Suggestions for resolving installation errors for .NET Framework security update MS09-061

I have heard from several people over the past week or so who have had problems getting the recently released .NET Framework security update (MS09-061) to install correctly on their system when it is offered to them by Windows Update or Microsoft Update.  This blog post will describe what this type of failure typically looks like and will offer some steps you can use to try to resolve this type of error.

For reference, this .NET Framework security update is listed on the Windows Update download page with several different possible knowledge base numbers, depending on what version of the .NET Framework the update applies to and what operating system you are running.  Here is a list of knowledge base article numbers for this security update:

  • For the .NET Framework 2.0 on operating systems before Windows Vista - KB953300 and KB974417
  • For the .NET Framework 2.0 on Windows Vista and Windows Server 2008 - KB974468, KB974292, KB974467, KB974291, KB974469 and KB974470
  • For the .NET Framework 1.1 - KB953297
  • For the .NET Framework 1.0 - KB953295

Description of the issue

If this .NET Framework security update or any other update fails to install when running it from the Windows Update site, you will normally see Windows Update report back a generic error code of 0x643 or 1603.  This is a catch-all error code that means that setup failed, but it doesn’t provide any more detailed information about why it failed or how to fix the failure.

In most cases, when a .NET Framework update fails to install with a 0x643 or 1603 error code, it means that there is something wrong with the version of the .NET Framework that is installed on the system that the update is supposed to be fixing.  There are a few different ways to go about resolving this error and getting the update to install successfully.

How to solve the issue by uninstalling and re-installing the .NET Framework

The simplest way to solve this type of issue is to use the steps listed at to remove all versions of the .NET Framework from your system, then re-install them in the following order:

  1. .NET Framework 3.5 SP1 (this version of the .NET Framework will also install the .NET Framework 2.0 SP2 and the .NET Framework 3.0 SP2 for you behind the scenes, so you don’t need to re-install 2.0 or 3.0 using separate steps)
  2. .NET Framework 1.1
  3. .NET Framework 1.1 SP1

After this, you should be able to go back to the Windows Update site, scan for updates again and install the latest updates for the .NET Framework 1.1 and 2.0 from there.

Note – after removing all versions of the .NET Framework, you do not necessarily have to re-install the .NET Framework 1.0 or 1.1 if you do not have any applications that are using them.  Most .NET applications will automatically use the latest version of the .NET Framework that is installed on your system, and those that do not will give an error message indicating that you need to install a different version.  There is more information about this scenario in this blog post if you are interested in reading further.

How to solve the issue by finding more information about the root cause

The above steps involve uninstalling, re-downloading and re-installing all of the versions of the .NET Framework on your system, which can be a bit time consuming.  Instead, if you prefer, you can try to narrow down the root cause of the .NET Framework security update installation error further and try to solve this issue without performing all of the .NET Framework uninstalls and re-installs listed above.

There are a couple of things I usually do to try to narrow down the root cause of this type of .NET Framework security update installation failure further:

  1. Try to download and install the update yourself instead of letting Windows Update install it for you.

    Windows Update always runs the installers for updates in silent mode, which can hide some useful error messages if the updates fail.  You can find the links to download this .NET Framework security update by going to the page for the security bulletin, scrolling down to the Affected Software table, and locating the link in the Component column of the table that corresponds to the version of the .NET Framework you need to update and the operating system you are running.

  2. Look at the setup log files created by the security update.

    This .NET Framework security update should create log files in a sub-directory under your %temp% directory.  The sub-directory will have the knowledge base article number in the name.  For example, the .NET Framework 1.1 security update (KB953297) will create logs in a folder named %temp%\NDP1.1sp1-KB953297-X86.