Understanding Microsoft Patch Types

An inside look at types of Microsoft security

How do I know when I need to reapply a security roll-up patch (SRP)? For example, applying IE6 SRP1, do I then need to reapply Win2K Service Pack 2? When applying hotfixes, do I need to reinstall them after more recent SPs?

Microsoft provides system updates in several ways, which is both a good and a bad thing. Before explaining what I mean, let me first outline the differences between the various terms Microsoft uses for updates.

  1. QFE patch. “QFE” stands for “quick-fix engineering.” This is the group of developers within Microsoft whose job it is to fix a specific problem. These aren’t enhancements to an application, but necessary fixes because an app doesn’t work properly. “Down and dirty” is the best way to describe QFE patches, since they don’t go through elaborate regression testing.
  2. Hotfix. Hotfixes usually start as QFE patches, but they undergo more testing and are packaged with an installer. Hotfixes can be applied by anyone who has the affected software; however, not everyone needs to apply every hotfix. Each hotfix is published together with a Knowledge Base article that describes the circumstances and requirements for the hotfix. Like QFE patches, hotfixes are not fully regression tested — or, for that matter, fully supported by Microsoft. If you install the patch and it causes a problem, your only solution may be to remove it.
  3. Security Update/Security Bulletin patch. Microsoft considers these patches to be more important than hotfixes. They are fully regression tested, and unlike QFE patches or hotfixes, they are fully supported on the platforms to which they’re targeted. Today, Microsoft provides an assessment of the risk associated with each patch to help you determine how quickly you should apply it.
  4. Cumulative patch. A cumulative patch is a group of hotfixes that pertain to a specific platform or product and may or may not be security related. A cumulative patch is intended to be applied to a specific product at a specific service pack level (see #6), and it incorporates all hotfixes released since the previous service pack. Cumulative patches are regression tested, but they’re typically not extensively tested outside of Microsoft. Depending on which hotfixes have been released, Microsoft distributes cumulative patches about every six weeks.
  5. Security roll-up patch (SRP). An SRP incorporates all of the Security Update/Bulletin patches released for a given platform or product over a period of time. Like a cumulative patch, an SRP targets systems at a specific service pack level, and it incorporates most security-related patches up to a point in time. With SRPs, it’s important to note a few things:
     • SRPs are beta-tested by Microsoft customers. As such, there is a cutoff date for incorporating new patches into the SRP, so it’s possible that on the day the SRP is released, additional Security Update/Bulletin patches already exist.
     • SRPs don’t include nonsecurity patches. You may have to apply additional hotfixes or cumulative patches. The installation order isn’t a factor; Microsoft assures us it won’t overwrite newer files with older ones.
     • Not all Security Update/Bulletins include patches. Some require you to manually modify your system — say, to alter permissions or delete a file. So although the SRP includes all patches to a given date, you may still have to read through and act upon the Security Bulletins listed as not being included in the SRP.
  6. Service pack. A service pack is the ultimate delivery vehicle for all patches. Like SRPs, service packs have a fixed cutoff date, which may mean you have to apply a Security Update/Bulletin patch after installing a new service pack. Service packs receive the most extensive testing of all patches, often undergoing months of beta testing. Unfortunately, the longer the testing on a particular SP, the more patches that won’t be included in it.

So, with all this in mind, on to the question…

With Windows 2000 and XP, it’s no longer necessary to reapply, say, an OS service pack after applying an IE service pack. Microsoft is still working out how to tell you which patches a given system needs. In the meantime, use Microsoft’s free tool, HfNetChk, to determine the best patches to apply to a given system.

As a rule of thumb, apply OS patches first. Then, for applications, do the following in order:

  1. Apply the latest service packs.
  2. Apply the latest SRPs in any order.
  3. Apply the latest cumulative patches.
  4. Review Security Update/Bulletin patches that apply after the above.
  5. Avoid hotfixes and QFE patches unless Microsoft recommends them to you.
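The two rules above that are easiest to get wrong in practice are the cutoff rule (an SRP or service pack only carries bulletin patches released before its cutoff, and never carries a bulletin that only calls for manual changes) and the rule-of-thumb install order. The following Python script is an added example, not code from the original column or from Microsoft: it models both rules over an inventory of applied roll-ups and individually installed KBs, and reports which bulletins still need a patch, which still need manual action, and in what order a pending set of updates should go on. Every bulletin id, KB number, product name and date in it is a constructed placeholder.

```python
"""Added example (not from the original column): a small model of the SRP and
service-pack cutoff rule and of the rule-of-thumb install order.

All bulletin ids, KB numbers, product names and dates below are constructed
placeholders, not real Microsoft identifiers.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple

# Rule of thumb from the column: OS before applications, then
# service pack -> SRP -> cumulative patch -> individual bulletin patch.
KIND_RANK = {"service_pack": 0, "srp": 1, "cumulative": 2, "bulletin": 3}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str        # constructed placeholder id
    product: str            # "os" or an application name
    released: date
    kb: Optional[str]       # KB number of the patch; None = manual steps only


@dataclass(frozen=True)
class Rollup:
    """An SRP or a service pack that has already been applied."""
    name: str
    product: str
    kind: str               # "service_pack" or "srp"
    cutoff: date            # bulletins released after this date are not in it
    not_included: FrozenSet[str] = frozenset()  # ids the release notes exclude


def covered_by(bulletin: Bulletin, rollup: Rollup) -> bool:
    """True if the rollup's cutoff rule means it carries this bulletin's patch."""
    return (
        bulletin.kb is not None
        and bulletin.product == rollup.product
        and bulletin.released <= rollup.cutoff
        and bulletin.bulletin_id not in rollup.not_included
    )


def outstanding(
    bulletins: Iterable[Bulletin],
    applied: Iterable[Rollup],
    installed_kbs: Set[str],
) -> Tuple[List[Bulletin], List[Bulletin]]:
    """Return (patches still to install, bulletins that need manual action).

    A bulletin with a patch is satisfied if its KB is installed directly or if
    any applied rollup covers it. Manual-only bulletins are never satisfied by
    a rollup, so they are always returned for review.
    """
    applied = list(applied)
    to_install, manual = [], []
    for b in bulletins:
        if b.kb is None:
            manual.append(b)
        elif b.kb not in installed_kbs and not any(covered_by(b, r) for r in applied):
            to_install.append(b)
    return to_install, manual


def install_order(items: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Order (product, kind, name) triples: OS first, then by KIND_RANK."""
    ranked = sorted(items, key=lambda i: (0 if i[0] == "os" else 1, KIND_RANK[i[1]], i[2]))
    return [name for _, _, name in ranked]


# Constructed sample: an OS at SP2 with SRP1 applied, plus one browser bulletin.
OS_SP2 = Rollup("OS SP2", "os", "service_pack", date(2001, 5, 1))
OS_SRP1 = Rollup("OS SRP1", "os", "srp", date(2002, 1, 15), frozenset({"MS-OS-03"}))
BULLETINS = [
    Bulletin("MS-OS-01", "os", date(2001, 3, 1), "KB100001"),   # before SP2 cutoff
    Bulletin("MS-OS-02", "os", date(2001, 11, 1), "KB100002"),  # before SRP1 cutoff
    Bulletin("MS-OS-03", "os", date(2001, 12, 1), "KB100003"),  # listed as not in SRP1
    Bulletin("MS-OS-04", "os", date(2002, 2, 1), "KB100004"),   # after SRP1 cutoff
    Bulletin("MS-OS-05", "os", date(2002, 1, 5), None),         # manual permission change
    Bulletin("MS-BR-01", "browser", date(2001, 10, 1), "KB200001"),  # other product
]
INSTALLED_KBS = {"KB100004"}  # KB100004 was applied individually
PENDING = [
    ("browser", "srp", "Browser SRP1"),
    ("os", "bulletin", "KB100003"),
    ("browser", "service_pack", "Browser SP1"),
    ("os", "service_pack", "OS SP2"),
    ("browser", "cumulative", "Browser cumulative"),
]


def demo() -> Tuple[List[str], List[str], List[str]]:
    to_install, manual = outstanding(BULLETINS, [OS_SP2, OS_SRP1], INSTALLED_KBS)
    return (
        [b.bulletin_id for b in to_install],
        [b.bulletin_id for b in manual],
        install_order(PENDING),
    )


if __name__ == "__main__":
    install, manual, order = demo()
    print("still to install:", install)
    print("manual action:", manual)
    print("install order:", order)
```

Running it reports MS-OS-03 (before the SRP cutoff but listed as not included) and MS-BR-01 (a different product, so the OS roll-ups say nothing about it) as still needing a patch, MS-OS-05 as a manual action the roll-ups cannot have done for you, and the pending updates ordered OS service pack, OS bulletin patch, then the browser's service pack, SRP and cumulative patch. The `not_included` set is the part to keep honest: it is exactly the list of bulletins the SRP's release notes say are left out, which is why the column tells you to read those notes rather than trust the cutoff date alone.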