WSUS Installs Stealth Updates
Nov. 5, 2007

A recent error by Microsoft caused Windows Server Update Services (WSUS) to install Windows Desktop Search on desktops that had not previously installed the feature. This and other "stealth" update incidents show that Microsoft is still struggling to distribute the large number of updates for its products in a uniform and consistent fashion. Organizations that rely on the free WSUS software distribution product to distribute software updates from Microsoft and expect only approved updates to be installed may need to adjust their expectations and policies.

WSUS Error

The problem appeared around Oct. 23, 2007, when many WSUS customers noticed performance problems with their PCs due to the increased processing load generated by the newly installed Windows Desktop Search. According to Microsoft, it made a mistake in revising a previous Windows Desktop Search update, Knowledge Base 917013, which it had first released in Feb. 2007. The original update only updated computers on which Desktop Search was already installed. However, an Oct. 2007 revision (105) of the package was sent out that installed Windows Desktop Search on computers where it was not already installed. Furthermore, by default, WSUS automatically installs revisions to previously approved updates, so in many organizations revision 105 went out to all computers without first getting administrator approval.

The problem is compounded by confusion about the terminology that Microsoft uses to describe updates. This makes it difficult for Microsoft and customers to properly distinguish between critical security updates, critical performance updates, and updates that are neither critical nor important but that contain new features distributed between releases. Other updates fix problems with previous updates. At a minimum, a better way to designate revisions to updates is necessary.

Revise Patch Distribution Process

This incident, combined with the revelation in Sept. 2007 that Windows Update updates itself without customer approval, suggests that organizations should review their software distribution policies. In particular, an organization that wants to use Microsoft tools for this purpose should consider tightening the policies on its WSUS servers to require administrator approval of all updates, even revisions to earlier ones.
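One way to audit and tighten this setting on a WSUS server, as an added example that is not from the article or from Microsoft. It uses the WSUS administration API from PowerShell and assumes an elevated session on the WSUS server itself; the `-Apply` switch is a name chosen for this example.

```powershell
# Added example: audit WSUS automatic-approval settings and, with -Apply,
# stop revisions of already-approved updates from being approved automatically.
# Assumption: run on the WSUS server, where the administration assembly is installed.
param([switch]$Apply)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# Connect to the local WSUS server and read its configuration.
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $wsus.GetConfiguration()

# Report the settings that let updates reach clients without a fresh approval.
"Auto-approve new revisions of approved updates : {0}" -f $config.AutoRefreshUpdateApprovals
"Auto-decline updates when a revision expires   : {0}" -f $config.AutoRefreshUpdateApprovalsDeclineExpired
"Auto-approve WSUS infrastructure updates       : {0}" -f $config.AutoApproveWsusInfrastructureUpdates

# Automatic approval rules also bypass manual review; list the enabled ones
# so an administrator can decide whether each is still wanted.
$enabledRules = @($wsus.GetInstallApprovalRules() | Where-Object { $_.Enabled })
if ($enabledRules.Count -eq 0) {
    "No automatic approval rules are enabled."
} else {
    "Enabled automatic approval rules:"
    $enabledRules | ForEach-Object { "  - {0}" -f $_.Name }
}

if ($Apply) {
    if ($config.AutoRefreshUpdateApprovals) {
        # Require explicit approval for every revision, including revisions
        # of updates that were approved in an earlier form.
        $config.AutoRefreshUpdateApprovals = $false
        $config.Save()
        "Changed: revisions of approved updates now require administrator approval."
    } else {
        "No change needed: revisions already require administrator approval."
    }
} else {
    "Audit only. Re-run with -Apply to require approval for revisions."
}
```

With automatic approval of revisions turned off, a revised update stays on the previously approved revision until an administrator approves the new one, so revised updates need to be reviewed regularly.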

The Windows Update blog, which covers the design of Windows Update, is located at blogs.technet.com/mu/archive/2007/09/13/how-windows-update-keeps-itself-up-to-date.aspx.

The Windows Server Update Services blog, which explains the WDS revision update, expanded applicability rules, and auto-approve revisions, is located at blogs.technet.com/wsus/archive/2007/10/25/wds-revision-update-expanded-applicability-rules-auto-approve-revisions.aspx.

For background on Windows Update ignoring the customer's selection for processing updates, see "Stealth Windows Updates" on page 20 of the Nov. 2007 Update.