July Patch Tuesday on July 10 was a busy one—our analysis webinar session alone ran almost 30 minutes over time! If you weren’t one of the lucky viewers to attend live, you can watch it on-demand.

Here is a compilation of the most frequently asked questions from the session, along with the answers from yours truly. Be sure to join our August session and check out my weekly patch update blogs for even more patching goodness. Please see our Patch Tuesday follow up post for further details on developing issues.

Q: With monthly rollups being available, why would one want to install “security only” updates? Is there ever a good reason to do this?

A: “Security only” updates lack a lot of the additional non-security fixes. As you can tell with the known-issues section, the list is ironically a bit larger for the rollups. I’ve found that server environments where your patching footprint would want to remain minimal is a potential scenario for security only.

Q: For servers, any benefit from doing rollup every quarter with security-only in between?

A: If I to wanted approach that method, I would most likely apply the security-only immediately after Patch Tuesday, then deploy the rollup on a mid-month basis at whatever cadence is convenient. This would allow you to remediate the newest CVEs while reducing the risk of stability issues.

Q: Does the CVE-2019-0708 for BlueKeep get patched with all future monthly rollups then?

A: Yes, that CVE should be included with all future monthly rollups.

Q: Is WannaCry (CVE-2017-0144) included in the Windows 7 and Server 2008 R2 monthly rollups?

A: Yes, that CVE should be included with all future monthly rollups.

Q: How far back does the .NET rollup go?

A: I believe October 2016 is a fair bet, however, older patches routinely get superseded by the rollup. It’s a bit vague as to how far back the .NET patches go.

Q: Do you know if the servicing-stack updates are required for the Server updates released for 2019-07?

A: The latest servicing stack updates are not an explicit prerequisite for 2019-07 patches. For Server 2016/Windows 10 1607, the May servicing stack update is at least required for the most recent security patch to apply.

Q: When SSU’s get released every month, are they always going to be a prerequisite to the monthly update or is it if you don’t have the previous month’s SSU?

A: It very much depends. This most-recent SSU is not a prerequisite. We make a patch note where explicitly applicable.

Q: Do you release patches for Chrome (the browser) Enterprise?

A: We release the Google Chrome standalone Enterprise MSI in our content to patch all instances of Chrome. 

Reduce risks of cybersecurity threats