Patch elephantiasis: Black Tuesday brings 1GB downloads

If you're trying to install this week's Black Tuesday patches, you may have to wait (and wait and wait) for almost 1GB of downloads. Here's why.

If you're running a fully up-to-date version of Windows 8.1 and have Office 2013 installed on your machine, this week's Patch Tuesday could bring a rude surprise. Microsoft Update may want to download a gigabyte of data just to bring your machine up to snuff. One Windows 8.1 Update/Office 2013 owner reports that this Black Tuesday requires an 864MB download. My main production machine, which was 100 percent up to date on Monday, now wants to download 990MB in Black Tuesday patches.

If I had to download this Tuesday's patches over my 4G connection, I'd blow through half of my AT&T data cap for the entire month just to patch Windows and Office. Once.

Graybeards in the crowd (I'll confess to the gray, not the beard) may remember the first Patch Tuesday, on November 11, 2003, when Microsoft showed the forbearance to hold off on patching until it had accumulated four Security Bulletins -- MS03-048 through MS03-051 -- and released them all at once. A little more than 10 years later, the volume of a single Patch Tuesday has grown from a megabyte to a gigabyte, and the number of patches has grown from a few to many dozens at a time.

Why?

Microsoft's throwing everything but the kitchen sink into Patch Tuesdays. Once the province of, you know, security patches, Black Tuesday has grown into the garbage dump of the computer industry. Here's what Microsoft shoveled out this week, with reporting compliments of KB 894199, Microsoft's master list. Start with this week's security updates:

KB2871997 - Security Update for Windows 8, Windows RT, Windows Server 2012, Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB2898845 - Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012

KB2898847 - Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R

KB2898849 - Security Update for Microsoft .NET Framework 4.5, 4.5.1 and 4.5.2 on Windows 8 and Windows Server 2012

KB2898850 - Security Update for Microsoft .NET Framework 4.5.1 and 4.5.2 on Windows 8.1 and Windows Server 2012 R2

KB2898851 - Security Update for Microsoft .NET Framework 3.5.1 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

... and on and on ... I count seven more.

Then you finally get to the "real" security patches, with honest-to-goodness Security Bulletins. MS14-022 has one KB entry; MS14-025 has two (which is to say, two separate bundles of patches); MS14-026 has ten; MS14-027 has two; MS14-028 has two; MS14-029 has two.

Those are just the security updates, with or without accompanying Security Bulletins. Wait'll you see the non-security patches:

KB2852386 - Update for Windows Server 2008 R2 x64 Edition

KB2920540 - Dynamic Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2

KB2932074 - Update for Windows 8.1

KB2932354 - Update for Windows 8.1 and Windows 7

KB2934950 - Update for Windows Server 2008 R2

KB2934953 - Update for Windows Server 2008 R2

KB2934957 - Update for Windows Server 2012 Essential

KB2938459 - Update for Windows 8 and Windows RT

KB2939153 - Update for Windows 8.1, Windows RT 8.1, Windows 8, and Windows RT

... and about ten more.

But wait! That's not all. We get the usual Malicious Software Removal Tool, and the "high priority" KB 947821 System Update Readiness Tool for Win 7, Server 2008 R2, and Vista. Then there are the changes to existing security content (I count four) and the changes to existing non-security content (of which there are three).

What do all of these patches actually patch? That's easy. Almost every one of the security patches says:

Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.

... and that's the extent of the description.

Microsoft usually releases patches on the second and fourth Tuesdays of the month. Once upon a time, the second Tuesday was for security patches (invariably with accompanying Security Bulletins), while the non-security patches rolled in on the fourth Tuesday. Heaven only knows what the fourth Tuesday in May will bring, but here's what we've seen since April's Black Tuesday:

  • Wednesday, April 16: two non-security patches, changes to one security patch (MS14-018), and changes to the metadata (but not the programs) for two non-security patches
  • "Fourth" Tuesday, April 22: one non-security patch and changes to the metadata for a non-security patch
  • Thursday, April 24: non-security patch
  • Monday, April 28: out-of-band security patch for Flash Player in Internet Explorer
  • Thursday, May 1: out-of-band security patch for Internet Explorer (MS14-021)
  • Monday, May 5: two new security patches, plus one patch of a patch to make the Windows 8.1 Update installer behave itself. (Pro tip: the patch didn't work.)

Last month, the 481MB Visio 2013 patch brought howls of pain. This month's Black Tuesday booty runs twice as heavy.

You have to wonder how long Microsoft can keep this boat afloat -- and take pity on folks who need to download their patches over slow or expensive lines.

This story, "Patch elephantiasis: Black Tuesday brings 1GB downloads," was originally published at InfoWorld.com.
