Windows Cumulative Update Supersedence

Dear gurus:
“MS23-JUN: Cumulative Update for Windows Server 2019 - Windows Server 2019 - KB5027222 (x64) (Superseded)” was replaced by the new one “MS23-JUL: Cumulative Update for Windows Server 2019 - Windows Server 2019 - KB5028168 (x64)” because "Note: This update has been superseded by KB5028168 A security issue has been identified in a Microsoft software product that could affect your system. "

Is it possible to know what ‘security issue’ KB5027222 has?

This is relevant to me to know because a customer has the policy of installing all June patches on QA systems and once qualified proceed to install on the production environment. However, in this case, during the qualification process we should install KB5028168 instead and I need some technical justification if available.

Thank you very much in advance,

Generally we’d refer to the Microsoft KB article for detailed info. There should be a link from the Fixlet to the article for the newer bulletin, i.e. https://support.microsoft.com/en-us/topic/july-11-2023-kb5028168-os-build-17763-4645-eff2d1e1-5f91-4d9a-aef1-ae26bdf51321

Thank you, Jason, for the prompt reply. In fact, I reviewed all the available documentation but found nothing related to it. This leads me to think that MS did not disclose the security issue for safety/security reasons, which I think sounds reasonable.

Thanks again and great weekend for everyone.

Andrés.

I think that’s just boilerplate language Microsoft assigns for any update in the Download Catalog that addresses any security issue. Here’s the Catalog entry for KB5027222 -

To get the details of any given update, we have to check the original KB article (either the KB link in the Download Catalog, or the link we provide from the Fixlet in the console)

I checked several older fixlets, and that exact same verbiage is on every monthly rollup for Windows Server 2019 going back at least as far as the June 2022 rollup package. I don’t think this means there’s anything particularly “bad” about last month’s rollup package.

A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.

The way I read these is that the June 2023 Rollup Package resolved some security issues in Windows. The July 2023 Rollup Package also resolves some security issues in Windows. July 2023 corrects everything that the previous months’ packages correct, along with newly discovered ones, and thus supersedes all earlier monthly rollups. That doesn’t specifically mean anything new or terrible was introduced in the June package, just that the July package does more.

(I’ve moved this thread into a new topic to avoid confusion on the July 2023 Patch Release Announcement thread).