New Windows 7 and 8.1 patches usher in the future of rollup updating

Yesterday Microsoft released a massive set of updates for Windows 7. Strip away the politics, and KB 3125574 stands in as Windows 7 Service Pack 2. (If Microsoft released a “real” Service Pack, one would expect an extension to the Windows 7 end of support date.)

As part of that announcement, Microsoft engineer Nathan Mercer promised us a change in the way nonsecurity patches for Win7 and Win8.1 would be released:

Non-security updates for Windows 7 SP1 and Windows 8.1 (as well as Windows Server 2008 R2 SP1, Windows Server 2012 and Windows Server 2012 R2) will be available as a monthly rollup (fixes rolled up together into a single update).  Each month, we will release a single update containing all of the non-security fixes for that month.  We are making this change — shifting to rollup updates, to improve the reliability and quality of our updates. These fixes will be available through Windows Update, WSUS, and SCCM as well as the Microsoft Update catalog.  We hope this monthly rollup update simplifies your process of keeping Windows 7, and 8.1 up-to-date.

Right on cue, last night Microsoft released its first monthly rollup of patches for Windows 7 and Windows 8.1. You probably woke up to a new set of patches in Windows Update. On your Windows 7 systems, you should see these optional, unchecked, patches:

• KB 3123862: Updated capabilities to upgrade Win7 and 8.

This is the third version of the same patch released on Feb. 3 and again on Feb. 9. As I explained in February, it’s a mystery patch that “ties into Windows 10 upgrades through means unknown.” A lengthy Reddit diatribe sheds much heat but no light on the patch, and I couldn’t find any official details. KB 3123862 first appeared on Feb. 3 as an optional, unchecked patch. A week later it turned into a “recommended” checked patch, meaning it installed itself on computers with Automatic Update enabled. No idea if the same fate awaits users with this version.

It’s worth noting that earlier incarnations of this patch obeyed Microsoft’s GWX-blocking registry settings. My tests show that this version follows Microsoft’s rules of engagement as well. Running GWX Control Panel neutralizes pushy Get Windows X behavior. If you decide to install this optional patch but don’t intend to upgrade to Windows 10 any time soon, it would behoove you to run GWX Control Panel and nip any Win10 aspirations in the bud.

• KB 3125574: Convenience rollup update for Windows 7 SP1 and Windows Server 2008 R2 SP1.

Microsoft told us yesterday that this “convenience update” wouldn’t roll out through Windows Update. (“[It] is completely optional; it doesn’t have to be installed and won’t even be offered via Windows Update — you can choose whether or not you want to use it.”) This morning there appears to be a change of heart.

I’ve installed KB 3125574 on a couple of test machines and can verify that the GWX Control Panel blocking registry settings are honored. There’s no GWX icon in the system tray, no GWX scheduled programs, no bloated hidden folders. KB 3125574 appears as a single entry in my update history, although I haven’t yet taken the plunge to uninstall it.

What concerns me most about KB 3125574 is that we don’t have a definitive list of which KB patches are included in the uber-patch.

As described in Mercer’s TechNet blog post, KB 3125574:

Contains all the security and non-security fixes released since the release of Windows 7 SP1 that are suitable for general distribution, up through April 2016.  Install this one update, and then you only need new updates released after April 2016.

Which brings me to the following:

• KB 3156417: May 2016 update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1.

This is the first of the new breed of nonsecurity patches. According to the KB article, it includes only two fixes, KB 3155039 and KB 3155218, both relatively benign. As of early Wednesday morning, the KB articles for those two fixes aren’t available.

I installed KB 3156417 on a test machine and found that only the rollup envelope patch, KB 3156417, appears in the list of installed updates. That may present a problem, because neither KB 3155039 nor KB 3155218 can be uninstalled individually. You either remove the whole rollup — both individual patches — or leave it intact.

There’s also a tag-along patch:

•  KB 3139923: MSI repair doesn’t work when MSI source is installed on an HTTP share in Windows.

It looks like this one was released separately — outside of KB 3156417 — because it applies to both Win7 and Win8.1. I guess the update rollup concept still has a few idiosyncrasies.

The Windows 8.1 patches released include KB 3123862 and 3139923, described earlier, as well as the following:

• KB 3156418: May 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

This patch is odd because there was no previous massive rollup, and it isn’t clear if you have to install all previous Win 8.1 patches prior to this one. KB 3156418 contains three patches “for Home users” and 19 “for IT professionals,” all of which are listed individually in the KB article.

This new approach to nonsecurity patches will no doubt prove divisive. What if one of the component pieces of an update rollup crashes some systems? What if one of the components includes suspected “snooping” or “Win10 update” components that some Win 7 or 8.1 customers don’t want?

At this point, we don’t know.

Quality will be key. If the rolled-up patches all work flawlessly, those with tinfoil hats (including me) can figure out how to cope with the fallout. But if there’s a bad patch in a rollup, life’s going to get very complicated, very quickly.

Do the math. If there’s a 0.01 percent chance of any individual patch going haywire, and you stick 10 or 20 patches together in a rollup, what are the chances the whole rollup rolls over and plays dead?