Critics immediately laid into Microsoft over Windows 10 updates, lambasting not only the consolidated and cumulative nature of the patches but also the move to vague and generic descriptions of the underlying vulnerabilities and what the fixes addressed. They expanded their critiques to Windows 7 and Windows 8.1 when in October Microsoft adopted the same update methodology for those older OSes.
"Bulletins cannot be used to report compliance in the enterprise," said Goettl, because they are inconsistent with all-or-nothing updates. The disparity -- bulletins described individual updates, while the updates themselves contained multiple patches that could not be separated -- made the bulletins useless.
But the informational content of the bulletins will remain valuable, Goettl argued, even if updates are packaged differently than before. Microsoft agreed: In a FAQ about the database, the company said, "By February, information provided in the new Security Updates Guide will be on par with the set of details available in traditional security bulletin webpages."
The Security Updates Guide's preview has not met that mark; some information found in the January Patch Tuesday bulletins, for example, was missing from the appropriate entries in the online database.
"There will be a lot of people who will be very put out if [Microsoft] neglects [things like] what's being exploited," said Goettl of the support document replacements. "The key indicators are still very important."
Goettl was willing to give Microsoft the benefit of the doubt for now, but was adamant that the Redmond, Wash. company had to make good on its vow to retain the bulletins' content. "By February, Microsoft is going to have to prove to us that this is a good thing for us," he said.