Microsoft’s patching cycles revolve around Tuesdays. For the past couple of years, Microsoft has been trying to recast the Gregorian calendar in some sort of “A week” / “B week” nonsense, but if you just look at Tuesdays, you’ll start off on the right foot.
On the first Tuesday of the month, Microsoft usually releases non-security updates for the installed (“MSI”) versions of Office. They’re usually not checked in Windows Update, so they don’t install automatically.
On the second Tuesday of the month – Patch Tuesday – Microsoft usually releases:
- Cumulative updates for the various versions of Windows 10, which roll out through Windows Update. These combined security and non-security patches are “cumulative” in the sense that, if you install one of them, you’re caught up on all of your patching obligations for that particular version of Win10.
- Monthly Rollups for Windows 7 and 8.1, which appear checked in Windows Update, so they install unless you’ve turned off Automatic Update. They also contain security and non-security updates, and they’re cumulative (although they may not include some very old patches).
- Security-only patches for Win7 and 8.1. These are only available for manual download and installation. They aren’t cumulative.
- Security patches for the installed (“MSI”) versions of Office, which are checked and ready for automatic installation. Around the second Tuesday, the non-security Office patches are generally changed to appear as checked in Windows Update, so they will install unless you have Automatic Update turned off.
- Finally, Office Click-to-Run (C2R) usually gets updated on or around the second Tuesday of the month. If you have the C2R version of Office (as opposed to the installed “MSI” version), you are automatically updated through the Office updating mechanism, which is outside of the usual Windows Update channel.
Lately, the third Tuesday of the month, give or take a day or two, brings fixes for bugs introduced on the second Tuesday of the month.
Also on the third Tuesday, Microsoft releases a “Preview of Monthly Rollup” for Win7 and 8.1 – a collection of non-security bug fixes that (if all goes well) will reappear on the second Tuesday of the following month. Notably, Microsoft hasn’t released a significant new feature for Win7 or 8.1 for at least a few years. Other than bug fixes, time zone changes and the like, the only non-security modifications we’ve seen are designed to increase telemetry.
Finally, sometime between the third and fourth Tuesdays of the month, each Win10 version gets a second (or third) cumulative update for the month. These cumulative updates are supposed to include just bug fixes, not security patches.
Mind you, that’s the theory. In practice, things are much messier. If you include the patches, pulled patches, re-issued patches, re-directed patches (with changes in “metadata”), plugged IE holes and .NET patches, we see something new on roughly half of the business days in a typical month. Most of the changes are undocumented or nearly so.
Nowadays, newer Win10 versions get three or even four patches, fixes and re-patches per month. Multiply that by three current versions (1703, 1709 and 1803), and there’s a whole lot of Win10 patching going on. It’s a wonder Microsoft can keep all of the balls in the air.