Microsoft last week backtracked from a 2016 decision to offer Windows 7 and Windows 8.1 users only cumulative updates, saying on Friday that starting next month it will again provide Internet Explorer (IE) security patches as a separate download.
The change was a tacit admission by Microsoft that IE has lost its place of primacy in the enterprise, a fact supported by third-party measurements showing a disastrous decline in the browser's user and usage shares over the past year.
"Customers have requested increased flexibility for deploying the Security Only updates for Windows independently of the fixes for Internet Explorer," Nathan Mercer, a Microsoft senior product marketing manager, wrote in a post to a company blog Jan. 13.
In August 2016, Microsoft announced that starting in October, it would offer only cumulative security updates for Windows 7 and 8.1, ending the decades-old practice of letting customers choose which patches they apply. The new maintenance model for Windows 7 and 8.1 was a direct transplant from Windows 10, which has always relied on cumulative updates.
Under the revamped regime, Microsoft issues two different security-related updates each month for commercial customers: "Security Monthly Quality Update," aka "Monthly Rollup," which includes both security and non-security fixes; and "Security Only Quality Update," a smaller-sized package that contains just security patches.
Patch experts voiced concern over the new practice, pointing out that businesses would no longer be able to refuse one security update while accepting others. That approach had been useful when reports surfaced of a flawed update that broke software or enterprise workflows, or crippled Windows computers.
But when Mercer explained why Microsoft would deliver IE security updates separately from the rest of Windows' patches, he implied it had little if anything to do with a potentially bad fix. Instead, he said the change stemmed from the size of the updates.
"The Internet Explorer updates constituted a significant percentage of the total Security Only update package size," Mercer said. "Package size is one of the primary reasons some enterprise customers choose to leverage the Security Only update (to optimize for smaller download in limited bandwidth scenarios)."
"With this separation, the Security Only update package size will be significantly reduced," Mercer continued [emphasis in original]. "But you will need to deploy and install the Internet Explorer update to remain secure for the latest supported version of the browser." That last sentence was an important clue to the real reason businesses pushed Microsoft to separate IE from the Security Only update.
If companies were still using IE, there would be no reason to isolate its patches from the rest of the month's: They would still need to update IE. Whether in one or two downloads, the size of everything would have been similar, with zero bandwidth savings. Only if enterprises aren't running IE does separating its updates make sense.