Microsoft last week backtracked from a 2016 decision to offer Windows 7 and Windows 8.1 users only cumulative updates, saying on Friday that starting next month it will again provide Internet Explorer (IE) security patches as a separate download.
The change was a tacit admission by Microsoft that IE has lost its place of primacy in the enterprise, a fact supported by a disastrous decline in third-party measurements of the browser’s user and usage shares over the past year.
“Customers have requested increased flexibility for deploying the Security Only updates for Windows independently of the fixes for Internet Explorer,” Nathan Mercer, a Microsoft senior product marketing manager, wrote in a post to a company blog Jan. 13.
In August 2016, Microsoft announced that starting in October, it would offer only cumulative security updates for Windows 7 and 8.1, ending the decades-old practice of letting customers choose which patches they apply. The new maintenance model for Windows 7 and 8.1 was a direct transplant from Windows 10, which has always relied on cumulative updates.
Under the revamped regime, Microsoft issues two different security-related updates each month for commercial customers: “Security Monthly Quality Update,” aka “Monthly Rollup,” which includes both security and non-security fixes; and “Security Only Quality Update,” a smaller-sized package that contains just security patches.
Patch experts voiced concern over the new practice, pointing out that businesses would no longer be able to refuse one security update while accepting others. That approach had been useful when reports surfaced of a flawed update that broke software or enterprise workflows, or crippled Windows computers.
But when Mercer explained why Microsoft would deliver IE security updates separately from the rest of Windows’ patches, he implied it had little, if anything, to do with a potentially bad fix. Instead, he said the change stemmed from the size of the updates.
“The Internet Explorer updates constituted a significant percentage of the total Security Only update package size,” Mercer said. “Package size is one of the primary reasons some enterprise customers choose to leverage the Security Only update (to optimize for smaller download in limited bandwidth scenarios).”
“With this separation, the Security Only update package size will be significantly reduced,” Mercer continued [emphasis in original]. “But you will need to deploy and install the Internet Explorer update to remain secure for the latest supported version of the browser.” That last sentence was an important clue to the real reason businesses pushed Microsoft to separate IE from the Security Only update.
If companies were still using IE, there would be no reason to isolate its patches from the rest of the month’s: They would still need to update IE. Whether in one or two downloads, the size of everything would have been similar, with zero bandwidth savings. Only if enterprises aren’t running IE does separating its updates make sense.
And clearly a lot of enterprises have abandoned IE.
According to web analytics vendor Net Applications, in December IE was used by 23% of those running Windows, a decline from 51% just 12 months before.
But industry research firms typically peg enterprises as accounting for approximately 55% of all Windows PCs. That means, assuming every consumer with a Windows system runs something other than IE — highly unlikely — at least half of the commercial Windows machines worldwide rely on a browser other than Internet Explorer.
Microsoft will provide a separate IE update on Feb. 14, the next Patch Tuesday, for those enterprises that deploy patches with Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM) or a third-party patch management platform. Only firms that select the Security Only option will be able to eschew the IE package. Firms whose IT administrators choose the Monthly Rollup will continue to receive IE patches as part of the cumulative update.
Consumers or businesses that receive patches from the Windows Update service are automatically handed the Monthly Rollup, and so will not have a choice as to whether to download IE updates.