Windows Confidential: The service pack shuffle
How can you be certain you’re receiving all the right patches and updates with a new service pack? Rest assured—they’re in there.
Have you ever wondered what happens to your patches and updates when you upgrade to a service pack? Don’t worry—they’re all in there. Each Windows service pack incorporates all updates available at the time the service pack is released. But what about security patches released after the service pack?
Suppose you’ve deployed the original version of Windows 7 and you’ve been holding off on deploying Windows 7 SP1 until you’ve finished evaluating it against your company’s line-of-business applications. Meanwhile, Microsoft releases a patch to address security vulnerabilities in both the original version of Windows 7 and the first service pack. You deploy this patch to all of your computers. You later determine Windows 7 SP1 won’t adversely affect your company’s workflow. Will deploying the service pack to all of your systems accidentally reintroduce the security vulnerability?
Fortunately, the answer is “no.” Security patches released when multiple versions of Windows are being supported are distributed in a mechanism known as a “dual-mode update package.” You can read more about this distribution method in Knowledge Base article 328848.
Suppose both the original release of Windows 7 and Windows 7 SP1 are supported. A patch for Windows 7 will actually consist of two patches: one for the original version of Windows 7 and another for Windows 7 SP1. The patch appropriate to the currently installed version of Windows 7 is applied to the system. If the system is running the original version of Windows 7, though, there’s an additional step. The Windows 7 SP1 version of the patch is saved for a rainy day.
When you install Windows 7 SP1, the service pack installer checks for any saved Windows 7 SP1 patches. If there are any, it applies them as part of the upgrade. As a result, once you install a security patch, it’s always going to be there, even if you upgrade to the next service pack.
You might wonder why there isn’t a problem with upgrading to a hypothetical Windows 7 SP2. Because the original patch didn’t include a version for second service pack, the Windows 7 SP2 installer won’t find a saved patch to apply as part of the upgrade.
That’s OK, because all service packs incorporate all updates released at the time the service packs are made. Consequently, the problem the update package would need to fix is already fixed in Windows 7 SP2 by virtue of the fact that the second service pack came out after the update package. The dual-mode update package technique is only needed for patches that come out after a service pack.
There’s another type of update known as the rollup. This is an update that merely combines a bunch of other updates into a single package for convenience. You can think of it as a mini-service pack. At the opposite extreme, you can think of Windows 8 as a mega-service pack for Windows 7: Besides all the new features in Windows 8, it also includes all the updates from Windows 7.
This complexity highlights a common mistake when writing code that attempts to detect whether or not a particular update has been applied. Some people try to enumerate all installed updates, but this technique won’t find the update once the user has installed a rollup or upgraded to Windows 7 SP2 or Windows 8. As a result, the code believes the machine doesn’t have the update, even though it does. It’s just that the update no longer exists as an independent entity.
Even in the event that the system is running Windows 7 SP1 and hasn’t installed any rollup packages, a search for the update might generate a false positive. For example, consider an update that installs version 1.3 of a DLL. A rogue installer later overwrites the DLL with version 1.2. The update was installed, but also invalidated by what happened later.
The correct question to ask is therefore not, “What updates are installed?” but rather, “What updates need to be installed?” You can use the Windows Update Agent for that.
The Windows Update Agent is extensively documented on msdn.com. The sample script for Searching, Downloading and Installing Updates shows how to find all available updates that have not yet been applied. Then it downloads and installs them. If you’re interested in one particular update, you can use the technique demonstrated in the Searching, Downloading and Installing Specific Updates script.
The world of Windows servicing is actually much more complicated than the straight-line service pack sequence described here. There’s the service pack sequence, the Quick Fix Engineering (or QFE) sequence and the General Distribution Release (or GDR) sequence, each of which addresses a different release requirement. As a result, multimode packages can exist with many variations. There might be one to cover each of the release sequences, but that’s a story for another time.
Raymond Chen's *Web site, The Old New Thing, and identically titled book (Addison-Wesley, 2007) deal with Windows history, Win32 programming and negative anniversaries.
Thanks to Mark Phaedrus for his inadvertent technical assistance in writing this article.*