Source: JC Boysha, IT System Administrator

If you’ve been in the game awhile you know that Windows Updates used to be pretty straight-forward. They consisted of a list of patches, each with their own associated KB (or Knowledge Base) article indicating what they were patching and what the patch actually did on a target system. These updates were often classified in one of a few different ways (this list is not all inclusive, but includes the most common update variants):
      ◦ These are patches that would resolve severe malfunctions, application compatibilities,
         or reported and found system instabilities that are not security related. 

      ◦ These are patches that resolve and mitigate reported or found vulnerabilities.

      ◦ These added features and options to the Windows Operating System.
        These include things such as language packs. 

      ◦ These are cumulative hotfixes, security updates, critical updates, and other
        updates between version releases of windows.  Since Windows 8 these are
        no longer used. 

       ◦ These include updates that address non-critical, non-security related issues
         Updates in the Security Update category have one of a few different, aptly named, severities: 
              • CRITICAL
                     ◦ These updates patch Critical security flaws, for example:
                        flaws that can lead to severe problems and can easily be exploited. 
              • IMPORTANT
                     ◦ These updates patch Important security flaws, for example:
                        flaws that can lead to severe problems or can easily be exploited. 
              • MODERATE
                     ◦ These updates patch Moderate security flaws that will likely only affect a subset of users. 
              • LOW
                     ◦ These updates patch Low importance security flaws that will likely
                        not affect many users, are hard to exploit, or do not lead to a significant security issue.
              • UNSPECIFIED
                     ◦ These updates patch all other security flaws. These should be
                        reviewed by an administrator to determine if they are necessary
                        or important for your environment.

Each of these classifications of Security Updates is a modifier for the specific update. Meaning, there are Low importance Security Updates, but you will never get something crazy like a Low importance Critical Update.
As time went on, and Microsoft moved towards a more active update style (getting rid of service packs, adding the insider-track for Windows 10, etc.) it became clear that something akin to the service packs, feature packs, and other update packs was going to need to be figured out. It got to a point with these systems that installation would require hours upon hours of updating to “catch up” the system on all of the updates. 
Enter the Update Rollups. These were a middle ground between the service packs of old and the live update path that Microsoft started going down. These rollups consist of a number of patches bundled and prepared for ease of distribution. Much like the old update packs, there are a number of different kinds of update rollups. 

       ◦ Cumulative sets of hotfixes, security and critical updates, and unclassified
         updates bundled together for ease of distribution. 

       ◦ An update rollup consisting of all previous Security and Quality Updates
         for a given OS and version pair.

       ◦ An update rollup consisting of the Security and Quality Updates for a
         given OS and version pair. 

       ◦ An update rollup consisting of all of the updates rolled out in the previous
         month with malware definitions. 

This left a lot of questions for users and administrators, however, in what was in these update rollups and what they were targeting/addressing. Much of this confusion came when update rollups were given associated KB numbers. These KB articles were less detailed than previous updates, but themselves pointed you towards further KB articles. This means more leg work in determining which patches are included in which update packs, and more research to understand exactly what they’re doing. 
Ultimately, however, the rollups make building new systems easier, ensuring appropriate patch levels were met easier, and making sure the latest patches were easily installable for any Windows system, including making sure any superceded patches were appropriately discarded or ignored and the most recent patch applied. These rollups make it much easier to ensure that the most current patch level is met (without having to worry about supersedence) at the expense of doing a little review of patch notes.

There you have it, an overview of the world of Windows patching and Microsoft’s sometimes less-than-clear terminology.

Description of the standard terminology that is used to describe Microsoft software updates



FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.


If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.