Windows 7’s security rollups, the most comprehensive of the fixes it pushes out each Patch Tuesday, have almost doubled in size since Microsoft revamped the veteran operating system’s update regimen last year.
According to Microsoft’s own data, what it calls the “Security Quality Monthly Rollup” ( rollup from here on) grew by more than 70% within the first dozen issued updates. From its October 2016 inception, the x86 version of the update increased from 72MB to 124.4MB, a 73% jump. Meanwhile, the always-larger 64-bit version went from an initial 119.4MB to 203.2MB 12 updates later, representing a 70% increase.
The swelling security updates were not, in themselves, a surprise. Last year, when Microsoft announced huge changes to how it serviced Windows 7 , it admitted that rollups would put on pounds as the months pass. “The Rollups will start out small, but we expect that these will grow over time,’ Nathan Mercer, a Microsoft product marketing manager, said at the time . Mercer’s explanation: “A Monthly Rollup in October will include all updates for October, while November will include October and November updates, and so on.”
Two months later, when he was asked about the growth issue, Mercer again conceded that the rollups could get big. “Eventually Monthly Rollup will grow to around the 500MB size,” Mercer said in mid-October 2016.
It looks like Mercer’s forecast might have been on the light side.
At the 12-update pace that Windows 7’s rollups have established, the 64-bit version will weigh in at approximately 350MB by October 2018, and a year after that, as Windows 7 nears its expiration date, almost 600MB. The latter would represent a 20% boost above and beyond Mercer’s target size. Likewise, the x86 edition would increase to 216MB and 374MB in 2018 and 2019, respectively, if the 12-update growth rate continues.
“The size of these is definitely a concern,” said Chris Goettl, product manager with client security and management vendor Ivanti. “When the rollups grow to 300MB to 500MB, some companies don’t have the downtime [to download and install updates that large], especially those with a global reach or to remote areas across slow connections.”
Imagine a 500MB update hitting the systems in a retail shop, Goettl said. “That would be a pretty significant use of the available bandwidth when the store [and its devices] are running 24/7.”
Enterprises get to pick the update poison
Microsoft issues two kinds of security updates for Windows 7 on the second Tuesday of each month: a rollup and what the company has dubbed “Security Only Quality Update” ( security-only from here). The latter includes the month’s security-related patches and nothing else.
Because they contain only that month’s patches, they’re much smaller than the same month’s corresponding rollup. The 64-bit security-only for July was just 30MB and the 32-bit was an even smaller 19MB, compared to the same month’s rollups of 194MB and 119MB. The differences in December were even starker: 900KB and 1.4MB for the 32- and 64-bit security only updates, respectively, and 125.1MB and 204.7MB for the rollups.
The rollups are larger not only because they drag their past with them – each succeeding rollup includes that month’s patches as well as all previous patches back to October 2016 – but because they also include non-security bug fixes. Usually, though not always, issued later in each month, the non-security updates are bundled with the security patches, adding to the size of the rollup.
But only some Windows 7 machines are eligible for the smaller security-only updates: Those serviced by WSUS (Windows Server Update Services), or tools, whether third-party or Microsoft’s own System Center Configuration Manager (SCCM), that rely on WSUS for content. All other Windows 7 devices, including ones run by consumers and small companies, that connect via Windows Update or Windows Update for Business, are handed rollups. They do not get a choice.
On average, the security-only updates issued for Windows 7 in 2017 were one-sixth the size of the same month’s rollup. Only 1 of the 11 64-bit security-only updates was larger than 40MB, for example, and only 2 of the 32-bit versions broke the 20MB mark.
According to Goettl, the security-only updates have been about the same size they would have been if composed of a similar number of separate patches, like those Microsoft distributed before making the radical move to dump decades of practice last fall.
But size was not the only reason, or perhaps even the main reason, why security-only updates were a blessing for enterprises. “Security-only provides some flexibility,” Goettl said, talking about the ability to postpone an update.
Because the rollups are cumulative – in that they include all past patches, as well as the latest – it’s not possible to deploy them without installing every fix since at least October 2016. If a patch breaks something, say a business-critical application or workflow, all rollups subsequent to that must be put on hold.
But by adopting the security-only updates, an IT staff can at least roll out, for instance, December’s version even if it has had to hold off on November’s because of a rogue patch. That practice is similar to, although on a more macro level, the way individual patches were deployed or blocked, depending on whether they interfered with operations. (The latter was what Microsoft banned by moving last year to this all-inclusive approach, where all of a month’s patches are poured into one bucket and so are inseparable.)
Goettl saw security-only updates as a sop to enterprises, a bone Microsoft threw to its most important customers when it laid down the new laws in 2016. “One thing that softened the blow [of the cumulative update announcement] was that they offered the security-only bundle,” Goettl said. “In Windows 10, you don’t have that option.”
Like a lot of patch experts, Goettl has urged those eligible for security-only to stick with the smaller updates. “It really seems that a lot of the breakage problems come at the end of the month when the non-security fixes come out,” he added, talking of the patches that are included with the following month’s rollup. “Things break there. This month, for example, there were a lot of non-security fixes [in the rollup]. That’s why we recommend security-only for client PCs, especially [on systems with] sensitive software.”
Cutting updates down to size
Not every Windows 7 machine has to pay full price for the increasingly large rollups. Some get a discount.
Enterprises that deploy updates through WSUS can apply the optional “express installation files” feature, which limits the bandwidth consumed on the local network, in turn reducing update-related traffic within the perimeter.
That’s done by identifying those bytes that change between two versions of the same file, then generating an update containing just those differences. (This technique is typically called a “delta” update, and is used by most software developers to distribute updates.)
However, there’s a tradeoff, which Microsoft spells out in this support document : After enabling the feature, the size of the downloads from Microsoft’s servers to the local WSUS server(s) increases substantially. According to Microsoft, express installation files may treble the number of bits downloaded to the WSUS server(s).
“When you distribute updates by using this method, it requires an initial investment in bandwidth,” Microsoft stated. “Express installation files are larger than the updates they are meant to distribute. This is because the express installation file must contain all the possible variations of each file it is meant to update.
“However, this cost is mitigated by the reduced amount of bandwidth required to update client computers on the corporate network,” the document continued.
In an example Microsoft highlighted, a 100MB update resulted in 300MB downloaded to the WSUS server, but the actual amount transmitted over the local network to each client might be as little as 30MB when express installation files is turned on. With it off, the initial download to the WSUS server would be 100MB, the size of the update, but then that same 100MB would have to be delivered to client PC across the local network.
Other caveats apply to express installation files in Windows 7, but perhaps the most important is that it is not the same as the same-named feature within Windows 10.
While the express feature has arguably received more attention in Windows 10 – Microsoft has publicized the new operating system’s feature several times – it’s not identical to what’s in Windows 7.
For one thing, Windows 10’s express can distribute both updates and the twice-annual feature upgrades, which tip the scales at several gigabytes. More importantly, the differential update technology works with WSUS (as does Windows 7’s), and with Windows Update and Windows Update for Business.