With Windows 10, Microsoft moved a cumulative update (CU) model where all security fixes are bundled together and delivered during Patch Tuesday, but these security CUs also contained other fixes.
Michael Niehaus has now revealed on his blog (New Update Options for Windows 10 1703) that Microsoft will be separating security fixes from general improvement fixes and delivering each as separate CUs. So, now instead of an all or nothing scenario, customers can choose to deploy security patches and then deliver non-security CUs later. In WSUS, these will also be labeled separately as Security Updates and just Updates.
Michael says this will give organizations the flexibility of choice to…
- Deploy each of them just like the updates on “Update Tuesday.” This enables the organization’s PCs to get the latest fixes more quickly.
- Deploy each of them to a subset of devices. This enables the organization to ensure that these new non-security fixes work well, prior to those same fixes being included in the next “Update Tuesday” cumulative update which will be deployed throughout the organization.
- Selectively deploy them, based on whether they address specific issues affecting the organization, ahead of the next “Update Tuesday” cumulative update.
- Don’t deploy them at all. There is no harm in doing this since the same fixes will be included in the “Update Tuesday” cumulative update (along with all the new security fixes).
The reality with the cumulative updates has been that Microsoft’s patch quality continues to suffer, leaving customers with broken software or broken devices. By separating security from non-security, customers can keep their environment secure and have a better chance of minimizing problems until the non-security CUs can be fully tested.
As always, though, its still comical to watch Microsoft try to retrain customers on what to call “Patch Tuesday.”
Looking for an awesome, no-nonsense technical conference for IT Pros, Developers, and DevOps? IT/Dev Connections kicks off in San Francisco in 2017!