Servicing Stack Updates (SSU)

Corrine

Administrator,
Microsoft MVP,
Security Analyst
Staff member
Joined
Feb 22, 2012
Posts
12,394
Location
Upstate, NY
Servicing Stack Updates (SSU) seem to cause a lot of confusion. Users see posts mentioning a SSU update but when viewing Update History, only the latest Cumulative Update is listed. So, what is the Servicing Stack and why are the updates important?

What is the Servicing Stack?

Simply stated, the Servicing Stack is what actually installs Windows Updates. However, it also contains the "component-based servicing stack" (CBS). The CBS is key to DISM, SFC, as well as changing Windows features or roles, and repairing components.

Why are the SSU Updates Important?

The Microsoft Docs article referenced below explains the importance of SSU's as follows:

"Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes."

As an example of a SSU update, following are the issues addressed in the July 26, 2019 Servicing Stack Update for Windows 10, 1903 x64-based Systems:
  • Addresses an issue in which an update may not install with certain other updates and upon start up after installation of the other updates, will require a second scan of Windows Update and a second restart to complete installation.
  • Addresses an issue in which reserved disk space may not be returned to free space when installation of Language Packs or Features on Demand (FODs) fails or is canceled. The disk space is returned to free space when Storage Sense is run.
  • Addresses an issue when Windows Update Check for updates is run during the installation or uninstallation of an update, Features on Demand (FODs) or Language packs, which may cause the installation to fail and may cause a restart to take up to an hour.
Getting the SSU:

When there is a Servicing Stack Update released with security or cumulative updates, the updates are automatically installed with Windows Update (you won't see the SSU offered in the list of updates available). Because each Servicing Stack Update replaces the complete "stack" they do not require a restart.

If you are unsure whether you have the latest Servicing Stack Updates installed, the list of SSU's is at https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001. Locate the update for your operating system. Clicking the KB number will take you to the update, which includes the date of the last update. You can now find the date of the last update on your device in the link to "View installed updates" located in Programs and Features of the Control Panel.

References:
 
Many Vista users have been updating their computers with server updates. Many vista users want to have the advantage of Windows Defender as well as third party Anti-virus program other than AVAST. So they do not install MSE as signature definitions of MSE are assumed to be same as those in Windows Defender. Users run Windows defender along with a 3rd party Anti-virus. If MSE is installed then Windows Defender is turned OFF automatically.

Since 2018 or so Windows Defender won't get updated unless the computer is installed with SSU update KB4493730 or the latest ones (KB4537830 - I am yet to try this one) and KB4474419 (SHA-2 Code). But then these 2 are server updates and it will change the build of Vista machine from 6.0.6002 to 6.0.6003. So far so good.... Then the real issue comes up when due to some reason user may need to go for a system restore to a restore point back in time. The computer ends up with a Black Screen of Death with a cursor -- a Black screen after log-in and before coming to Desktop (ie, it never makes it to the Desktop). But if the restore point is beyond the point when these 2 updates - SSU and KB4474418 were installed (ie at a time when computer was of build 6.0.6002), System restore succeeds in bringing the computer to that point.

Only if SSU and KB4474419 were tagged as Windows Vista updates and not only as Server 2008 updates, users would have been happy with their computers.
It is an unsupported and outdated system, but Vista users know it as one of the best systems. It is understood that whenever a new Windows OS is to be designed by MS this OS - Windows Vista is taken as a reference point to begin with.
Anyway, it is for Microsoft to decide what it wants and what its users get. Till then, any possible work-around?
 
For Win Vista OS, WSUS Offline version 10.9.2 can be used to update Windows Defender till March 2019 without changing it over to a server machine ( ie, Win version 6.0.6002 is maintained). A server machine would be 6.0.6003.... which is not the case. So far ... so good...

Win Defender - Before.jpg
Figure 1 - Win Defender - Before

Win Defender - After.jpg
Figure 2 - Win Defender - After WSUS Offline ver 10.9.2

Win Defender After Details.jpg

Figure 3 - Win Defender - After - Details

Vista Build.jpg

Figure 4 - Win Defender - After - Win Version Details

Further, to update Win Defender in Vista till date (March 2020), there must be some way ...... yet to explore...
 
Alright.... so that is ... as far as we can get.... some had made it till October 2019.... Support or no support.... Computing never goes out of style!

This thread may be closed with any further concluding remarks/comments. The query is answered/resolved. Thanks.
 
Though the article is dated March 10th and I saw Windows 7 listed, when I went to the catalog,
Microsoft Update Catalog
the date appears to be Feb. 10th. Did MS get the month wrong or the KB number incorrect?

The last SSU I did was in January
Microsoft Update Catalog

I assume that since I can't buy patching for my home systems I don't need this February or possibly March update.
 
I don't think that the Update Catalogue is maintained properly now, I was searching for an update package and it didn't appear in the listing.
 
Aha .. ha ... now we are seeing something beyond policy statements....

And what about this one....coming back to Windows Defender ... Vista ... take a look ...

Latest security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence

Isn't Signature definition updates for Win Defender for Win 7 and Vista being officially forwarded for updating manually...?
Then why is it not getting updated ? Incorrect path ? Has anyone tried it out?
Tell you what ... if the computer is 6.0.6003 (server), it gets installed... in Vista ...but if the computer is 6.0.6002 -- it does not get installed.
Now any further MS Policy statement I may have missed?
And then talk of Server updates and SHA-2 tags and SSU .... !!!

MS keeps the users of Vista & Win 7 in total confusion...
Why? Any guesses???

MS is in a mess... may be!... May be not!
Perhaps MS is in the process of sorting out things...

So ..... Wait & Watch ... Don't give up !
 
I don't use Windows Defender because it isn't good on Windows 7. Please note I'm not talking about Windows defender on Windows 8.1 and 10 which has the same name but is not the same program. I installed MS Security Essentials and it is getting updated automatically on our four Windows 7 computers. It worked the same on XP computers after monthly patches stopped.
MSSE.jpg
As you can see it gets updated automatically every 2 days.
 
Thanks ... for the info.. and a boost to keep going... Yes, MSE is an anti-virus and an anti-spyware whereas Win Defender is only an anti-spyware. And when MSE is on, it turns off Win Defender. Win Defender had a Software Explorer kind of a feature -- an anti-exploit or a software Inspector kind of a program that monitored any changes upon installation of any program and its start-up entries -- a sort of start-up manager. At the same time it used to rate / check digital sign, verify , etc and a spynet community was there to oversee... By the way, I have Turned off the Win Defender on my Vista for the moment to keep off the nagging screen with red shield on Security Center indicating Win Defender is OUT OF DATE. Everything else is fine ... No virus .. no malware.... cyber world is virtual. No harm at all.... to try and learn...

And as far as Microsoft Update Catalog is concerned, some updates that are not found on it ... are found on MS Knowledge Base Articles floating on the net.. or on some web-sites other than MS. .. unless it is totally withdrawn by MS ...Surely, MS needs to keep its archives properly... digitalized... stored in soft copies... the only question is -- which OS will they rely upon to do so??!! Ha ha .... a bad joke! .. ( I am not a computer -pro). Every technology has its own problems... Live with it!
 
If you expect to get updates for MS Security Essentials in Vista, I don't think that will work.
The only reason, I suspect, that it is working in Windows 7 is because MS has committed to supporting it until sometime, probably January of 2023 to businesses that pay for support. Probably MS Security Essentials will be updated thru Jan 2023 on any Windows 7 computer.
31% of desktops/laptops are still using Windows 7.
0.15% are still using Vista so there isn't incentive to support Vista.
Source: Operating system market share
 
Let me summarize -----

Signature definitions for Vista are available and forwarded by MS as mentioned in the link (post #10). It can be updated manually & automatically if update KB4474419 (SHA-2 Code) for server 2008R2 is installed switching Vista PC from 6.0.6002 to 6.0.6003. Everything works fine if done so. But as mentioned earlier in post#3, now the machine becomes a server machine (6.0.6003) and if a System Restore is attempted it fails .... System Restore is possible only to tumble back to a Restore Point where PC was 6.0.6002 (Vista)... This was the issue taken up.

Then attempts to go for signature definition updates were made keeping the machine as 6.0.6002 (Vista) and not as 6.0.6003. Could not get beyond March 16, 2019 as far as Signature Definition updates are concerned. Some users I gather from net succeeded only up to October 2019 in this manner.

The point is -- if user has to follow the SHA-2 tagging for Vista ... machine cannot get signature updates. In which case, MS displaying its policy that computers must have SHA-2 code to get updates hits a blank (for signature definition updates) and at the same time MS is forwarding Signature updates for Vista that can be installed manually/automatically.

It is not an issue with Win 7 because Win7 has been offered KB4474419 (SHA-2 Code) exclusively but the same has not been made available for Vista.

KB4474419 (SHA-2 Code) is available is for Server 2008R2 which can be installed on Vista (cutting across the MS policy line switching the machine from 6.0.6002 Vista to 6.0.6003 - server) . Vista was known as a server machine earlier. Server updates were compatible in Vista. But somewhere down the line MS policy was to demarcate Vista & Server updates so that machine can be identified as Server or Vista and it made a huge difference in updates coming through Windows Update in Vista Machines. By switching to server machines many users kept Vista alive with latest security updates and other updates despite no support for Vista by MS. Users do not want to give up on Vista as yet.

But this can be seen as "Bad Practice" although workable for some time even after support for Vista was given up by MS.

The point is ----

--- if MS was to offer an update KB4474419 for Vista just the same way as it did exclusively for Win7 and server 2008R2, the very same signature updates that are offered for Win7 & Vista can be installed for Vista keeping the machine as Vista (6.0.6002). Those signature updates are not getting installed on Vista although MS is offering it clubbed along with Win 7. MS does not know this fact? Many Vista users are waiting for MS to realize it and correct it.So Vista users are in Wait & Watch mode --- hoping that MS will do it as similar issues were dealt with by MS after a long wait / delay. Vista users are confused with MS policies but are hopeful and waiting. Vista users have not given up yet!

Users resort to bad practice when good practice is not workable. In this case, the ball is in MS court as MS policies does not seem to have been fully implemented. ( I hope I am wrong).

For information only, many users are still using and happy with Win XP.

I am not the one to conclude with remarks -- I will switch to Linux or Android / Smartphone.

So the best I can think of --- is to attempt a clean install after doing some trials of installation of some freewares that I intend to use in future. This way I will come to know if my machine is at fault or I am coming to wrong conclusions and the fault is not in MS or anything else... say some good practice is missing...

With this positive remark, I shall get back .... after 2-3 months to see where are we .... So long happy computing ...

And ... by the way, in post#3, I made a wrong mention of KB4474418 whereas it was supposed to be KB4474419-v4. It was a typo- error but if some reader is to search for it in microsoft update catalog, he may be wasting his time and effort. The error is completely from my side. Inconvenience to any reader/ MS / Forum is deeply regretted.
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top