Microsoft won’t bundle IE patches with new cumulative updates for Windows 7 and 8.1

Windows Patch Tuesday
Microsoft will not include bug fixes for Internet Explorer (IE) in the new cumulative updates slated to upend Windows patching next month. According to answers given to questions posed by customers, IE patches will not be bundled with the über updates that debut Oct. 11. Instead, they will be delivered separately as individual updates, as they have been for decades.

“We are working to get IE included in the monthly rollup and security-only update but do not have a confirmed schedule yet,” said Nathan Mercer, a Microsoft senior product marketing manager, in one of several replies to queries about the changing patch practices. “But we plan to eventually include patches for which ever version of IE you currently have installed in the monthly rollup, similar to the .NET rollup.”

The terms monthly rollup and security-only update will be important for Windows users to recognize and understand come next month. That’s when an August-announced end to individual bug fixes and patches will take effect.

Each “monthly rollup” will include all updates, those related to security and those not, that Microsoft intends to release that month. The “security-only update” — released the same day — will include just the month’s patches for vulnerabilities in the operating system.

Customers who receive patches and bug fixes via Windows Update — the consumer-grade maintenance service — will automatically get the monthly rollup. They will not have a choice. Businesses deploying updates using Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) may pick between the monthly rollup and the security-only update.

The mondo updates will put a stop to the decades-old process that let customers pick and choose which Windows patches they applied. That flexibility was most useful — sometimes critical — when a single patch was found to break one or more applications, or more worrying, crash or cripple a PC. Customers could then decline that patch while still applying all others to protect their machines.

That selectivity will vanish next month, as Mercer repeatedly told users when they asked again and again for clarification on the announcement. “Individual patches will no longer be available after October 2016,” Mercer said.

The exception is Internet Explorer, whose patches and updates will not be wrapped up with others in the monthly rollup or security-only update. The move applies even though Microsoft has long treated IE as a part of Windows, not as an application that stands on its own.

Microsoft will continue to patch only Internet Explorer 11 (IE11) for Windows 7 and Windows 8.1; since January, that’s been the only version of the browser Microsoft has maintained.

It was unclear why Microsoft will not include IE updates in the monthly rollup or security-only update next month: Mercer did not provide a technical reason, as he did when users asked whether Windows Vista and Windows Server 2008 would also receive the take-them-or-leave-them updates. (They won’t, said Mercer, because “technically there are complications that will make any changes on those platforms more challenging.”)

Windows 10, which inaugurated the cumulative update model last year, bundles both IE11 and Edge patches in its packaged updates, so for that OS, at least, there are no technical barriers.

Microsoft will issue the first monthly rollup and security-only update for Windows 7 and Windows 8.1 on Tuesday, Oct. 11.

Via ComputerWorld