Shortcuts: Microsoft SSU’s Explained

Greg Lambert provides some detail on the Microsoft SSU process and how Patch Tuesday and platform component updates have evolved.
When Microsoft first started released updates to the Windows Installer engine – I was confused. It was early in the process, and there wasn’t as much documentation as I needed. SSU’s or Servicing Stack Updates were a bit of a mystery. We talked about Patch Tuesday and Updates all of time – but SSU’s were an update to the update process.
Here is how the Microsoft documentation describes this “update to the update” process:
“Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the “component-based servicing stack” (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.”
This is description is not strictly accurate – now.
We are now seeing monthly updates to Windows Installer (see CVE-2022-30147). And, for the years we have had separate updates to the Windows platform (aka Patch Tuesday) and the CBS, SSU or service stack. For most releases, SSU updates are “always” rated as critical though they may not resolve critical vulnerabilities. Essentially the SSU updates the components that update your desktop and server. Unfortunately, we have many Patch Tuesday updates that require a SSU update before they can be successfully deployed. There SSU’s were a key technical and security dependency to other platform or application updates. Which caused deployment issues.
I mention SSU’s now, as they may be a thing of the past, with combined or “unified” updates from Microsoft. We have seen this for the past few months (since February). In fact, Windows 11 only offers the LCU/SSU unified option for its monthly update cycle.
Microsoft has published the following note on this combined update process:
“Beginning with the February 2021 LCU, we will now publish all future cumulative updates and SSUs for Windows 10, version 2004 and above together as one cumulative monthly update to the normal release category in WSUS.”
You can read more about this effort here.
You may not want to combine both the SSU and the LCU, and so Microsoft has offered the following advice to split up the deployments of these update packages:
  • To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
  • Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
If you are interested in the difference between the LCU update and the SSU update for the past May Patch Tuesday release, you can find the file manifest for each update here:

Leave a Comment

Your email address will not be published.

Related Posts


App Wednesday – June 2022

This monthly blog entry is aimed at mid-month Microsoft updates that includes patches, application updates, lifecycle changes and application related events. We will cover security issues that relate to applications and deployments as well.

Read More

DELL and Readiness: A growing partnership

Greg Lambert discusses the recent signing of the DELL Technologies global partnership agreement with DELL.

Read More
Patch Tuesday

Microsoft Delivers Solid Windows-Focused Updates for June’s Patch Tuesday

This month’s Patch Tuesday updates deal with 55 flaws in Windows, SQL Server, Microsoft Office, and Visual Studio, and include a zero-day vulnerability in a key Windows component.

Read More