From there, the details get messy. Mercer acknowledges the following:
- .Net will be updated separately, with a combined security/nonsecurity .Net Framework Monthly Rollup, and a security-only update for the Update Catalog and WSUS.
- IE11 “will be serviced in both monthly rollup and security-only update,” but it isn’t clear whether IE11 patches will be included in the new Security Update and/or Monthly Rollup. We’ve already seen situations where nonsecurity IE updates have been included in IE security updates. The distinction could become crucial in the future.
- For those who aren’t on IE11, Microsoft won’t force you to move to IE11, but “we plan to eventually include patches for whichever version of IE you currently have installed in the Monthly rollup, similar to the .Net rollup.”
- Thankfully, driver updates aren’t included in either the Security-only Update or the Monthly Rollup.
- Out-of-band security patches will be posted as soon as they’re available, then be incorporated into the subsequent Security-only Update and Monthly Rollup.
- There will be no changes to the current patching method for Vista or Server 2008.
Mercer also offers a description of a Third Tuesday “preview” of the nonsecurity part of the Monthly Rollup. We’ll have to see how that works out.
The immediate impact
The most important note for most Windows Update users: You don’t have to change anything. The Automatic Update settings (that is, Automatically download and install, Download but let me choose when to install, Notify but don’t download, or Never check) work as they always have. The “Give me recommended updates the same way I receive important updates” check box works as it has before -- if Microsoft tags an update as “Recommended” and this box is checked, the update appears checked (ready to install) in the Windows Update list. If that box is unchecked, the update appears as unchecked in the Optional category.
Microsoft’s been working on the mechanics of the patching process for the past few months. You might not have noticed, but Microsoft already has support pages with the details for Win7 and for Win8.1.
Win7 and 8.1 patching has already started morphing. So far we’ve seen three Windows 7 nonsecurity update rollups -- KB 3172605 in July, KB 3179573 in August, and KB 3185278 in September -- that first appeared as Optional/unchecked patches, then were later updated to Recommended patches. As I explained a couple of weeks ago: “the general pattern is to have a cumulative update (er, patch rollup) released as Optional, wait a month to see if anything explodes, and if not, then change it to Recommended the next month.”
If you tell your machine “Give me recommended updates the same way I receive important updates,” the nonsecurity patch rollup won’t be installed during the first Patch Tuesday, but will be installed during the following month. That’s clever, and it looks like it’ll work. The only ones who will get stung by bad nonsecurity patches are the ones who go out of their way to check and approve unchecked Optional nonsecurity patches.
Sign up for CIO Asia eNewsletters.