Surprise Patch KB 3005628 Bodes Ill for Microsoft's Patching Strategy

Out-of-band patch, which fixes errors 0x800F0906 and 0x800F081F when enabling the .Net Framework 3.5 feature, is a troubling disruption in Microsoft's patching strategy

Yesterday Microsoft released patch KB 3005628 for Windows 8, 8.1, Server 2012, and Server 2012 R2. It's a trivial, non-security patch. The fact that it wasn't held and issued on the normal cadence (patches usually arrive on Update Tuesday, which is next Tuesday) points to either an accidental release to the Automatic Update chute -- which we've seen before -- or an unwelcome switch in Microsoft's patching strategy. Either possibility is troubling.

The patch's sole reason for existence is to remove two earlier botched patches -- KB 2966827 and KB 2966828 -- which were part of August's MS14-046, a multifaceted "Important" security bulletin for .Net Framework 2, 3, 3.5, and 3.5.1. (Important is one notch below Critical in Microsoft's severity ratings, which in practice means it wasn't all that urgent, of course.)

According to the Microsoft KB 3005628 article:

This update resolves an issue that prevents the Microsoft .Net Framework 3.5 feature from becoming enabled after security update 2966827 or 2966828 (described in Microsoft Security Bulletin MS14-046) is installed for the Microsoft .Net Framework 3.5. This update applies to Windows Server 2012 R2, Windows Server 2012, Windows 8.1, and Windows 8.

Update 3005628 removes security update 2966827 or 2966828 from any system that does not have the .Net Framework 3.5 feature content installed on Windows Server 2012 R2, Windows Server 2012, Windows 8.1, or Windows 8. After the release of update 3005628, security updates 2966827 and 2966828 will be offered only to applicable systems that have the .Net Framework 3.5 feature enabled.

In other words, it's a simple Fixit that uninstalls two bad patches from machines that never had the .Net 3.5 feature content installed in the first place, which is exactly the situation that produced the 0x800F0906 and 0x800F081F errors when you later tried to enable the feature. Microsoft has a TechNet post on the 0x800F0906 error, and ricktendo64 on My Digital Life shows how the whole patch is just a simple uninstaller.
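If you'd rather see for yourself which machines KB 3005628 is aimed at, here is an added PowerShell check. It is not code from the article, from Microsoft, or from the My Digital Life post: it reports the state of the NetFx3 optional feature, lists whether KB 2966827 or KB 2966828 is installed, and, only if you flip a guard variable, removes them with wusa.exe the way the Fixit does. The cmdlets used (Get-WindowsOptionalFeature, Get-HotFix, Enable-WindowsOptionalFeature) ship with Windows 8 / Server 2012 and later; the D:\ installation-media path in the final step is an assumption.

```powershell
# Added example (not from the article): check a Windows 8/8.1/2012/2012 R2 box
# for the condition KB 3005628 addresses. Run from an elevated PowerShell prompt.
# Requires the built-in DISM PowerShell module (Windows 8 / Server 2012 and later).

$updates = 'KB2966827', 'KB2966828'

# 1. Is the .NET Framework 3.5 feature Enabled, Disabled, or
#    DisabledWithPayloadRemoved? The last state is the one on which the two
#    MS14-046 updates should never have been offered.
$netfx = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
Write-Host ("NetFx3 feature state: {0}" -f $netfx.State)

# 2. Which of the two .NET 3.5 updates from MS14-046 are present?
$present = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $updates -contains $_.HotFixID }
if ($present) {
    $present | Format-Table HotFixID, InstalledOn -AutoSize
} else {
    Write-Host "Neither KB2966827 nor KB2966828 is installed."
}

# 3. Mirror what KB 3005628 does: if the feature content is not installed but
#    one of the updates is, uninstall that update. Guarded so that nothing is
#    removed until you have reviewed the output above and set the flag.
$doUninstall = $false
if ($netfx.State -ne 'Enabled' -and $present -and $doUninstall) {
    foreach ($kb in $present.HotFixID) {
        $num = $kb -replace '^KB', ''
        Start-Process -FilePath wusa.exe `
            -ArgumentList "/uninstall /kb:$num /quiet /norestart" -Wait
    }
}

# 4. Afterwards, enabling the feature should succeed again. If Windows Update
#    still cannot supply the payload, point DISM at installation media.
#    Assumption: the install media is mounted as D:\ (adjust the path).
# Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All `
#     -Source D:\sources\sxs -LimitAccess
```

Step 3 removes the update rather than re-enabling anything; that matches the KB article, which says the patch only uninstalls 2966827/2966828 and then lets Windows Update offer them again once the feature is actually enabled. Leave the uninstall guard off on a machine where NetFx3 reports Enabled: those systems are supposed to keep the security update.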

What's going on here? I mean, installing patches to .Net is always a bear, and August was a horrendous month for botched patches. But why was this particular patch released to the Automatic Update (and Windows Server Update Services) chute, unannounced, on the first Tuesday of the month?

In the good old days -- two months ago -- out-of-band patches like this one on the first Tuesday of the month were usually reserved for major security problems that had to be dealt with immediately. They were frequently accompanied by security advisories, dire warnings, white papers, and press conferences (or the Microsoft Security Response Center's equivalent to press conferences).

This patch marks the second Tuesday in a row on which Microsoft has released a trivial out-of-band patch. Last Tuesday, Sept. 30 -- the fifth Tuesday in September -- brought a little-noticed patch, KB 3001554, which was said to "improve customer experiences" for DVD playback in Windows 7. At least, I think that's what it's for. Microsoft's inscrutable description led several people to conjecture that it's just another snooping effort on Microsoft's part.

That makes two out-of-band patches on two consecutive Tuesdays that do very little. (KB 2998527, released Sept. 23 -- the fourth Tuesday of the month -- follows the old pattern: security patches on the second Tuesday, other patches on the fourth Tuesday.)

Perhaps, in this brave new world leading to Windows 10's faster-paced releases, every Tuesday has become Update Tuesday.

Oh boy.

This story, "Surprise Patch KB 3005628 Bodes Ill for Microsoft's Patching Strategy" was originally published by InfoWorld.
