Windows Cumulative Patching

In order to improve the quality of Windows, and to reduce the complexity of the patching process, Microsoft introduced Windows cumulative patching. This was introduced in Windows 10, and in order to explore these in more detail, we need to look at how patches are divided.

Quality Updates

Quality Updates are a single monthly cumulative patch containing security fixes, reliability fixes, bug fixes, and other fixes. Each cumulative update supersedes the previous month’s update. Normally, they contain no new features. Beginning with Windows 10 1703, there is one mandatory cumulative update on the second Patch Tuesday and possibly several further cumulative updates during the month with added non-security content. To stay on the secure side, you need to deploy at least the second Patch Tuesday update. The other updates can optionally be deployed to some or all systems. This is what is now known as “Patch Tuesday”.

Feature updates are done twice per year, each spring and fall, with new capabilities. Feature updates are technically simple deployments using in-place upgrades, driven by existing tools with built-in rollback capabilities.

Each Quality Update raises the build number of your Windows 10 release. You can see the Quality Update release build number as the last set of digits shown by winver.exe (for example, 778). A feature update raises the version itself (for instance, 1903) and the first set of digits of the build number (for example, 18362). The SKU of Windows 10 is shown on the fourth line (for example, Windows 10 Pro).

[Figure: current Windows 10 winver.exe screen, showing the different parts of a build/patch version]

A comprehensive and always-updated list with content of each cumulative update can be found at the Windows 10 and Windows Server 2016 update history page at https://support.microsoft.com/en-us/help/4000825/windows-10-windows-server-2016-update-history.

A Windows 10 release information page with a table containing all build numbers, release dates, and KB entries can be found at https://technet.microsoft.com/en-us/windows/release-info.
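The fields winver.exe displays are also stored in the registry, which makes the version/build/revision split described above scriptable. The following PowerShell is an added example, not code from the article: it reads those fields, splits them into feature-update version, build and cumulative-update revision, and compares the revision against a baseline table whose single entry is a placeholder (take the real minimum revision for each build from the release information page above).

```powershell
# Added example: read the same fields winver.exe shows and split them into
# feature-update version / build / cumulative-update (UBR) revision.
# Assumes Windows 10 1703 or later with the standard CurrentVersion registry key.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$cv  = Get-ItemProperty -Path $key

$build = [int]$cv.CurrentBuildNumber   # first set of digits, e.g. 18362 (set by the feature update)
$ubr   = [int]$cv.UBR                  # last set of digits, e.g. 778 (raised by each cumulative update)
# ReleaseId carries the YYMM version (e.g. 1903); newer builds expose DisplayVersion instead
$version = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }

[pscustomobject]@{
    Edition   = $cv.ProductName   # e.g. Windows 10 Pro (fourth line of winver.exe)
    Version   = $version          # feature update, e.g. 1903
    Build     = $build            # e.g. 18362
    Revision  = $ubr              # e.g. 778
    FullBuild = "$($cv.CurrentMajorVersionNumber).$($cv.CurrentMinorVersionNumber).$build.$ubr"
}

# Compliance check: is the mandatory Patch Tuesday CU for this build installed?
# PLACEHOLDER baseline, not from the article: fill it from the release information page.
$RequiredUbrForBuild = @{ 18362 = 778 }
if (-not $RequiredUbrForBuild.ContainsKey($build)) {
    Write-Warning "Build $build is not in the baseline table; check whether this feature update is still serviced."
} elseif ($ubr -ge $RequiredUbrForBuild[$build]) {
    Write-Output "OK: build $build.$ubr is at or above the required CU revision $($RequiredUbrForBuild[$build])."
} else {
    Write-Warning "Missing CU: build $build.$ubr is below the required revision $($RequiredUbrForBuild[$build])."
}

# The installed cumulative updates themselves (KB numbers) are visible with Get-HotFix.
Get-HotFix | Where-Object Description -eq 'Update' | Sort-Object InstalledOn | Select-Object HotFixID, InstalledOn
```

Because a CU supersedes the previous month’s update, comparing the UBR against the required revision is enough to tell whether the current Patch Tuesday fixes are present, without enumerating individual KBs.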

Cumulative Updates

Cumulative updates (CU) are now all or nothing, meaning it is no longer possible to exclude single patches if they break something in your environment. Because systems are always fully patched, the risk of incompatibilities should be reduced, but it is still possible. So you should pay special attention to the second Patch Tuesday CU and test/deploy it as fast as possible, as it contains the new security fixes. If there are any problems, report them to Microsoft right away so they can fix them. Meanwhile, your only option is to uninstall or not deploy this CU and accept the risk of the unpatched security flaws. When you uninstall a CU, your system automatically falls back to the last installed CU version. For the non-security parts, you can test one to three extra CUs per month.

These Quality Updates can grow very quickly to sizes of 1 GB and more. To reduce WAN traffic and/or the workload on your on-premises servers, you need to configure Delivery Optimization (when using WU), BranchCache (when using WSUS), SCCM peer delivery (when using SCCM), or the solution-specific peer delivery (when using a third-party product).

In our previous article, we introduced Windows patching to show Microsoft’s approach to patching its operating system. This article took us a step further and explained how these fixes are divided.
