Impending cumulative updates unnerve Windows patch experts

'Hoping for the best, expecting the worst,' says patch maven about October change to cumulative updates for Windows 7


Microsoft's decision to force Windows 10's patch and maintenance model on customers running the older-but-more-popular Windows 7 has patch experts nervous.

"Bottom line, everyone is holding their breath, hoping for the best, expecting the worst," said Susan Bradley in an email. Bradley is well known in Windows circles for her expertise on Microsoft's patching processes: She writes on the topic for the Windows Secrets newsletter and moderates the PatchManagement.org mailing list, where business IT administrators discuss update tradecraft.

Bradley's anxiety stems from Microsoft's announcement last month that beginning in October it will offer only cumulative security updates for Windows 7 and 8.1, ending the decades-old practice of letting customers choose which patches they apply.

"Individual patches will no longer be available," Nathan Mercer, a senior product marketing manager, said in an Aug. 15 post to a Microsoft blog.

Instead, Microsoft will transplant the Windows 10 maintenance model onto Windows 7 and 8.1: They will receive updates that cannot be broken into their parts.

"They're all concerned," chimed in Chris Goettl, program product manager for patch management vendor Shavlik, referring to customers he has talked to. "This will be extremely painful for some."

Lost control

While many consumers and small businesses -- those that rely on the Windows Update service to patch their Windows 7 and 8.1 PCs -- may not notice the change, that won't be true for businesses that test updates before deploying them en masse. Since IT administrators will no longer be able to selectively apply patches, they will not know which individual fix broke their devices, applications or workflow.

Goettl had explained the problem in an August post to the Shavlik blog.

"The biggest challenge with the cumulative roll-ups is that any breaking change in the environment means you need to choose between the cumulative bundle -- which may include many security fixes -- or breaking a business critical application if the two conflict," Goettl said. "On pre-Windows 10 systems a single patch conflicting would mean making an exception for one patch instead of the entire month's patch bundle."

The ability to use the one-patch exception Goettl talked about has ended: Microsoft will begin serving up über-updates on Oct. 11, the next Patch Tuesday.

That has been the biggest issue with the turn toward the Windows 10 model.

"There is a real concern that there will be an issue that because we have to keep the business operational, we will not be able to install the update rollup," said Bradley. "And then as a result, we [will] leave ourselves exposed to risk of attack."

If not quite between a rock and a hard place, Microsoft's new direction has left enterprises -- and customers of all sorts who have selectively applied updates -- with an either-or choice. Either accept the bundled update, along with any problems one or more of its patches cause, or decline the entire collection, discarding the majority of patches because a minority was flawed.

"Enterprises will lose the control that they have had," said Goettl. "They won't be able to handle exceptions anymore."

Why the change?

Microsoft said it grafted the Windows 10 patch process onto Windows 7 and 8.1 to bring a whole host of improvements to the older OSes. Last month, Mercer ticked off everything from higher-quality updates to reduced administrative overhead as benefits. But, as when the company defended the practice at its introduction last year with Windows 10, its strongest argument revolves around fragmentation.

"Historically, we have released individual patches for [Windows 7 and 8.1], which allowed you to be selective with the updates you deployed," Mercer said. "This resulted in fragmentation where different PCs could have a different set of updates installed leading to multiple potential problems."
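The fragmentation Mercer describes is easy to measure before the rollups arrive. The following PowerShell script is an added example, not code from Microsoft or from the article: it queries a list of hosts for their installed hotfixes and reports every KB that some hosts have and others lack. The host names are placeholders, and it assumes the account running it can reach each host over WinRM/RPC.

```powershell
# Added example (not from the article): audit update fragmentation across a
# set of Windows 7/8.1 hosts by comparing their installed KB lists.
# Host names are placeholders; remote access to each host is assumed.
param(
    [string[]]$ComputerName = @('PC01', 'PC02', 'PC03')
)

# Collect the set of installed hotfix IDs per host. Get-HotFix reads
# Win32_QuickFixEngineering, which lists OS updates, not application updates.
$installed = @{}
foreach ($pc in $ComputerName) {
    try {
        $installed[$pc] = Get-HotFix -ComputerName $pc -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID |
            Sort-Object -Unique
    } catch {
        # A host that cannot be queried is left out of the comparison.
        Write-Warning "Could not query $pc : $($_.Exception.Message)"
    }
}

# Union of every KB seen on any host, then list which hosts lack each one.
$allKbs = $installed.Values | ForEach-Object { $_ } | Sort-Object -Unique
$report = foreach ($kb in $allKbs) {
    $missing = $installed.Keys | Where-Object { $installed[$_] -notcontains $kb }
    if ($missing) {
        [pscustomobject]@{ HotFixID = $kb; MissingOn = ($missing -join ', ') }
    }
}

if ($report) {
    $report | Sort-Object HotFixID | Format-Table -AutoSize
} else {
    Write-Output 'No fragmentation: all queried hosts have the same update set.'
}
```

Run it once before the October rollups to get a baseline of which machines were deliberately kept off a given KB; those are the exceptions that will have to be re-planned once the same fix can only arrive inside a cumulative bundle.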

Outsiders weren't so sure.

"This was one of the final barriers to many companies making the switch to Windows 10," contended Goettl. "Being able to pick and choose which updates to deliver to systems, especially in the case where something breaks, had many companies holding back from moving to Windows 10."

That Microsoft might be pushing the new patch system to discourage customers from staying with Windows 7 (Windows 8.1 never achieved any meaningful usage in business) may be backed by history. In past instances, Microsoft has typically declined to make changes to a Windows edition during its last five years of support, a period pegged as "Extended" and one in which non-security fixes are generally not generated.

Windows 7 has been in Extended Support since January 2015; the operating system is slated to exit all support in three years and four months, in January 2020.

Windows Vista, for example, which will fall off the support list even sooner -- in April 2017 -- will not get the patch overhaul.

But Microsoft's scheme of nudging customers to migrate to Windows 10 by denying Windows 7 the flexibility of individual patches could backfire, countered Bradley.

"The response I see from enterprises is that this is taking time away from their testing/deployments of Windows 10," Bradley said, adding that Microsoft's switcheroo means resources that might have been devoted to a migration will instead have to be assigned to revamping Windows 7 patch planning and deployment.