WSUS: So why do updates offered on Windows Update differ from those WSUS reports as needed?

Joe Tindale, one of our top gun WSUS Support Escalation Engineers, recently wrote up a good explanation of why the updates offered by Windows Update or Microsoft Update may differ from the number reported by WSUS as being 'Needed'. If you've ever seen this and wondered why, take a look below:


Issue: You may see a difference between the number of updates offered via Microsoft Update and the number of updates reported by WSUS as needed.

Example: We took a machine, scanned it against Microsoft Update (MU), and then created a report within WSUS listing all the "needed" updates for it. WSUS reported 31 updates as "needed" but MU offered fewer. Here are some examples of where they differed:

907417 <------ this shows up because it was a duplicate on the server (two different versions of the same update); MU offers only one
890830 <------ this update is superseded by a later version (MU only offers the latest)
890830 <------ this update is superseded by a later version (MU only offers the latest)
890830 <------ this update is superseded by a later version (MU only offers the latest)

So to summarize, WSUS is going to label all updates within a supersedence chain (i.e., MSRT v1, MSRT v2, MSRT v3) as needed, whereas MU will only offer the latest update within that chain (i.e., MSRT v3). Also, when scanning against MU, if you use the "express" scan you will only be offered "high-priority updates", whereas if you use the "custom" scan you can view both "high-priority updates" and "optional updates".

WSUS reports on updates within both of the MU categories. High-priority updates are security fixes and critical bug fixes, while optional updates are tools, drivers, add-ins and other non-security, non-critical fixes. Another variable could be the fact that a WSUS server may have duplicate updates. In the above example, we had two KB907417 updates on the server. Even though they have the same KB article number, they had different update IDs, so they are treated as two totally different updates. You can get into this state by syncing from various sources, such as syncing with MU and then with an upstream server, etc.

To verify this in your environment, perform a "custom" scan against MU and copy and paste the list of updates offered (high-priority and optional). Then create a report in WSUS for this client with all the updates labeled as "needed", and use the export option within that report to export it to Excel. Now you can research the differences and add notes to the Excel spreadsheet explaining why each difference exists.
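The three causes described above (supersedence chains, express-versus-custom scan categories, and duplicate UpdateIDs sharing one KB number) can be checked mechanically once the WSUS "needed" list is in hand. The script below is an added example, not part of Joe's write-up or any WSUS tooling: it models a WSUS "needed" report as a list of update records and annotates each one with the reason MU would or would not offer it. The sample records, the UpdateID strings, the KB123456 entry, and the set of classifications treated as "high-priority" are all constructed assumptions for the example; in practice you would load the rows from the Excel/CSV export instead.

```python
from dataclasses import dataclass, field

# Classifications that the MU "express" scan treats as high-priority.
# Assumed mapping for this example; adjust to the classification names in your WSUS console.
HIGH_PRIORITY = {"Security Updates", "Critical Updates", "Update Rollups"}


@dataclass
class Update:
    """One WSUS update revision as it would appear in a 'needed' report."""
    update_id: str            # WSUS UpdateID (a GUID in real data); this is the real identity
    kb: str                   # KB article number; several UpdateIDs may share one KB
    title: str
    classification: str       # WSUS classification name
    supersedes: list = field(default_factory=list)   # UpdateIDs this revision replaces


def superseded_by(updates):
    """Map each UpdateID to the UpdateID that directly supersedes it, if any."""
    newer = {}
    for u in updates:
        for old in u.supersedes:
            newer[old] = u.update_id
    return newer


def reconcile(needed, scan="custom"):
    """Annotate every WSUS-'needed' update with why MU would or would not offer it.

    scan is "custom" (high-priority + optional) or "express" (high-priority only).
    Returns a dict of update_id -> "offered" or a reason string.
    """
    newer = superseded_by(needed)
    first_seen_kb = {}    # KB number -> first non-superseded UpdateID carrying it
    verdict = {}
    for u in needed:
        if u.update_id in newer:
            # Older link in a supersedence chain: WSUS counts it, MU offers only the newest.
            verdict[u.update_id] = (f"superseded by {newer[u.update_id]}; "
                                    "MU offers only the latest in the chain")
        elif scan == "express" and u.classification not in HIGH_PRIORITY:
            verdict[u.update_id] = (f"optional ({u.classification}); "
                                    "express scan shows high-priority updates only")
        elif u.kb in first_seen_kb:
            # Same KB number under a different UpdateID (e.g. synced from MU and an upstream
            # server). WSUS treats both as distinct; MU offers one. We keep the first seen.
            verdict[u.update_id] = (f"duplicate of KB{u.kb} "
                                    f"(UpdateID {first_seen_kb[u.kb]}); MU offers one")
        else:
            first_seen_kb[u.kb] = u.update_id
            verdict[u.update_id] = "offered"
    return verdict


def offered_count(needed, scan="custom"):
    """Number of WSUS-'needed' updates MU would actually offer for the given scan type."""
    return sum(1 for v in reconcile(needed, scan).values() if v == "offered")


# Constructed sample mirroring the post: a three-link MSRT chain (KB890830), two copies of
# KB907417 with different UpdateIDs, and one optional tool. UpdateIDs are placeholders.
SAMPLE_NEEDED = [
    Update("a1", "890830", "MSRT v1", "Critical Updates"),
    Update("a2", "890830", "MSRT v2", "Critical Updates", supersedes=["a1"]),
    Update("a3", "890830", "MSRT v3", "Critical Updates", supersedes=["a2"]),
    Update("b1", "907417", "KB907417 (copy synced from MU)", "Update Rollups"),
    Update("b2", "907417", "KB907417 (copy synced from upstream)", "Update Rollups"),
    Update("c1", "123456", "Example optional tool (constructed)", "Tools"),
]

if __name__ == "__main__":
    for scan in ("custom", "express"):
        print(f"--- {scan} scan: WSUS needed={len(SAMPLE_NEEDED)}, "
              f"MU offers={offered_count(SAMPLE_NEEDED, scan)}")
        for u in SAMPLE_NEEDED:
            print(f"KB{u.kb:<7} {u.update_id:<3} {reconcile(SAMPLE_NEEDED, scan)[u.update_id]}")
```

Running it prints a per-update verdict for both scan types; with the sample data WSUS reports six updates as needed while MU offers three on a custom scan and two on an express scan, which is exactly the kind of gap the post describes. The duplicate-KB rule keeps whichever UpdateID appears first in the report; which copy MU actually offers depends on the server metadata, so treat that choice as an assumption of the example.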

The bottom line is that while you may see a different number of updates depending on how you scan, each count is technically correct in its own way, and each should ensure you get the updates you need.


Thanks Joe!

J.C. Hornbeck | Manageability Knowledge Engineer