KB 2919355: You can't patch the desktop like a phone

Windows 8.1 Update problems -- still unsolved -- drive home an important point: Changing patch rules by fiat is a recipe for disaster on the desktop

Sometimes Microsoft has prerequisite patches. For example, prior to installing Internet Explorer 11, IE10, and Windows 7 SP1, Microsoft required specific updates -- generally to the installation routines -- that handled odd situations. If you tried to install Windows 7 SP1, for example, and didn't have the prerequisite patch, the SP1 installer would slide it in for you.

Sometimes Microsoft requires you to patch Microsoft Update before it'll install any new updates. That's reasonable (although it's been abused in the past to sneak in changes to Genuine Advantage, prompting lawsuits and uncommon amounts of vitriol).

When Microsoft releases a new version of Windows or a Service Pack, it continues to supply security patches to the old version of Windows or the Service Pack for years. Some people have this bizarre idea that issuing a Service Pack absolves Microsoft from maintaining an older version -- not so. Here's Microsoft's official statement on the subject:

When a new service pack is released, Microsoft will provide either 12 or 24 months of support for the previous service pack, varying according to the product family

Windows 8.1 Update, of course, isn't a Service Pack. It's a, uh, er, an Update to a, uh, um, point-one release. Neither "updates" nor "point-one releases" are covered in Microsoft's published support commitments, as best I can tell. Microsoft can make up the rules as it goes along -- which is certainly what we're seeing.

Frequently, Microsoft issues security patches that are dependent on earlier security patches. (Many of them completely supersede earlier patches, but that's a horse of a murky color.) When Microsoft issues a security patch that hinges on earlier security patches, it has an unambiguous (if complex) policy, documented in KB 824994:

A cardinal point exists for the original release version of the product and each service pack (SPx). GDR and hotfix copies of the same files are put in different folders in the software update package for each cardinal point in the product's release cycle. For example, before Service Pack 1 (SP1), security updates, critical updates, updates, update rollups, drivers, and feature packs for Windows Server 2003 contain two copies of the same files in RTMGDR and RTMQFE folders. After SP1 is released, Windows Server 2003 security updates, critical updates, updates, update rollups, drivers, and feature packs may contain copies of the same files in RTMGDR and RTMQFE folders and SP1GDR and SP1QFE folders. Files in the <cardinal point>GDR folders contain only GDR-class fixes. Files in the <cardinal point>QFE folders are cumulative and contain both the GDR-class fix and all previous hotfixes that affect the included binaries. Because Microsoft provides support for the current and the next most recent service pack (N and N-1), security updates, critical updates, updates, update rollups, drivers, and feature packs may contain up to six versions of the same files.

In English: If Microsoft issues a patch that requires earlier patches, the installer will apply the earlier patches prior to installing the current patches. That's even true when Microsoft has a Service Pack in the middle, so I'd certainly expect it to be true with point-one releases and Updates. There's not a hint of this "you must install Windows 8.1 Update prior to receiving new patches for 8.1" horsepucky in KB 824994.

If Microsoft wants to change the rules, that's fine. In many cases, it will have to change the rules in order to make rapid release possible. I understand that -- and sympathize. But if Microsoft changes the rules, it should tell us how (and hopefully why).

Changing patch rules by fiat may be acceptable practice in a phone world, but it's a recipe for disaster on the desktop.

This story, "KB 2919355: You can't patch the desktop like a phone," was originally published at InfoWorld.com.
