Shortcuts: Microsoft SSU’s Explained

Greg Lambert provides some detail on the Microsoft SSU process and how Patch Tuesday and platform component updates have evolved.
When Microsoft first started released updates to the Windows Installer engine – I was confused. It was early in the process, and there wasn’t as much documentation as I needed. SSU’s or Servicing Stack Updates were a bit of a mystery. We talked about Patch Tuesday and Updates all of time – but SSU’s were an update to the update process.
Here is how the Microsoft documentation describes this “update to the update” process:
“Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the “component-based servicing stack” (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.”
This is description is not strictly accurate – now.
We are now seeing monthly updates to Windows Installer (see CVE-2022-30147). And, for the years we have had separate updates to the Windows platform (aka Patch Tuesday) and the CBS, SSU or service stack. For most releases, SSU updates are “always” rated as critical though they may not resolve critical vulnerabilities. Essentially the SSU updates the components that update your desktop and server. Unfortunately, we have many Patch Tuesday updates that require a SSU update before they can be successfully deployed. There SSU’s were a key technical and security dependency to other platform or application updates. Which caused deployment issues.
I mention SSU’s now, as they may be a thing of the past, with combined or “unified” updates from Microsoft. We have seen this for the past few months (since February). In fact, Windows 11 only offers the LCU/SSU unified option for its monthly update cycle.
Microsoft has published the following note on this combined update process:
“Beginning with the February 2021 LCU, we will now publish all future cumulative updates and SSUs for Windows 10, version 2004 and above together as one cumulative monthly update to the normal release category in WSUS.”
You can read more about this effort here.
You may not want to combine both the SSU and the LCU, and so Microsoft has offered the following advice to split up the deployments of these update packages:
  • To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
  • Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
If you are interested in the difference between the LCU update and the SSU update for the past May Patch Tuesday release, you can find the file manifest for each update here:

Leave a Comment

Your email address will not be published.

Related Posts

Patch Tuesday

Patch Tuesday Includes 6 Windows Zero-Day Flaws; Patch Now!

Microsoft this month released a significant update that fixes 68 reported vulnerabilities, including a record six zero-days affecting the Windows platform.

Read More
Assurance Dashboard

Assurance Security Dashboard November 2022

Here is our Assurance Security dashboard that shows the risk associated with this month’s Patch Tuesday updates.

Read More
Patch Tuesday

November Testing Guidelines

Each month the Readiness team analyses the patches applied to Windows, Microsoft Office and related technology/development platforms. We look at each update, the individual changes and the potential impact on enterprise environments. We hope that these testing scenarios offer some structured guidance on how to best deploy Windows updates to your environment.

Read More