As you are probably aware, Microsoft previously announced Windows servicing changes on down level operating systems aiming to have a more consistent and simplified servicing experience to down level operating systems. As part of this simplified servicing model, the 2nd Tuesday of each month will see the release a new Security Monthly Quality Rollup and a new Security Only Quality Update. As the Security Monthly Quality Rollup contains the same security fixes as the Security Only Quality Update, as well as all fixes from previous monthly rollups and Security Only Quality Updates, there is a supersedence relationship between these updates. This supersedence allows installers of the Security Monthly Quality Rollup to see that fixes in earlier Rollups and Security Only updates are included, and allows for machine disk space to be managed appropriately when updates are superseded. See More on Windows 7 and Windows 8.1 servicing changes for more information about the servicing changes and supersedence rules.
Cross-Month and Intra-Month Supersedence Relationships
In Configuration Manager 2007 (ConfigMgr 2007), superseded updates are automatically expired and can no longer be deployed using the built-in software updates management (SUM) feature. As noted above, there is a cross-month supersedence relationship as well as an intra-month supersedence relationship between Security Only Quality Updates and Security Monthly Quality Rollups. For example, the Security Monthly Quality Rollup released in November will supersede the Security Only Quality Update also released in November as well as the updates (Security Monthly Quality Rollup and Security Only Quality Update) released in October.
Operational Impact (Security Monthly Quality Rollup Deployments)
Configuration Manager 2007 customers have roughly a month (from the 2nd Tuesday of each month to the following 2nd Tuesday) to test and fully deploy a new Security Monthly Quality Rollup for a given month using the SUM feature. If this deployment does not complete before the next superseding rollup is released, there are two primary options to continue:
1. Choose to switch to testing and deploying the latest superseding Security Monthly Quality Rollup using the SUM feature.
OR
2. Choose to deploy the superseded Security Monthly Quality Rollup using an alternate deployment method (outside of SUM), such as general software distribution.
Operational Impact (Security Only Quality Update Deployments)
Given that new Security Only Quality Updates are superseded by the new Security Monthly Quality Rollup for the same month, they will be marked as expired and unavailable for deployment each month via the SUM feature. Customers that desire to install Security Only Quality Updates will need to do so using an alternate deployment method (outside of SUM), such as general software distribution.
Alternate Deployment Methods (Software Distribution)
Using the software distribution feature to deploy superseded updates, which you may have done previously in the past, will entail manually downloading the desired update content from the online Microsoft Update Catalog site. The update content will be .MSU based. Wusa.exe is the command line installer that can be used to install the updates. See Description of the Windows Update Standalone Installer in Windows for more information about using Wusa.exe.
Important Notes:
1. There will be update content packages per down level OS and per platform. Multiple packages and programs may be needed, as applicable.
2. You may need to create specific collections for targeting. It could be as simple as ‘All Windows 8.1 Computers’ or as complex as ‘All Windows 8.1 Computers that Require October’s Security-only Quality Update’.
3. You may need to test and define recurring advertisements designed to reinstall updates that are removed by end users.
4. Configuration Manager (current branch) and Configuration Manager 2012 have a Supersedence Rules feature that allows customers to define the expiration behavior for superseded updates. For example, instead of superseded updates being expired immediately, you can define that there is a three (3) month wait, allowing additional deployment time.
Microsoft System Center Configuration Manager 2007 System Center 2012 Configuration Manager ConfigMgr 2012 R2