Changes to Windows Update supersedence

Martin Brinkmann
Dec 12, 2016

Microsoft revealed a couple of days ago on Technet that it plans to change the Windows Update supersedence on Windows 7 and 8.1, and Windows Server 2008 R2, 2012, and 2012 R2.

The company started to publish so-called rollup updates for the mentioned operating systems in October.

This was a major change for several reasons. For one, instead of having the luxury to install individual updates, all-or-nothing was the motto of the day.

This was problematic, as it changed how bugs are addressed. Previously, if an update caused an issue, you could remove just that update. With the new update scheme, all you can do is uninstall the whole rollup with all its patches, even those that are not causing any issues on the system.

Imagine having to remove all security patches of a month because one causes issues on your system. You may leave a computer system running Windows wide open to attacks.

But that was not the only issue; Microsoft decided to release a security only update rollup, and a rollup image containing security updates and other updates.

I called the terminology that Microsoft uses to describe these updates atrocious. The company calls "security only" updates "Security Only Quality Update", and the all-encompassing updates "Security Monthly Quality Rollup".

Windows users have three options when it comes to updates: 1) install only security rollups, 2) install security and non-security update rollups, or 3) block all updates.

The supersedence issue

The idea was that if you only wanted security updates, you installed those rollup patches and were done with it.

Turns out, this did not work for customers using WSUS or Configuration Manager 2007.

While both the security-only updates and the security and non-security rollup updates installed fine in October, the following happened in November when the new batch of updates was released:

  1. The Security-only rollup update of October 2016 was superseded by the security and non-security rollup update in November.

This meant that customers could not install security-only rollup updates on their machines if they used WSUS or Configuration Manager 2007, at least not without workarounds.

This meant that the October 2016 Security only update, the October 2016 Security Monthly Quality Rollup update, and the November 2016 Security only update were all superseded by the November 2016 Security Monthly Quality Rollup update.

The Fix


The fix removes security-only update supersedence. This has a couple of advantages, including that it fixes the issue that business customers experienced in November 2016.

Companies may install security only updates at any time, and in any order. They may furthermore install security monthly quality rollup images in select months without affecting installed or future security updates.
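The supersedence problem and the effect of the fix can be modelled in a few lines. The following is an added example, not code from Microsoft or from the original article: the catalog is constructed from the four updates named above, the post-fix state (a rollup supersedes only the previous rollup) is an assumption, and so is the coverage rule that a security-only update covers its own month while a monthly rollup is cumulative.

```python
from dataclasses import dataclass

SECURITY_ONLY = "security-only"
ROLLUP = "monthly-rollup"


@dataclass(frozen=True)
class Update:
    name: str
    month: str              # "YYYY-MM", sorts chronologically as a string
    kind: str               # SECURITY_ONLY or ROLLUP
    supersedes: tuple = ()  # names of the updates this one replaces


def build_catalog(fixed):
    """Constructed catalog of the four October/November 2016 updates.

    fixed=False: November supersedence as described in the article.
    fixed=True:  assumed state after the fix, where a rollup only
                 supersedes the previous rollup.
    """
    oct_so = Update("2016-10 Security Only Quality Update", "2016-10", SECURITY_ONLY)
    oct_mr = Update("2016-10 Security Monthly Quality Rollup", "2016-10", ROLLUP)
    nov_so = Update("2016-11 Security Only Quality Update", "2016-11", SECURITY_ONLY)
    replaced = (oct_mr.name,) if fixed else (oct_so.name, oct_mr.name, nov_so.name)
    nov_mr = Update("2016-11 Security Monthly Quality Rollup", "2016-11", ROLLUP, replaced)
    return [oct_so, oct_mr, nov_so, nov_mr]


def deployable(catalog, kind):
    """Names of updates of `kind` that nothing else in the catalog supersedes."""
    superseded = {name for u in catalog for name in u.supersedes}
    return [u.name for u in catalog if u.kind == kind and u.name not in superseded]


def uncovered_months(catalog, installed):
    """Months whose security fixes are missing after installing `installed`.

    Assumed coverage rule: a security-only update covers its own month only;
    a monthly rollup covers its own month and every earlier one.
    """
    by_name = {u.name: u for u in catalog}
    months = sorted({u.month for u in catalog})
    covered = set()
    for name in installed:
        u = by_name[name]
        if u.kind == ROLLUP:
            covered.update(m for m in months if m <= u.month)
        else:
            covered.add(u.month)
    return [m for m in months if m not in covered]


def security_only_gap(fixed):
    """Months left unpatched when only non-superseded security-only updates are deployed."""
    catalog = build_catalog(fixed)
    return uncovered_months(catalog, deployable(catalog, SECURITY_ONLY))


if __name__ == "__main__":
    for fixed in (False, True):
        cat = build_catalog(fixed)
        print("after fix" if fixed else "before fix")
        print("  security-only offered:", deployable(cat, SECURITY_ONLY))
        print("  rollups offered:      ", deployable(cat, ROLLUP))
        print("  unpatched months:     ", security_only_gap(fixed))
```

Before the fix, a deployment that honors supersedence has no security-only update left to offer, so both months stay unpatched unless the full rollup is accepted.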

Microsoft on fixing bugs in security-only updates

I asked back in October how Microsoft was going to address issues found in security updates. This was an important question for Windows users and administrators who install only the security-only updates on their machines.

Would Microsoft release updates for the security-only update to address the issue, or would it release the patch as part of the security monthly quality rollup?

Scott Breen shed some light on the question. According to him, Microsoft will decide the course of action on a case by case basis.

The company may release a revision for the security update to address the issue.

If a problem with the update itself is identified and not a known issue, a revision of the update might be released which resolves the problem. As I said, case-by-case.

While that is one option, Microsoft did something different for issues identified in security patch MS16-087. It addressed the issue in the November Security Monthly Quality Rollup, but not in the Security-Only Rollup for the month. (via Born City)



  1. J-14 said on December 18, 2016 at 7:14 am

    I read this post and ALL the comments.

    Why are people still supporting microsoft?
    remember back when they had FTP for updates.
    When they killed that, all hell should have been raised.

    And oh yes, please stop lumping in windows 8 with win7/xp, eight is not in the same class. No way 8 is the beginning of an APP eco system. not to mention the removal of the START button, a bold middle finger raised by microsoft to all who maintained by hand a start menu for thousands of applications.

    Most dummies I Know reformat every month. It takes me 1 YEAR to build a workstation, I ain’t formatting it each month~! I CLONE it each month! But then idiots probably have a bad diet making their brains sick.

    the difference between XP and 7 is the audio MIXER has been gone through with a chainsaw by someone who likes to punish people (I think it’s the same people who program the HELL into “xset” in linux because they are stupid and refuse to build another POWER PLANT to run my always on boxes), and now code a bunch of different API ways or else the OLD AUDIO STUFF WAS BROKEN .. Also if you do multi-soundcards still get to dig through menus even with the wonderful third party VOLUME2!

    Get rid of the people doing CLIMATE change and build more Power plants and provide more electricity, find more water bring it and quit with the artificial droughts, the missing START button, the surprise (sic) upgrade to win8 from XP/7 production box, if people have stuff they make stuff, the reason things are sick is because the MONEY DONT FLOW except to the elite who don’t obey any laws.)

    boycott the rotten companies.

    you’ve been drafted. Into this fight against the globalist revolution you just don’t realize it yet.
    WW3 is on your HEALTH — watch what you put into your mouth!

    1. wow said on December 21, 2016 at 2:50 am

      …Wow. What a post.

      I’m trying to imagine the type of person that types this out, thinks “yep, looks good” and hits submit. Actually, we know: the type of person who takes a year to reformat a PC, thinks that the loss of FTP was worth raising hell, and can’t work past the lack of a start button.

      Yikes, dude. Good luck out there.

  2. Samantha Haas said on December 16, 2016 at 1:50 am

    what a mess the 13 Dec 2016 update created, my computers all lost net connectivity altogether. Nothing works even after rolling back to a prior restore point. DHCP, IP addresses all is KAPUTT!!
    Spent three hours with MS Techs on phone, then get an email (on my phone) “your problem is resolved”,
    eh NO NO NO.
    Called Router folks no help, it’s working good. Called Internet provider all is good there.
    Now what, guess redo Win 10? Suck is a mild word to use.
    Microsoft has gotten too big for their britches.
    Thank God for Hotspots.

    1. A different Martin said on December 16, 2016 at 6:36 am

      As far as I can make out, if you’re a Microsoft “Insider,” you’re an unpaid alpha tester; if you’re a Current Branch user, you’re an unpaid beta tester, and if you’re a Current Branch for Business user, well, you might have a shot at getting stable, debugged updates and upgrades that might still break some of your apps. If I had to use Windows 10 — and I have no intention of doing so unless my upcoming switch to Linux turns out to be even more disastrous than Windows 10 seems to be — I would opt for Windows 10 Pro and defer updates for a minimum of one month. With Windows 10, Microsoft switched to a “rolling distro” model (except for Enterprise LTSB, which most users don’t qualify for), and at the same time they fired half of their quality-assurance staff. What were they thinking? They may have wanted to force their coders to “take more responsibility for their work,” but it’s users who are paying the price.

  3. PJ in FL said on December 15, 2016 at 4:24 am

    My biggest problem with leaving Windows is leaving Excel. Neither LibreOffice nor Star Office spreadsheet programs offer the automation capabilities, and I’ve spent way too many hours learning VBA and the object model to toss it out, not to mention all the Excel programs that I’ve built that would no longer work. I don’t see anyone at MS buying into the idea that a Linux port of Office would increase profits…

    I’ll stay with Windows as long as I can still use 7 and 8.1 reasonably securely, but I still see the day when I rebuild a Linux box and start the (years long) transition.

    So sad…

    1. A different Martin said on December 15, 2016 at 6:34 am

      If you don’t use the very latest version of Office, Excel might run fine in Wine (free), optionally via PlayOnLinux (a free front-end for Wine), or Crossover ($). It looks like the version cut-off point for both platforms is Office 2013, for now.

      You could check out whether your Excel spreadsheets will run “in Linux” by creating a virtual machine with the Linux distro of your choice on your Windows machine and then installing Excel in the virtual machine, either using PlayOnLinux or following Office-specific installation instructions to the letter in Wine. (Hopefully, Microsoft will give you a grace period before you have to enter your license key for Office.) Then try loading and playing with copies of your most gnarly spreadsheets. If they work, that’s promising. If they don’t work, you could do a 14-day free trial of Crossover (a paid, professionally supported product reputed to be better than Wine) and try installing Excel in that.

      You can read accounts on the Web from Excel users who failed to get their VBAs to work in Linux and accounts from users who succeeded, but there’s no substitute for trying out your own spreadsheets/VBAs first-hand. And if neither Wine nor Crossover seems to work, there’s always the option of installing Windows on a virtual machine in Linux and running Office/Excel from within that. (VMware offers a utility that can purportedly convert a physical Windows install into a virtual machine, eliminating hours, even days, of set-up work. I’ve gotten used to VirtualBox, which unfortunately doesn’t offer a conversion utility.)

      1. A different Martin said on December 16, 2016 at 3:55 pm

        Here’s an article from a couple of days ago with tips for installing Office 2013 in Linux using PlayOnLinux:

        How to Install Microsoft Office 2013 in Linux – Make Tech Easier

  4. Tony said on December 13, 2016 at 8:23 am

    Microsoft is really going downhill fast. They just need to make it how it worked before: Download updates you want, and don’t download updates you don’t want.

  5. Darren said on December 12, 2016 at 8:48 pm

    They would prefer you just step in line like any other good windows 10 user. Hate where this company has gone.

  6. Corky said on December 12, 2016 at 4:44 pm

    What an utter mess Windows has become.

  7. kalmly said on December 12, 2016 at 4:22 pm

    I’m just a computer user. I come here every day to read what you geeks have to say, hoping I will learn something in the process. Thanks for all your conversations. I have learned many things, and to my benefit, I’ve taken a lot of your very good advice. But now, Microsoft is making me crazy. I don’t understand the best course to take to keep my computer safe, so I’ve blocked all updates — not that I could download any when they weren’t blocked — and do NOT know where to go from here.

    Windows 10 has gone from bad enough to a horror show. I wonder what will happen when 10 is 10 years old. Since it is the last “Windows”, will the accumulated updates take a week to download? Well, never mind. I won’t be using Windows 10 ever. I mourn the loss of the best ever OS, but I can’t stay with MS once my Win7 (and my XP) dies. Linux seems a poor substitute but I’ll be left no choice.

    1. A different Martin said on December 13, 2016 at 11:33 pm

      As far as I can make out, Windows 10 “Current Branch” editions (definitely Home, definitely Pro, and I believe a subset of Enterprise) are now intended to be what in Linux are called “rolling distros” — operating systems that are not just continually updated but continually upgraded. With a rolling distro model, you theoretically never have to install a new version of the OS from scratch. Instead, it keeps morphing step by step from older to newer, adding, changing, and removing features and code along the way. I believe I read that Windows Pro licensees can defer the Current Branch’s mandatory, inescapable updates and upgrades for up to four months (called the “Current Branch for Business”), but after that, it’s BOHICA time. And Home licensees can now defer installing them until, what? The end of the business day?

      The problem with the rolling distro model is that adding, changing, and removing features and code can break applications that depend on those features and that code, and with a rolling distro, the schedule on which this happens is short and unpredictable. Application developers need to continually test their applications on OS update/upgrade release candidates, and the smaller the developer and smaller the app’s market, the less likely this is to happen, consistently or at all. Some will just wait until their app breaks, and if you’re lucky, fix the breakage reasonably quickly. It’s a particularly big problem for custom applications. And that’s where the Windows 10 Enterprise Long-Term Servicing Branch (LTSB) comes in.

      Basically, Windows 10 Enterprise LTSB uses Windows’ old, static, “point-release” model. It comes with a support lifecycle of 10 years. During that time, it receives no feature changes, only security and quality updates, and administrators can pick and choose which ones to apply. Microsoft will issue a new major release with new features every three years or so — kind of like with 2000, XP, Vista, 7, and 8/8.1 — which LTSB licensees don’t have to upgrade to if they don’t want to — kind of like with 2000, XP, Vista, 7, and 8.1. It’s the good old days, offering a stable, compatible, controllable, predictable base to work on. And to the best of my knowledge, you can’t have it.

      Based on what I’ve read, you have to buy a Windows 10 Enterprise license to qualify for LTSB, and that means buying Windows for a minimum of 500 seats. I have no idea what a one-time Windows 10 Enterprise license purchase might cost, but last I read, Microsoft was proposing a subscription model at $7 per month per seat, or a minimum of $42,000 per year.

      For what it’s worth, Linux offers bleeding-edge/leading-edge rolling distros (which are akin to Windows 10 Current Branch but without the forced updates/upgrades), more conservative rolling distros (which are akin to Windows 10 Current Branch for Business but without the forced-albeit-deferred updates/upgrades), and static, point-release distros (which are akin to Windows 10 LTSB). Canonical’s Long-Term Support releases (Ubuntu LTS, Kubuntu LTS, etc.) are guaranteed update support for five years; I believe other major distros’ LTS releases have shorter support periods, usually two or three years, but I could be wrong here. So, Windows LTSB is the winner in terms of support lifecycle. But in Linux you can choose what updates to install and whether to upgrade in all editions, and the OS and most of the apps are free. (Well, they rely on donations, which you can afford with that $42,000 a year you’re saving. ;-) And even if all the fear, uncertainty, and doubt you ever associated with Linux were true, could it really be worse than the recurring Windows 10 snafus we continually read about? Like today’s “broken DHCP” problem?

      I’ve been running Linux Mint 18 and Chapeau Linux in VirtualBox for a little while now. I’m pretty much a Linux noob and I’ve been able to handle the handful of little snags I’ve run into — and most of them were actually due to the fact that I was working in a virtual environment. (For example, after you’ve entered which Windows folders you want to share with the virtual machine in VirtualBox, you also have to join the vboxsf group in Linux for the shared folders to become accessible.) I’ve imported some of my more unusual fonts from Windows. I’ve installed IrfanView (a Windows program) in Wine, just to see if it works. (It does.) I’ve installed Pale Moon for Linux, imported my Pale Moon profile from Windows, and set up Session Manager to use my sessions folder in Windows. It’s now my default browser in both Mint and Chapeau, and it seems to be working fine. I’ve imported my LibreOffice profile from Windows, and LibreOffice seems to be working fine, too.

      At any rate, based on my experience with Linux so far, given a choice between Linux and Windows 10 Current Branch or Current Branch for Business, there’s no contest. I’m not a gamer (although Chapeau is supposed to offer very good gaming support, at least for Linux). I value my privacy. I value stability. I like being in control of my system and how it works. And I don’t want to deal with an unreliable, untrustworthy OS supplier that I constantly have to scrutinize for erratic or underhanded behavior. When I switch, I’ll miss Macrium Reflect and its ability to clone my system drive in background while I continue to work in foreground. (I’ll miss it badly, likely for hours at a time.) I’ll probably have to update my Garmin GPS on a relative’s Windows computer. And I have an iPod that I loaded up once and haven’t managed since. If I ever wanted to, I’d probably have to do that on someone else’s Windows computer as well. But apart from that, I’m just not experiencing or anticipating the awfulness and inadequacy you used to hear so often from the “Linux isn’t ready for the desktop” crowd. I do anticipate a sense of no longer being abused.

      By the way, I’m happy to be corrected regarding Windows 10’s various editions and updating models. The details seem to change from month to month.

    2. Tom Hawack said on December 12, 2016 at 4:37 pm

      Here in France we remember a singer called Serge Gainsbourg who once told to his last conquest “You’re not the first girl in my life but you may very well be the last”. He knew he was ill and wouldn’t make it to be a centenarian, though that young lady may have interpreted it differently, then. In the same way, Windows 10 might be Microsoft’s last OS but not for the reasons we immediately think of.

      Concerning your puzzle, kalmly, it’s up to each of us to consider what it means to stop updating Windows 7/8.1 and I certainly wouldn’t advocate such a choice. If the user is OK with his system, if he has disabled Internet Explorer, if his security environment and state of mind are accurate and solid… then the OS (Win7/8.1) will survive, or even live better and at least will free the user’s mind from a monthly headache. That’s how I see it.

      Oh! we’re not all geeks here, I’m not anyway. We do have some who are really techy, experts even sometimes, and others which spread from the lower-lower classes to the middle ones, so to say. Life!

      1. seeprime said on December 12, 2016 at 11:38 pm

        Microsoft has only stated that Windows 10 will be the last version of Windows. They never stated that they would not rename, or replace it.

  8. Tom Hawack said on December 12, 2016 at 3:42 pm

    Remember the Addams Family TV Show? That’s the idea nowadays with the Microsoft Company…

    They’re creepy and they’re kooky,
    Mysterious and spooky,
    They’re altogether ooky,
    The M-S Company.
    Their house is a museum.
    When people come to see ’em
    They really are a screa-um.
    The M-S Company.

    A chaos. What the company is getting to is in fact re-building what their atrocious, insane new Windows Update has broken down. This is genuine idiocy. Enough for me to have abandoned all Windows Updates since October, except for .Net Framework. Good luck for those who continue to follow this mad ceremony.

  9. Microjunk said on December 12, 2016 at 2:39 pm

    Despite all of the glorious words and super dupa fixes I am still not able to update my Windows 7. Update runs for hours and nothing happens.

    There are so many negative terms I would like to apply to Microsoft but what does it help ? Well, why not, I will spit out some anyways. In my opinion they are nothing else than a typical company which is using pompous words for covering up their true objective which is to abuse their customers in as many ways as possible.

    MS in my opinion is simply not willing to fix the update mess they “accidentally” have created. You would be a fool to believe they can’t do it if they really wanted. Terrible company, terrible business practice, terrible people behind it. In the end they have ruined a good product with their greed and their nearsightedness. Get an app to switch back on your brains, you morons.

    1. d3x said on December 12, 2016 at 5:33 pm

      Here’s what I’m doing on my client’s computers if their scan takes hours and doesn’t finish, I’ve done this a few times and it always worked:
      1. run “services.msc”, stop Windows Update and set it to disabled so it doesn’t accidentally start, leave services window open
      2. go to C:\Windows\SoftwareDistribution and remove everything in there
      3. download
      4. in services, set Windows Update to “automatic (delayed)” and start it
      5. install KB3138612
      6. restart
      7. go to Windows Update settings and change it to automatic, it should start scanning

      hopefully it will finish in 10-20 minutes

      1. Microjunk said on December 12, 2016 at 7:33 pm

        To Yuliya and d3x: Thank you very much for your suggestions. I will fiddle with it on the weekend when I have a little more time and peace.

        I am grateful for all the advice I could pull out from this website. It is just a shame that helpful people outside of Microsoft have to deliver the fixes for the mistakes MS creates. This company and its moronic decision makers should be more than ashamed about the situation they have created. Anyways, thanks to everybody here who steps in and helps to solve MS problems. It’s highly appreciated.

    2. Yuliya said on December 12, 2016 at 2:58 pm

      What worked for me is installing these four updates manually after you install 7SP1:

      [1] Installing and searching for updates is slow and high CPU usage occurs in Windows 7 and Windows Server 2008 R2

      [2] How to update the Windows Update Agent to the latest version

      [3] April 2015 servicing stack update for Windows 7 and Windows Server 2008 R2

      [4] July 2016 update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1

      In this order and restart after each update.
      Updates to avoid: KB2952664 KB3021917 KB3068708 KB3080149 KB3184143 KB971033
      That being up to September 2016. I have no experience with those new rollouts.

  10. franz said on December 12, 2016 at 2:17 pm

    well, we wouldn’t need patches if those lousy ms-programmers hadn’t put these bugs in at first. ;-)

  11. manicmac said on December 12, 2016 at 1:36 pm

    Looks in my crystal ball and sees many more un-patched windows systems, way to go microshaft!!!

  12. Yuliya said on December 12, 2016 at 12:23 pm

    Damn if I understand what Microsoft wants to do.. Assuming I want to bring my PC, last updates installed in September, up to date security-wise, I’d have to install all the rollups – the October one, then November, and the upcoming from December? That kind of defeats the purpose of what they’re trying to do now.. I thought they want to integrate all updates into a single one so when you install Windows you just get one big update and call it a day.
    Not only that but they’re huge in size, I used to get like 15-20MB worth of updates per month. Now one of those rollups is 80MB. What’s in there??

    1. Martin Brinkmann said on December 12, 2016 at 12:33 pm

      You can install the security quality monthly rollup for that, as it includes previous updates (but security and non-security ones).

      For security, you need to install the rollup updates individually for each month.

      1. A different Martin said on December 16, 2016 at 5:15 pm

        @ Yuliya:

        A couple of days ago, I downloaded and installed WSUS Offline Update for the first time on my Win 7 Pro SP1 x64 system. It threw an error both times I tried to run it. (I think the signature of a file it wanted to download failed to check out.) I’d be curious to know whether it’s working for anyone else.

        Even in Internet Explorer 11, the Windows Update Catalog was … kind of hinky. I eventually got it to display a list of Security updates for Windows 7, but I’m going to be holding off on December’s security-only updates until more intrepid users have vetted them. I don’t have to worry about October’s and November’s security-only updates because Windows Update ignored my settings — “download but let me decide whether to install” in October and “notify me but let me decide whether to download and install” in November — and went ahead and installed the “everything” rollups for those months. Maybe Microsoft accidentally changed the meaning of the red-and-white X button in Windows Update from Close/Exit to Install, like they did with one of their “Get Windows 10” pop-ups. Needless to say, I’ve set Windows Update to “don’t check for updates,” and after doing a manual check for updates I manually uncheck any updates I don’t want to be “accidentally” installed before I close the Windows Update window.

        So yeah, it seems like Microsoft is doing everything it can to foist telemetry updates on reluctant users, same as they did everything they could to foist Windows 10 on reluctant upgraders.

      2. Yuliya said on December 12, 2016 at 1:01 pm

        That’s an unnecessarily confusing way of doing things. They really want me to install the telemetry updates. Which is not going to happen. I guess I could get away with WSUS offline.. maybe, I haven’t tried it since the cumulative updates became a thing for 7/8 to see how it deals with them.

  13. d3x said on December 12, 2016 at 11:00 am

    I don’t really get it. Does this mean that now every security-only update would basically become standalone update, not a rollup one? If I accept every monthly security-only update on WSUS on our server machine, and let’s say a year later I do fresh install of Windows on a client machine, it would have to download 15 separate security-only updates?

    1. Martin Brinkmann said on December 12, 2016 at 12:05 pm

      I assumed that this was always the case, at least that is how I remember Microsoft talking about it. Security rollup updates only include the updates of the given month but no updates of previous months.

      1. d3x said on December 12, 2016 at 5:22 pm

        Yikes, I’ve read a few times on those new update changes to 7/8.1 and it never occurred to me that security-only updates are not cumulative. English is not my native language, but I’m fluent enough that I should “see” this. I better check WSUS as I manually approve updates in my company.
