SUS Question

TheMSsForum.com: The Microsoft Software Forum

Does Microsoft remove old versions of critical updates from the patches
offered for syncrhonization to an SUS server, or do I need to be sure I
don't "approve" both the old and the new versions?

If I do approve both the old and the new version, how can I be sure that the
old version doesn't overwrite the new version, for example, if I had
installed the new version manually?

I am particularly thinking of Q824146 (MS03-039), the patch for blaster,
updated for welchia, and Q823980 (MS03-026) the patch for blaster without
additional welchia protection. If I approve the update "MS03-026: Security
Update for Windows 2000 (823980), 11/14/2003," and deploy it, how do I know
that I'm getting 824146, not 823980?

Do I need to be concerned about this, given that the update is later than
either 823980 or 824146?

Thanks for your repsonse. As you can see, this could be an important
question for anyone.
Top

Re: SUS Question by Torgeir

Torgeir
Wed Nov 26 19:47:38 CST 2003

Robert Hindla wrote:

> Does Microsoft remove old versions of critical updates from the patches
> offered for syncrhonization to an SUS server, or do I need to be sure I
> don't "approve" both the old and the new versions?
>
> If I do approve both the old and the new version, how can I be sure that the
> old version doesn't overwrite the new version, for example, if I had
> installed the new version manually?

Hi

(Fyi, there is a separate newsgroup for SUS, see further down)

The current version of SUS does not deal with superseded patches at all, it
installs everything you have approved "blindly" as long as OS version and SP
level matches.

Usually it doesn't matter if an older version is installed on top of another, at
least if it has been a reboot in between, because the updates will version
handle the files and not downgrade them. But note that the installers of the
"Cumulative Patch for Internet Explorer" MS03-015 and MS03-020 has a bug in it,
so it will downgrade the files installed by newer version of "Cumulative Patch
for Internet Explorer" (e.g. MS03-048). So, if you install MS03-020 on top of
MS03-048, you would need to reapply MS03-048.

If the situation is that you get several updates installed in one go, without a
reboot in between, things get a bit more complicated. Updates that uses
Update.exe (e.g. the OS updates uses this one) usually does not have a problem
with this (they have built-in qchain functionality), but for updates that uses
the IEXpress install engine (e.g. the IE cumulative updates), it can end up in a
mess.

So, yes, the conclusion is clear: You should absolutely un-approve superseded
updates (especially the IE ones).


From a previous post in the SUS newsgroup:

From: Don Cottam [MS] (donco@online.microsoft.com)
Subject: Re: Why does SUS want to install multiple cumulative IE6 sp1 patches
simultaneously
Newsgroups: microsoft.public.softwareupdatesvcs
Date: 2003-04-04 19:16:03 PST

<quote>
Typo doesn't change the nature of the question though. The current version
of SUS does not deal with superceded patches very well (actually at all) and
this is not currently covered in our FAQ or documentation. I think that the
best practice is to unapprove the superceded cumulative patches manually,
since in certain circumstances attempting to install multiple cumulative
patches at once can cause problems. Hopefully in the future we'll do a much
better job of dealing with supercedence.
</quote>


The SUS newsgroup:

microsoft.public.softwareupdatesvcs

news://msnews.microsoft.com/microsoft.public.softwareupdatesvcs

URL to the group softwareupdatesvcs for those who uses the Web
interface to access the newsgroups:
http://www.microsoft.com/windowsserver2003/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.softwareupdatesvcs

A Web site about SUS with a FAQ and a SUS forum:
http://www.susserver.com/

More SUS Web sites:
http://www.cites.uiuc.edu/sus/faq.html
http://www.faqshop.com/sus/default.htm



--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page
Scripting Guide: http://www.microsoft.com/technet/scriptcenter


Top

Re: SUS Question by Torgeir

Torgeir
Wed Nov 26 21:43:29 CST 2003

Robert Hindla wrote:

> Does Microsoft remove old versions of critical updates from the patches
> offered for syncrhonization to an SUS server, or do I need to be sure I
> don't "approve" both the old and the new versions?
>
> If I do approve both the old and the new version, how can I be sure that the
> old version doesn't overwrite the new version, for example, if I had
> installed the new version manually?

Hi

[Reposting, 1st post was removed, maybe because of the name of the IE update, so
I miss-spell it now to see if it helps]

(Fyi, there is a separate newsgroup for SUS, see further down)

The current version of SUS does not deal with superseded patches at all, it
installs everything you have approved "blindly" as long as OS version and SP
level matches.

Usually it doesn't matter if an older version is installed on top of another, at

least if it has been a reboot in between, because the updates will version
handle the files and not downgrade them. But note that the installers of the
"C*mulative Patch for Internet Explorer" MS03-015 and MS03-020 has a bug in
it, so it will downgrade the files installed by newer version of "C*mulative
Patch for Internet Explorer" (e.g. MS03-048). So, if you install MS03-020 on
top of MS03-048, you would need to reapply MS03-048.

If the situation is that you get several updates installed in one go, without a
reboot in between, things get a bit more complicated. Updates that uses
Update.exe (e.g. the OS updates uses this one) usually does not have a problem
with this (they have built-in qchain functionality), but for updates that uses
the IEXpress install engine (e.g. the IE c*mulative updates), it can end up in a

mess.

So, yes, the conclusion is clear: You should absolutely un-approve superseded
updates (especially the IE ones).


From a previous post in the SUS newsgroup:

From: Don Cottam [MS] (donco@online.microsoft.com)
Subject: Re: Why does SUS want to install multiple c*mulative IE6 sp1 patches
simultaneously
Newsgroups: microsoft.public.softwareupdatesvcs
Date: 2003-04-04 19:16:03 PST

<quote>
Typo doesn't change the nature of the question though. The current version
of SUS does not deal with superceded patches very well (actually at all) and
this is not currently covered in our FAQ or documentation. I think that the
best practice is to unapprove the superceded c*mulative patches manually,
since in certain circumstances attempting to install multiple c*mulative
patches at once can cause problems. Hopefully in the future we'll do a much
better job of dealing with supercedence.
</quote>


The SUS newsgroup:

microsoft.public.softwareupdatesvcs

news://msnews.microsoft.com/microsoft.public.softwareupdatesvcs

URL to the group softwareupdatesvcs for those who uses the Web
interface to access the newsgroups:
http://www.microsoft.com/windowsserver2003/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.softwareupdatesvcs

A Web site about SUS with a FAQ and a SUS forum:
http://www.susserver.com/

More SUS Web sites:
http://www.cites.uiuc.edu/sus/faq.html
http://www.faqshop.com/sus/default.htm


--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page
Scripting Guide: http://www.microsoft.com/technet/scriptcenter


Top