were going to install KB3125574 [The Convenience Rollup Package - May 2016], you had to install KB3020369 first. If you were not going to install KB3125574 then you would use KB3177467.

I know that there are other options available now to accomplish this, but I am just curious.

Thanks in advance.

Personally, I just install whatever available updates there are in Windows Update.

Of course having a good base system image to use with all the updates is better.

 

[Paul Black]

Hi Brink, thanks for the reply, it is appreciated,

The main reason that people go down that route is obviously to cut down on the amount of updates to install. I was just curious.

Thanks again.

 

[Ranger4]

I also install all the Windows Updates as they come to hand & I have never had a problem with them. So Brink you are not alone.

 

[Brds7t7]

My question is, after a clean install, if you were to use the update method used in my post, which many people have done and are still doing apparently, do you now use KB3177467 [Servicing Stack Update - Oct 2016] instead of KB3020369 [Servicing Stack Update - April 2015]. Previously, if you were going to install KB3125574 [The Convenience Rollup Package - May 2016], you had to install KB3020369 first. If you were not going to install KB3125574 then you would use KB3177467.

I know that there are other options available now to accomplish this, but I am just curious.

Thanks in advance.

I haven't used the Convenience rollup on any installs, but I was always under the impression that newer servicing stacks should supersede the older ones, so I don't see why the Convenience rollup shouldn't work with KB3177467 installed previously.

 

[Brds7t7]

I've just set up a quick VM and installed both the newer Servicing Stack and Convenience Rollup without issue. So, it will install fine with the later SS installed. Whether it causes other issues though, I'm not sure. These are MS updates we're talking about!

 

[lehnerus2000]

Hi,
Another attempt to sneak in kb2952664 is all
They got it in on x99 dag nab-it lol my bad forgot all about it

Caught it on x299 though
Restoring system image shortly on x99 how dare MS keep doing that one :mad2:

I've just read that MS will be including the Telemetry "upgrades" in future cumulative updates for W7.

 

[erpster4]

Hi Brink, thanks for the reply, it is appreciated,

The main reason that people go down that route is obviously to cut down on the amount of updates to install. I was just curious.

Thanks again.

the KB3177467 update does supersede / replace the KB3020369 update as Windows Update no longer offers KB3020369. Microsoft has officially said so.

KB3177467


direct quote by Microsoft from that link:

Update replacement information

This update replaces the previously released update 3020369.

and yes, KB3177467 can be installed first before installing the KB3122574 convenience rollup as I have done this many times without problems