I have had this question come at me from a dozen directions today, so I thought I would provide my thoughts on these changes in a more consumable and easily shared format.
First off, lets summarize the changes. Microsoft has announced that it is changing the servicing model for Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. There will be a monthly roll-up similar to Windows 10 where all security and non-security updates will be bundled in a single cumulative update. This means that starting in October the OS and IE updates will consolidate from several individual updates into a single cumulative bundle. Come November the next cumulative will include the October updates as well and so on.
Microsoft is also going to provide a security only bundle for each month which is a little different. The security bundle will allow enterprises to download only the security updates, but it will still be a single package with all security updates for that month bundled together in a single package.
.Net Framework will have a separate monthly roll-up and security only option that will update only existing versions of .Net installed on the system. This update would not upgrade the .Net version to a newer one.
We will start with my favorite one. Q: Did this change surprise you?
Chris: No, I actually made a prediction internally and had a bet with one of our content team members. The prediction occurred when Microsoft first released the Convenience Roll-up. I predicted that Microsoft would make this change before the year was out. It just seemed like a logical next step. Tylere owes me a six pack of good craft beer now.
Q: Why did Microsoft make this change?
Chris: They state similar reasons in their blog post that I linked to above. I will state one other reason that I expect had a little something to do with it. This was one of the final barriers to many companies making the switch to Windows 10. Being able to pick and choose which updates to deliver to systems, especially in the case where something breaks had many companies holding back from moving to Windows 10. Moving to the bundled approach has removed this convenience, although they are providing the security only bundle for each month. One thing to note, in the write-up Microsoft did not state that this security only bundle was cumulative so we will have to wait and see if they are cumulative or not.
Q: Why is the cumulative bundled approach a deterrent for enterprises?
Chris: The biggest challenge with the cumulative roll-ups is that any breaking change in the environment means you need to choose between the cumulative bundle which may include many security fixes or breaking a business critical application if the two conflict. On pre Windows 10 systems a single patch conflicting would mean making an exception for one patch instead of the entire months patch bundle.
If you recall the Windows 10 cumulative for January that broke the Citrix VDA client, Microsoft and Citrix had to coordinate a window of opportunity for Citrix to release an update to resolve the issue. In this case it was a pretty quick turn around and customers with the VDA client installed on Windows 10 were able to apply the VDA update a week later then apply the Windows 10 January cumulative.
It did not seem too bad with just one week of lag time, but what if the cumulative breaks an application that is home grown or one that is from a vendor who may no longer be in business? If a fix is either not forthcoming or comes months later this means that you cannot apply the next months cumulative or the month after, etc until the issue is fixed. I have talked to many companies about concerns regarding the cumulative bundled service model for this reason.
Q: What does this mean for the Shavlik or LANDESK products I use to patch my environment?
Chris: Like Windows 10 for us it is business as usual. We will continue to support updates for these updates as they release. It really is just a change from 6-10 OS patches each month down to 1 patch that needs to be applied for the OS and IE. So expect a cumulative roll-up or security only bundle for the OS, a .Net roll-up, and other Microsoft apps like Office, SQL, SharePoint mixed in depending on the month.
As always, we will be keeping an eye on any changes that develop and providing guidance and recommendations. Sign up for our Patch Tuesday webinars to keep up to date on the latest from Microsoft and 3rd Party Vendors like Adobe, Google, Mozilla, Apple, Oracle and more. From our Patch Tuesday page you can find future webinar registrations, previous Patch Tuesday infographics, presentations, and on-demand webinar playback from previous months.