Why you should worry about Windows 10 cumulative updates

As long as it works, Microsoft's cumulative patching sounds fine -- but a single screw-up could have ongoing repercussions

Why you should worry about Windows 10 cumulative updates
Credit: Thinkstock

Yesterday, Blair Hanley Frank from IDG News Service reported on an interview with Windows VP Joe Belfiore, describing Microsoft’s continued refusal to break apart Windows 10 cumulative updates. He quotes Belfiore:

We've involved a lot of companies and real-world IT management organizations in talking through the implications ... and our feeling talking with them is that the net result that you get is better… We've seen lots of examples of situations where end users experienced lower reliability or unpredictable system performance because of a relatively untested combination of updates. So our net intent is to improve the quality overall, for everybody. And we believe that this method will deliver that.

While Microsoft’s intentions are laudable (in some respects), they’re entirely dependent on one important point: In order for this to work, Microsoft must deliver patches for Windows 10 that are a lot better than the ones we've seen for every earlier version of Windows.

With eight Cumulative Updates for Windows 10 now under our belts, I think we can draw a few conclusions and point to several examples of how this decision may play out.

In case you wondered, I think rapid-fire cumulative patching is a bad idea -- and a few thousand people who signed last week’s petition asking for more transparency and better blocking tools likely agree. I’ve kvetched at length about Windows 10’s stealthy patches, always hoping Microsoft would see the light. Apparently that won't be the case anytime soon.

Here’s my informal tally of the Cumulative Updates

  • Aug. 5, CU 1 = KB 3081424
  • Aug. 12, CU 2 = KB 3081436
  • Aug. 14, CU 3 = KB 3081438
  • Aug. 18, CU 4 = KB 3081444
  • Aug. 27, CU 5 = KB 3081448
  • Sept. 8, CU 6 = KB 3081455
  • Sept. 15, CU 6.1 = KB 3095020 for Russian, Bulgarian, Uzbek, Kyrgyz, Mongolian, and Tajik locale tags
  • Sept. 30, CU 7 = KB 3093266
  • Oct. 13, CU 8 = KB 3097617, revised on Oct. 16

Most of those Cumulative Updates arrived with absolutely no description. KB 3081444 (CU 4), we’re told, includes the IE security fix described in MS15-093. KB 3081455 (CU 6) contains the varied patches described in MS15-094, MS15-095, MS15-097, MS15-098, MS15-101, MS15-102, and MS15-105. KB 3097617 (CU 8) contains the changes in MS15-106. That's all we know.

There have been several recent Windows 10 patches that aren’t Cumulative Updates: KB 3087040 fixed Flash in IE (my main production system shows KB 3087040 was installed two different times on Sept. 22, twice on Sept. 23, one more time on Oct. 1, and again on Oct. 13). There was a presumably different individual patch for Flash in IE and Edge, KB 3105216, on Oct. 19.

All told, we have eight cumulative updates since July 29, one stunted CU that only applies to eastern European locales, and two individual updates for IE and Edge. One of the individual updates was installed on my main machine six times, although the official Microsoft patch log lists it as going out only once, on Sept. 21.

Here’s the problem: As long as all of the patches work reasonably well, grouping together security patches with performance tweaks, bug fixes, other modifications, and the proverbial electronic kitchen sink doesn’t present a problem. However, when one of the component patches heads south, the whole house of cards can fall.

So far, the record has been clean. We’ve seen complaints galore, of course. Each CU was accompanied by a loud chorus of cries from Windows 10 customers who were sent into endless reboot loops, crashes, and lock-ups of various sorts. But for most people, most of the time, the CUs installed and worked.

What happens if/when we get a real stinker of a patch? What if, say, the fix for MS15-095 suddenly starts crashing enormous swathes of machines? Will Microsoft re-release the Cumulative Update for everybody, again and again, until it gets it right?

If my production machine is any indication, that seems to be exactly what happened with KB 3087040. In this one instance, it took Microsoft six tries over the course of three weeks to get it right. Take a look at your machines and see what you find.

Fortunately, KB 3087040 was a stand-alone patch, and Microsoft could re-release it with impunity. What happens if we hit an analogous situation with Cumulative Updates? Will we see a slightly tweaked Cumulative Update rolled out six times in three weeks?

Windows has had cumulative updates for years, even decades. They’ve typically focused on one particular technology: USB devices, for example, or time zones or Visual Basic. They’re invariably a roll-up of tested and proven patches, made available in one update for convenience. That’s not what we’re dealing with here. The Windows 10 Cumulative Updates are largely undocumented blobs of mixed patches delivered without warning.

The one disastrous cumulative update I can recall was Windows 8.1 Update 1. Yes, it was a Cumulative Update -- one that wasn't well received. Microsoft spent months forcing that update down the Windows user base’s collective throats, finally pulling back on its draconian deadline in the face of waves of customers who couldn’t match Microsoft’s pie-in-the-sky pace.

Cumulative updates work great as long as the patches themselves work reasonably well. If one of them breaks, there’s no telling what will happen. The situation is made substantially more difficult if we don’t know what’s in the specific update.

Perhaps you're ready to trust Microsoft's newfound patching prowess. Time will tell.

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.