Microsoft usually releases a list of non-security patches several days before the Black Tuesday rollout, but this month there was no information until several hours after the patches hit. That's a problem for users, particularly because Microsoft's track record with patches is so bad -- and this month is no exception.
Yesterday Microsoft released dozens of patches for Windows in 11 bulletins covering 26 individually identified CVEs (common vulnerabilities and exposures), including 10 in Internet Explorer, four re-released security changes, and nine changes to non-security patch installers. The .Net security bulletin alone gives rise to 10 different downloadable patches.
Not to be outdone, the Office team released a bewildering array of updates for Office 2013, including 13 security patches, two bulletins, and 42 non-security patches. Note that you must have Office 2013 SP1 before you can install any of these patches.
There's also a Security Advisory about Public Key Cryptography User-to-User (PKU2U), called KB 3045755.
It's still early in the game, but here are the problems I saw that cropped up overnight.
KB 3013769, the December 2014 update rollup for Windows 8.1 and Server 2012 R2, has been re-released as an optional update. Many people using Kaspersky Antivirus report that installing the patch triggers a blue screen: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (kl1.sys).
kl1.sys is a Kaspersky Antivirus network driver trace file.
This blue screen shouldn't come as a surprise to Microsoft. The same problem was reported back in December with the original update.
If you get a blue screen, the KB article -- now up to version 6.0 -- has a complex workaround that involves manually uninstalling Kaspersky Antivirus and applying the patch. Funnily enough, the step-by-step instructions don't mention re-installing Kaspersky.
In theory, KB 3013769 shouldn't try to install itself if it was successfully installed in the past. But I'm seeing reports that Windows Update is trying to install it again, even if it's listed in both Installed Updates and Update History. That's particularly unwelcome news if you're running a problematic version of Kaspersky Antivirus.
Poster Andres P on the Answers forum theorizes that "binaries WERE updated on MS Update site (this is a true) and technologies relying on WSUS/SCCM picked it up and deployed again (since original deployment deadline is passed)."
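As an added example (not from Microsoft or the KB article), here is a PowerShell check you can run on a Windows 8.1 or Server 2012 R2 machine before approving the re-released rollup. It reports whether KB 3013769 is recorded as installed, whether kl1.sys is present, and whether Windows Update is offering the rollup anyway. The driver path is an assumption; the script changes nothing on the machine.

```powershell
# Added example: triage one machine for the KB 3013769 / kl1.sys conflict.
$kbNumber   = '3013769'
# Assumption: kl1.sys sits in the standard driver directory.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\kl1.sys'

# Is the rollup recorded as installed?
$hotfix = Get-HotFix -Id "KB$kbNumber" -ErrorAction SilentlyContinue |
    Select-Object -First 1

# Is the Kaspersky driver named in the blue screen present, and which build?
$driver = Get-Item -LiteralPath $driverPath -ErrorAction SilentlyContinue

# Is Windows Update offering the rollup anyway? $null means the scan failed.
$offered = $null
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
    $offered  = [bool]($pending | Where-Object { @($_.KBArticleIDs) -contains $kbNumber })
} catch {
    Write-Warning "Windows Update scan failed: $($_.Exception.Message)"
}

# Turn the three facts into a recommendation for this machine.
$action = if (-not $driver) {
    'kl1.sys not found: the Kaspersky conflict does not apply'
} elseif ($hotfix -and $offered) {
    'Installed but offered again: hold the re-release on this machine'
} elseif ($hotfix -and $null -eq $offered) {
    'Installed, but the Windows Update scan failed: re-run before deciding'
} elseif ($hotfix) {
    'Installed and not re-offered: no action'
} else {
    'kl1.sys present, rollup missing: follow the KB workaround before installing'
}

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    RollupInstalled = [bool]$hotfix
    InstalledOn     = $hotfix.InstalledOn
    Kl1Version      = $driver.VersionInfo.FileVersion
    ReOffered       = $offered
    Action          = $action
}
```

Compare the reported Kl1Version with whatever the KB article lists as affected; the script does not judge which Kaspersky builds are problematic.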
Microsoft also re-re-re-released KB 2990214, the high priority "update that supports you to upgrade from Windows 7 to a later version of Windows." The last re-re-release was last Tuesday, so Microsoft's churning through something. As I mentioned last week, this patch is supposed to make it easier to upgrade Windows 7 systems to Windows 10. Again, I haven't seen it offered on my Windows 7 PCs, but I may just be lucky. Or blocked.
Important note: KB 2990214 contains a new version of the Windows Update engine. Buried in the KB article, you can see that the update applies not only to Windows 7 SP1, but also to Windows Server 2008 R2. But the KB article confusingly admonishes: "This update for Windows Server 2008 R2 does not support you to upgrade to a later version of Windows." We're thus left with a patch to Server 2008 R2's Windows Update engine that, according to Microsoft, doesn't do what the KB article says it's going to do. That's a troubling situation, but not so unusual in the wacky world of Windows patches.
The Skype for Business rollout is a bit odd. Microsoft has been warning Lync users for six months that Lync is fading away, replaced by Skype for Business. Microsoft has an official Office blog about the transition. The software rollout, strangely, comes in the form of an optional patch, KB 2889923, which says, "After you apply this April 14, 2015 update, Lync 2013 will be upgraded to Skype for Business." Further down the page, the KB article advises you to also install KB 2889853, KB 2863908, and KB 2817430 after installing KB 2889923.
Here's where we start disappearing down the rabbit hole, because KB 2889853 also says, "After you apply this April 14, 2015 update, Lync 2013 will be upgraded to Skype for Business." I think that's inaccurate. If you chase your tail long enough, you may come to the conclusion that the former patch, KB 2889923, does the upgrading, and the latter patch, KB 2889853, "resolves an issue in which the 'Help isn't working' error occurs in Microsoft Skype for Business."
The second additional patch, KB 2863908, installs a fix for Lync that was released last month. The third additional patch, KB 2817430, is just Office 2013 SP1, which was released more than a year ago.
None of those patches appears in the official Windows Update/WSUS list.
Tobie Fysh has written a thorough guide to the nuts and bolts of moving from Lync to Skype for Business, which has additional recommendations for patching, including a registry change.
For those of you running a WSUS server, there have been reports of problems getting the April 2015 patches to sync on Server 2012 R2. The problem hasn't been acknowledged by Microsoft, and it isn't clear how widespread the problem might be, but the most recent reports are from early Wednesday morning.
The lack of advance notification about non-security patches and missing KB articles at the time the updates rolled out the chute has turned into a significant problem. Microsoft abruptly ended advance notification of security patches in January. It seems that the only people who get advance notice of coming patches are those who work for organizations that pay for Premier Support. Now it's starting to look like the unwashed masses won't even get a chance to look at patch details until hours after they've been applied through Automatic Update. That's not in anybody's best interests.