Microsoft's decision to force Windows 10's patch and maintenance model on customers running the older-but-more-popular Windows 7 has patch experts nervous.
"Bottom line, everyone is holding their breath, hoping for the best, expecting the worst," said Susan Bradley in an email. Bradley is well known in Windows circles for her expertise on Microsoft's patching processes: She writes on the topic for the Windows Secrets newsletter and moderates the PatchManagement.org mailing list, where business IT administrators discuss update tradecraft.
Bradley's anxiety stems from Microsoft's announcement last month that beginning in October it will offer only cumulative security updates for Windows 7 and 8.1, ending the decades-old practice of letting customers choose which patches they apply.
"Individual patches will no longer be available," Nathan Mercer, a senior product marketing manager, said in an Aug. 15 post to a Microsoft blog.
Instead, Microsoft will transplant the Windows 10 maintenance model onto Windows 7 and 8.1: They will receive updates that cannot be broken into their parts.
"They're all concerned," chimed in Chris Goettl, program product manager for patch management vendor Shavlik, referring to customers he has talked to. "This will be extremely painful for some."
While many consumers and small businesses -- those that rely on the Windows Update service to patch their Windows 7 and 8.1 PCs -- may not notice the change, that won't be true for businesses that test updates before deploying them en masse. Because IT administrators will no longer be able to apply patches selectively, they will have no straightforward way to tell which individual fix inside a rollup broke their devices, applications or workflow, and no way to hold back just that one fix.
Goettl had explained the problem in an August post to the Shavlik blog.
"The biggest challenge with the cumulative roll-ups is that any breaking change in the environment means you need to choose between the cumulative bundle -- which may include many security fixes -- or breaking a business critical application if the two conflict," Goettl said. "On pre-Windows 10 systems a single patch conflicting would mean making an exception for one patch instead of the entire month's patch bundle."
The one-patch exception Goettl described will no longer be possible once Microsoft begins serving the bundled updates on Oct. 11, the next Patch Tuesday.
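The one-patch exception works as follows in practice on a Windows 7 or 8.1 machine. This PowerShell script is an added example written for this page, not code from the article or from Microsoft or Shavlik: it lists the hotfixes installed since a given date (the Patch Tuesday before something broke) and then removes a single one by KB number, leaving the rest of the month's fixes in place. The date and the KB number are placeholders for illustration; wusa.exe's /uninstall /kb: switches and exit codes 0 and 3010 are real, the rest of the exit codes are deliberately left to the default branch.

```powershell
# Added example: isolating and rolling back ONE patch under the per-update model
# that Windows 7 / 8.1 are losing in October. Under the rollup model the same
# rollback removes every fix in the bundle, which is the trade-off the article describes.
# The date below and any KB number passed in are placeholders, not identifiers from the article.

param(
    [datetime]$Since = (Get-Date '2016-09-13'),   # placeholder: the Patch Tuesday before the breakage
    [string]$ComputerName = $env:COMPUTERNAME
)

# Step 1: what landed since that date? Get-HotFix reads the same "Installed Updates"
# data appwiz.cpl shows. InstalledOn can be $null for some entries, so filter defensively.
function Get-RecentHotFix {
    param([datetime]$Since, [string]$ComputerName)
    Get-HotFix -ComputerName $ComputerName |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn, InstalledBy
}

# Step 2: remove exactly one suspect update. wusa.exe takes /uninstall /kb:<digits>;
# /quiet and /norestart keep it scriptable so the reboot can be scheduled separately.
# Exit code 3010 is ERROR_SUCCESS_REBOOT_REQUIRED: the removal succeeded but needs a restart.
function Remove-SingleUpdate {
    param([Parameter(Mandatory)][string]$KB)    # digits only, e.g. '1234567' (placeholder)
    if ($KB -notmatch '^\d+$') { throw "KB must be numeric, got '$KB'" }
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList '/uninstall', "/kb:$KB", '/quiet', '/norestart' `
        -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { "KB$KB removed" }
        3010    { "KB$KB removed; reboot required" }
        default { throw "wusa.exe exited with $($proc.ExitCode) while removing KB$KB" }
    }
}

# Usage: review what changed, then pull the one update that conflicts with the
# business-critical application. Everything else from that Patch Tuesday stays installed.
$recent = Get-RecentHotFix -Since $Since -ComputerName $ComputerName
$recent | Format-Table -AutoSize
# Remove-SingleUpdate -KB '1234567'   # placeholder KB; uncomment with the real suspect
```

Once the rollups arrive, the list from Get-HotFix will show one KB for the month instead of a dozen, and Remove-SingleUpdate against that KB backs out every security fix it contained, which is the either-or choice the rest of the article is about.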
That has been the biggest issue with the turn toward the Windows 10 model.
"There is a real concern that there will be an issue that because we have to keep the business operational, we will not be able to install the update rollup," said Bradley. "And then as a result, we [will] leave ourselves exposed to risk of attack."
If not quite between a rock and a hard place, Microsoft's new direction has left enterprises -- and customers of all sorts who have selectively applied updates -- with an either-or choice: accept the bundled update, along with any problems one or more of its component fixes cause, or decline the entire collection, discarding the majority of patches because a minority was flawed.