!WARNING! monthly rollups do NOT include security updates!!

figured I should let everyone know this is vital

you'd think that by installing monthly rollups you can dispense with the monthly security updates - that's FALSE

I tested this myself, I downloaded the KB4056897 security only update (it's suppose to be the meltdown/specter patch)

next I downloaded and installed all the monthly rollups starting from KB4054518 (the last rollup before KB4056897) to the march one KB4088875
and I installed them one by one
(I know they're suppose to be cumulative but just in case ^^ )


next: I tried to install KB4056897 - and it worked (windows did not show an error message)
windows is always suppose to throw an error if you try to install an update that been superseded by another update which you installed before it says "this update's not applicable" or something but here it said nothing & let me install the fix

in other words none of the monthly rollups include this security update nor (probably) any of the other security updates too

The rollups do include the Security updates too. It's always been designed by MS that you can install rollups over Security-only updates or vice versa.

They're still classed as separate updates so can still be installed. The rollups include the Security-only updates, plus additional fixes and "features" not included in the Security-only updates. So they can be installed over the top of the Security-only updates.

Yes, it does complicate things & can be confusing, but that's the way MS designed it when they changed the servicing model for 7 & 8.1.

Brds7t7 said:

The rollups do include the Security updates too. It's always been designed by MS that you can install rollups over Security-only updates or vice versa.

how that possible

if the rollup includes the security updates then windows is suppose to detect that if I try to install a security update on top of a (more recent) rollup

generally speaking if you try to install an update over a more recent update that includes all the fixes of the first update, then windows detects that & blocks that update (it's called superseding) so it's the same thing with the security updates & monthly rollups no? monthly rollups supersede (include) security updates

No idea - you'd have to ask Microsoft about that. It's been a bit of a confusing mess for a lot of people after they changed the servicing model.

Believe me though, they do include the Security updates.

Brds7t7 said:

Believe me though, they do include the Security updates.

alrite but how do you know? how can we verify? if Windows doesn't say it (by not preventing security update on top of update) then how can you know for sure?

You can run the Microsoft Baseline Security Analyser to check.

Download Microsoft Baseline Security Analyzer 2.3 (for IT Professionals) from Official Microsoft Download Center

Also, MS wouldn't push out updates called Security Monthly Quality Rollups or Security-only Quality updates and then not include Security updates, that just doesn't make sense. Plus they would be leaving users/businesses vulnerable all over the world if that were the case.

More info on the Servicing model changes here:

More on Windows 7 and Windows 8.1 servicing changes Windows for IT Pros

Here's a quote from the article:

"UPDATED 12/5/2016: Starting in December 2016, monthly rollups will not supersede security only updates. The November 2016 monthly rollup will also be updated to not supersede security only updates. Installing the latest monthly rollup will ensure the PC is compliant for all security updates released in the new servicing model."

It is confusing though, I've had some months quality rollups install over Security-only updates one month and then not another and vice versa. I've tested in many VMs going all the way back to 2016. I can't answer why it does it with some and not others though. But, the Security fixes are 100% included in the updates.

Brds7t7 said:

I've had some months quality rollups install over Security-only updates one month and then not another and vice versa. I've tested in many VMs going all the way back to 2016. I can't answer why it does it with some and not others though.

Hello. I am an average desktop PC user. This month after installing the other updates the usual way in Windows Updates, after restarting my PC, a desktop notification said another update was available, KB4088875 (March monthly rollup). I had a lot of trouble that is unresolved trying to get it to install, and even when the installation seemed to go okay and I was prompted to restart the computer, after the computer restarted while the "Preparing to configure Windows Updates" thing was happening where it shows the percentage complete after which your desktop returns, it would stop after 13% every time and the message "Failure configuring Windows Updates. Reverting changes. Don't turn off your computer." would appear, and then the screen with that message would remain there for over two hours before the desktop returned.

Is that anything like what happened when the monthly rollup didn't install for you? If you are knowledgeable about Windows 7 and have time, would you read my post about what happened, answer a few questions I included in the post about attaching logs from the CBS folder or the entire folder and how large the large the CBS folder should be, whether or not my MGADiag report says I have bad software that might be preventing me from getting updates, and if updating Malwarebytes without restarting before the first attempt to install KB4088875 might have caused my problems installing KB4088875. Here is the thread I started about it. Failure Configuring Windows Updates Message While PC is Restarting

If you haven't time or interest, that's okay. Thanks for reading this and for posting the information you did in this thread. Sorry if I shouldn't have asked in this thread about what seemed like it might be related to my thread (but only because I don't know what I'm talking about).

Hi Efdy, I can take a look at that thread tomorrow night sometime as I have some family stuff to do this weekend, so a little short on free time. Although, when it comes to the CBS logs there are users on here who read through that stuff a lot more than I do. Logs usually just make my eyes glaze over.

My VM issues aren't that the updates have failed, but they just won't be applicable for install. I don't install the rollups on any of my main systems, just in VM environments.

Though I have noticed a few users, even some senior ones on here run into issues when trying to install certain monthly rollups. Some of them seem a little temperamental to install. Have you tried some simple solutions like downloading the offline installer, disconnecting the internet and shutting down all AV/Firewall protections, etc before trying to install it? Anything that could be interfering with the install might need to be shut down before attempting the install.

You might want to hold off installing the March rollup anyway as I believe they've been pulled. Some users reported the update had disappeared from Windows Update.

I'll reply on your thread tomorrow evening, so as not to hijack this thread.