Missing SQL and .NET Oct Patches

SmokyMTN 2019-10-09 16:16:42 UTC #1

Where are the SQL and .NET updates Microsoft released this week?

Lots of issues it seems this month with BigFix’s release… or maybe I just never paid close enough attention.
Causing me some patching delays this week.

Chris

yipingliu 2019-10-09 17:41:28 UTC #2

@SmokyMTN, Microsoft did not release any SQL or .NET updates this week.

SmokyMTN 2019-10-09 18:10:24 UTC #3

WSUS reports:

10/08/19: SQL Server 2016 Service Pack 2 Cumulative Update (CU) 10 KB4524334
(but yeah, I don’t see mention in the MS release, other than SQL Server Management Studio)

These were also released to WSUS on the same date, 10/08/19

KB4524102 – 2019-10 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4524103 – 2019-10 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Embedded 8 Standard and Windows Server 2012

KB4524104 – 2019-10 Security and Quality Rollup for .NET Framework 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2

KB4524105 – 2019-10 Security and Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 for Windows Server 2008

I guess that’s why I’m a bit confused. But… its Microsoft, not surprised.

Thanks for the help.

Chris

yipingliu 2019-10-09 18:15:12 UTC #4

@SmokyMTN,

Yea, the SQL patch is not a security update, just a regular SQL CU update from Microsoft, expect it to come out before week’s end.

The .NET patches aren’t actually new, in some cases Microsoft just tends to re-package the existing .NET updates and gives it a new KB.

SmokyMTN 2019-10-09 18:58:06 UTC #5

good to know. thanks for the help!

unfortunately though, our vulnerability reports will likely show the .net updates as not installed. thanks Microsoft!

Chris

bma 2019-10-09 20:17:26 UTC #6

Not sure what your vulnerability reports are looking for but the .NET KBs you have listed are not categorized as “Security Updates”.
Example: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4524102

Microsoft will have a .NET “release” every Patch Tuesday but as @yipingliu mentioned, old updates often get repackaged under a new parent KB number.

If there is a .NET security update release for a given Patch Tuesday, you would typically see it listed in Microsoft’s Security Update Guide.
https://portal.msrc.microsoft.com/en-us/security-guidance

Even if your scanner was looking for those specific .NET KBs that you have listed, the individual patch binaries are the same as when they were packaged under previous KB numbers. If your systems have had all the prior updates installed, your systems would block the install of any downloads from the new KB, again because the binaries are exactly the same.

bma 2019-10-09 20:38:04 UTC #7

A good way to see if particular .NET updates are in BigFix is to search for the wrapped KB numbers.

For example, if you go to the KB article for KB4524102, you will see that this KB wraps the following:

KB4507004
KB4507001
KB4515854
KB4515847

And searching in BigFix, you will find content for each of these.