When Microsoft first started released updates to the Windows Installer engine – I was confused. It was early in the process, and there wasn’t as much documentation as I needed. SSU’s or Servicing Stack Updates
were a bit of a mystery. We talked about Patch Tuesday and Updates all of time – but SSU’s were an update to the update process.
Here is how the Microsoft documentation describes this “update to the update” process:
“Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the “component-based servicing stack” (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.”
This is description is not strictly accurate – now.
We are now seeing monthly updates to Windows Installer (see CVE-2022-30147
). And, for the years we have had separate updates to the Windows platform (aka Patch Tuesday
) and the CBS, SSU or service stack. For most releases, SSU updates are “always” rated as critical though they may not resolve critical vulnerabilities. Essentially the SSU updates the components that update your desktop and server. Unfortunately, we have many Patch Tuesday updates that require a SSU update before they can be successfully deployed. There SSU’s were a key technical and security dependency to other platform or application updates. Which caused deployment issues.
I mention SSU’s now, as they may be a thing of the past, with combined or “unified” updates from Microsoft. We have seen this for the past few months (since February). In fact, Windows 11 only offers the LCU/SSU unified option for its monthly update cycle.
Microsoft has published the following note on this combined update process:
“Beginning with the February 2021 LCU, we will now publish all future cumulative updates and SSUs for Windows 10, version 2004 and above together as one cumulative monthly update to the normal release category in WSUS.”
You can read more about this effort here
You may not want to combine both the SSU and the LCU, and so Microsoft has offered the following advice to split up the deployments of these update packages:
To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package
command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages
Running Windows Update Standalone Installer
) with the /uninstall
switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
If you are interested in the difference between the LCU update and the SSU update for the past May Patch Tuesday release, you can find the file manifest for each update here: