Tuesday brought another massive round of patches from Microsoft, but the real losers could turn out to be Server 2003 customers.
The toll from Microsoft's Patch Tuesday includes 13 security bulletins, three of them critical; one new and one updated Security Advisory; one re-issued .Net security patch; KB 3037580, which "may have to be reinstalled;" 34 re-issued non-security patches for Windows, several of which have been updated multiples times; and a whopping 48 re-issued non-security patches for Office.
Saints preserve us.
Complaints are starting to roll in, and many people report that their PCs hang after installing the patches and rebooting; Windows just sits there at "Stage 1 of 3" or "Stage 3 of 3" in the installation process. Fortunately, the old three-finger salute seems to solve the problem.
KB 3049563, this month's massive Internet Explorer cumulative patch, supersedes KB 3038314, which was last month's massive Internet Explorer cumulative patch. No definitive word yet on whether the new version continues to block adding search engines and/or fails with installer error 80092004.
Contradictory advice on the .Net 4.5 patch re-release ,KB 3037580, has some users wagging their heads. In the official patch update list, Microsoft says "This update may have to be reinstalled," but the KB article clearly says, "Notice/May 12, 2015 /This security update has been re-released and contains updated files. We recommend that you apply this security update."
Our old friends KB 3022345 and KB 3048043 are back -- for the fourth and third time, respectively -- having just been re-re-released last week. Those are the patches for fixing screen flickering in Windows 8.1 and enabling the "Diagnostic Tracking Service" in Windows 7, 8.1, and Server 2012 R2. I still have no idea what, precisely, the Diagnostic Tracking Service patch does and how it relates to the Customer Experience Improvement Program, which used to be an opt-in program.
We also have yet another critical kernel patch, MS15-044/KB 3057110, because a sufficiently sentient font can take over your computer, even if the font is sitting on a Web page. That still boggles my mind.
But the real losers this month are easy to pick: Server 2003 customers just got thrown to the sharks. Microsoft's official end-of-life page for Server 2003 spells it out: "Migration is worth it! Windows Server 2003 support is ending July 14, 2015/What does end of support mean for you? After July 14, Microsoft will no longer issue security updates for any version of Windows Server 2003."
Except, well, Microsoft might decide to end support for Server 2003 early, without any warning, advice, or help -- or even a good workaround, never mind a refund.
Although Windows Server 2003 is an affected product, Microsoft is not issuing an update for it because the comprehensive architectural changes required would jeopardize system stability and cause application compatibility problems. Microsoft recommends that security-conscious customers upgrade to a later operating system in order to keep pace with the changing security threat landscape and benefit from the more robust protections that later operating systems provide.
You might not be surprised to discover that the note only exists near the middle of the MS15-050 article. The KB article, somehow, forgets to mention the lapse. Up at the top of the KB article, you can see this admonition:
Support for Windows Server 2003 will end on July 14, 2015 / Microsoft will end support for Windows Server 2003 on July 14, 2015. This change will affect your software updates and security options.
That is, unless Microsoft unilaterally decides to end your support a couple of months early.
Patch Tuesday is alive and well -- and Black as ever.