
0 Votes
LugieLuge-7830 asked LugieLuge-7830 commented

Do I only need the latest .NET Security Roll-Up following .NET framework installation?

Hi,

I’m currently in the process of upgrading some Win7 machines from .NET 4.5.2 to .NET 4.7.2 and I’m looking into what .NET security updates will be required following the installation.

The https://devblogs.microsoft.com/dotnet/net-framework-monthly-rollups-explained/ blog states

“The Security and Quality Rollup will contain all of the past updates for .NET Framework 4.5.x and 4.6.x.”

and

“Security and Quality Rollups and Security-only Updates contain the same security fixes. If you install the Security and Quality Rollup for a given month, there is no need to install the Security only Update.”

The blog is a few years old so I’d like to confirm that these statements also apply to 4.7.2?

In which case, would I only need to install the latest 4.7.2 rollup to be fully up-to-date as far as .NET security updates go? Similarly, if I had to roll back the framework to 4.5.2, would I just need the latest 4.5.2 roll-up?

Currently we deploy packages containing multiple security only updates and roll ups but reading the blog has me thinking that the latest roll-up alone should be sufficient.

Thanks

Ps. Apologies if I used the wrong tag, I struggled to find obvious ones for this post.

dotnet-runtime, windows-7

Yes, the statements in https://devblogs.microsoft.com/dotnet/net-framework-monthly-rollups-explained/ are still true. If you install the Security and Quality Rollup for a given month, there is no need to install the Security Only Update.

After you upgrade to .NET Framework 4.7.2 and then install the latest 4.7.2 rollup, you will be fully up-to-date as far as security updates go. If you have to roll back to .NET Framework 4.5.2, then you would need to install the latest rollup for .NET Framework 4.5.2.

1 Vote 1 ·

Thanks very much, Tara.

0 Votes 0 ·
1 Vote
cooldadtx answered LugieLuge-7830 commented

The security updates contain all previous updates unless otherwise specified. You only need to install the latest one but it doesn't hurt to install the older ones either.


Thanks for the reply, @cooldadtx. When you say “unless otherwise specified”, I’ve read the May ‘21 articles for 4.7.2/Win7 (KB5001848) & the parent (KB5001878) and it doesn’t mention any omissions. Is it safe to assume that omitted updates would be detailed in the rollup KB article?

I’ve also been looking at the Microsoft update catalog & what is slightly confusing is that the entry for the May ‘21 rollup (KB5001878) states that it replaces Oct ‘20 (KB4579977) & Jan ‘21 (KB4598500) but it does not mention the Feb ‘21 (KB4603002). Initially I wondered if that meant both Feb & May updates need to be installed, which contradicts only needing the latest rollup. However, having read the articles, I’m now wondering if Feb is not listed there because the May rollup doesn’t include any additional security updates whereas it does when compared with the Oct & Jan updates (i.e. the May update will include the CVE-2021-24111 update that was first introduced in Feb). Is my understanding correct?

0 Votes 0 ·
0 Votes
TeemoTang-MSFT answered LugieLuge-7830 commented

Yes, we usually only need to install the latest update. The newer updates will include all contents of previous updates.
However, 2021-02 Security and Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 7 for x64 (KB4600945) is not a general security update; this KB is a security vulnerability patch for a specific situation. I agree with your idea: install both the Feb & May updates.


Thanks for the reply, @TeemoTang-MSFT.

Do you mean that the May rollup doesn’t include the vulnerability update for CVE-2021-24111 that was in the Feb rollup?

If so, and it’s the case that the latest rollup usually, but not always, contains all previously released security updates required, how do you determine which, if any, additional updates need installing, given it’s not detailed in the KB article (based on the May article not stating that it doesn’t cover CVE-2021-24111, if that is the case)?

0 Votes 0 ·

No, I didn't say the May rollup doesn't include the vulnerability update for CVE-2021-24111; you know we can't know the specific content of a monthly rollup. I just suggest installing this KB separately to ensure your computer has vulnerability protection, because I don't see KB4600945 appear in the list here: https://support.microsoft.com/en-us/topic/february-9-2021-kb4601347-monthly-rollup-c0ae9599-f93d-68ee-7542-0aa3564f3190

0 Votes 0 ·

Thanks for clarifying, @TeemoTang-MSFT.

When you say ‘we can't know the specific content of a monthly rollup’ it suggests to me that I cannot be absolutely sure that the latest .NET rollup includes all previous .NET security updates as the Microsoft blog I linked to states, do you agree?

If I cannot be sure that the latest rollup is all I require, how can I find out which updates the latest rollup doesn’t include? For example, if I need KB4600945 as well as the May rollup, how would I know this without asking here?

The link in your last post looks to be a Windows update rollup, not a .NET rollup; is that correct? KB4600945 does appear in the Feb .NET rollup article:

https://support.microsoft.com/en-us/topic/security-and-quality-rollup-for-net-framework-3-5-1-4-5-2-4-6-4-6-1-4-6-2-4-7-4-7-1-4-7-2-4-8-for-windows-7-sp1-and-windows-server-2008-r2-sp1-kb4603002-30a6fdf1-50da-dffe-16a7-44ae9afcbd54

0 Votes 0 ·

Just giving my last post a bump :)

0 Votes 0 ·
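
One way to check a machine directly after the upgrade, rather than inferring coverage from KB articles (an added example, not part of the thread or from Microsoft): confirm the installed .NET Framework 4.x release from the registry, then ask the Windows Update Agent which .NET Framework updates it still reports as applicable. It assumes the machine can reach its configured update source (WSUS or Microsoft Update); the title filter and output columns are choices made for this example.

```powershell
# Added example. Works on Windows PowerShell 2.0 and later; run elevated.

# 1. Installed .NET Framework 4.x release. A Release value of 461808 or
#    higher means .NET Framework 4.7.2 or later is installed.
$ndp   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$is472 = $ndp.Release -ge 461808
'Release key: {0} (4.7.2 or later: {1})' -f $ndp.Release, $is472

# 2. Ask the Windows Update Agent for software updates that are applicable
#    to this machine but not installed. The agent evaluates applicability
#    against what is actually on disk, so no KB list has to be maintained here.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")

# 3. Keep only .NET Framework updates (filter on the title; an assumption
#    of this example, adjust if your update source names them differently).
$missing = @($result.Updates | Where-Object { $_.Title -match '\.NET Framework' })

if ($missing.Count -eq 0) {
    'No applicable .NET Framework updates reported by the update agent.'
} else {
    $missing | ForEach-Object {
        $u = $_
        New-Object PSObject -Property @{
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity
            Title    = $u.Title
        }
    } | Format-Table KB, Severity, Title -AutoSize
}
```

An empty result only reflects what the configured update source offers, so a WSUS server that has not approved or synchronised the relevant rollups will also report nothing missing.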