Beware of Windows Server and System Center Update Rollups

Tomorrow is the first Patch Tuesday of the quarter, and going on history, this is when we tend to see Update Rollups for Windows Server and/or System Center released via Windows Update. While this type of release confuses people (normally QFEs/hotfixes must be manually downloaded and security fixes/service packs come via Windows Update – yes, I know update rollup is a Windows Update category), this is not what I want to discuss.

I don’t know for certain that there will be any update rollups this month. But if I were a betting man, and if there are any, then I’d put money down on there being issues with any hypothetical update rollup. History has taught us that update rollups are dangerous. Case in point, July:

  • Windows Server 2012: One of the most common clustered Hyper-V host networking configurations was broken by a contained fix: Live Migration caused a bugcheck.  You can imagine how painful that was to fix.
  • System Center Data Protection Manager 2012 SP1: Agents could not be updated.
  • System Center Data Protection Operations Manager 2012 SP1: An incompatibility with KB2775511 (Windows 7 and W2008 R2) caused agents to fail their heartbeat and grey out.
  • Exchange: Ask any Exchange MVP what the history of URs has been like for that product.

My advice: let the uninformed out there test any update rollup for you.  Do not automatically approve update rollups.  Do not push them out.  Go reconfigure your auto-approval rules now.  Watch the TechNet forums, Twitter feeds, and the usual blogs.  And then after a month, you can deploy the release if it’s clean … or wait for V2 or V3 of the update with the required fix.
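
One way to check the auto-approval rules on a standalone WSUS server, as an added example that is not part of the original post. It assumes the UpdateServices PowerShell module on the WSUS server and the English classification title "Update Rollups"; the `-Remove` switch and variable names are this example's own.

```powershell
# Added example, not from the original post. Run on the WSUS server.
# Read-only unless -Remove is given.
param([switch]$Remove)

$rollupTitle = 'Update Rollups'   # assumption: English classification title
$wsus = Get-WsusServer            # local WSUS server (UpdateServices module)

foreach ($rule in $wsus.GetInstallApprovalRules()) {
    $classes   = @($rule.GetUpdateClassifications())
    $hasRollup = [bool]($classes | Where-Object { $_.Title -eq $rollupTitle })
    # A rule with no classification filter matches every classification,
    # so it auto-approves update rollups too. It is reported, not modified.
    $unfiltered = ($classes.Count -eq 0)

    # Report every rule so disabled ones are visible as well.
    [pscustomobject]@{
        Rule            = $rule.Name
        Enabled         = $rule.Enabled
        ApprovesRollups = ($hasRollup -or $unfiltered)
        Classifications = if ($unfiltered) { '(all)' } else { $classes.Title -join ', ' }
    }

    if (-not $Remove -or -not $hasRollup) { continue }

    # Rebuild the classification filter without Update Rollups.
    $kept = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
    $classes | Where-Object { $_.Title -ne $rollupTitle } |
        ForEach-Object { [void]$kept.Add($_) }

    if ($kept.Count -eq 0) {
        # Saving an empty filter would widen the rule to all classifications,
        # so disable the rule instead.
        $rule.Enabled = $false
    } else {
        $rule.SetUpdateClassifications($kept)
    }
    $rule.Save()
}
```

Run it without `-Remove` first and review the `ApprovesRollups` column before letting it change anything.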

If you’re using System Center Configuration Manager, then configure your auto-approval rules to delay deployment for 30-45 days.  That gives you automation and caution.


An update rollup actually was released for Windows 8, Windows Server 2012, and Windows RT.  Another one was released for Windows Server 2012 Essentials.  My advice stands: let some other mug test it for you, wait, and watch.  Give it a month, and then deploy if all is well.