Microsoft yanks botched patch KB 2949927, re-issues KB 2952664

Windows 7 upgrade compatibility patch gets a tweaked installer, while the SHA-2 hashing patch is summarily removed without explanation

Tell me if you've heard this one before: Microsoft has pulled a patch -- KB 2949927, a patch so important it rated its own Security Advisory -- and there's no official notification that the patch was yanked, no explanation as to why it's been pulled, and no instructions for removing (or keeping) the patch if it did somehow get installed.

Let's start with the less upsetting patch, KB 2952664. It was released to the Automatic Update chute on Oct. 14, this month's Black Tuesday. The ensuing uproar was so bad that by the next day I had already posted an article explaining how the patch failed to install on many Windows 7 machines, throwing off error 80242016.

I also pointed to the simple steps for fixing the problem. "Simple," that is, if you're adept at using Windows 7's Add or Remove Programs to get rid of a Windows patch that's months old, and you aren't intimidated by running Windows Update manually. Count my Aunt Martha out.

Yesterday Microsoft re-issued the patch. The bits in the patch itself weren't changed, but the installer was. If you have Automatic Update enabled, you probably saw two days of error messages saying the patch couldn't be installed due to error 80242016, then suddenly, yesterday or today, the update goes through and you don't see the error message any more -- which is cool, as long as you ignored the error message and kept Automatic Update turned on.

Take-away lesson: Ignore Windows error messages. Aunt Martha can handle that.

The more disconcerting patch, KB 2949927, was one of the four botched patches I mentioned yesterday. It adds SHA-2 hash signing and verification capability to Windows 7. Trying to install it on some machines led to multiple reboots failing with error 80004005 -- a nice way to spend your Tuesday afternoon. And Wednesday. And Thursday morning.

There was a complex workaround (enabling Automount?!) proposed by Pavel Stastny on the TechNet forum and summarized on Reddit, but the fix doesn't appear to work on all machines. In the end, Microsoft yanked the patch -- without warning or explanation -- on Thursday afternoon. As the situation stands early Friday morning, the KB article doesn't describe the multiple-reboot failure problem, nor does the Security Advisory. The patch has been pulled, though: It doesn't appear on a Windows Update scan, and the direct download links in the Security Advisory lead to "We are sorry, the page you requested cannot be found" pages.

What should you do if the patch was installed? I have no idea, and Microsoft isn't saying a word.

Still no news on the other bad patches, KB 3000061, the problematic kernel mode driver patch which Microsoft is pursuing, or KB 2984972, the Remote Desktop Connection patch for Windows 7, which is breaking Microsoft App-V programs left and right.

I've been saying it in print for a decade now: Automatic Update is for chumps.
