Microsoft update blunders going out of control

This isn't the first time I've brought this up. In the summer of last year Microsoft had buggy Patch Tuesday updates three months in a row. There had been others that year, some of which crippled systems.

The following list includes problems observed in just the last six months:

  • Microsoft's June patches broke Office Click-to-Run for some
  • August Windows updates caused systems to go into reboot loops (among other problems)
  • September Lync server security update may not install successfully
  • A file sync issue in OneDrive for Business forced Microsoft to pull and reissue an update
  • An update to add SHA-2 hashing to Windows 7 and Windows Server 2008 R2 could cause system reboots
  • New ciphers included with a security update to Schannel caused connections to drop and programs to become unresponsive
  • October updates to Microsoft Word 2010 and 2013 could stop fields from updating (*)
  • An Exchange 2010 update issued in December could stop Outlook from connecting to the server. It was withdrawn and reissued
  • December update KB3004394 on Windows 7 and Windows Server 2008 R2 can cause an inability to install future updates
  • December update KB2553154 for Office 2010 disables ActiveX controls

Update on December 15: They keep coming. KB3008923 describes problems with MS14-080, the December Cumulative Update for Internet Explorer:

Known issues with this security update

  • We are aware of some reports of functional issues on sites that use nested modal dialog boxes on Internet Explorer 11 that occur after you install this security update. Microsoft is researching this issue and will post more information in this article when the information becomes available.
  • We are aware of some limited reports of Internet Explorer 9 crashing after you apply this security update. Microsoft is researching this issue and will post more information in this article when the information becomes available.

The MS14-080 security bulletin itself has no mention of any problems.

Update on December 15: Microsoft contacted me about the section above. They say that KB2920738, the article which explains the field updating bug in Word 2013, mistakenly attributed the problem to KB2889939 ("[I]mproves localization in the Kyrgyz and Mongolian language versions..."). The correct article to point to is KB2889954 ("Hotfix KB2889954 for Word 2013 October 14, 2014 (Word-x-none.msp)"), which fixes a large number of Word bugs. Microsoft calls it a typo (which I believe) and thanked me for pointing it out. KB2920738 has been corrected. I have had to cross out a big chunk of the story. The main point about the number and severity of updates stands unchecked. The Microsoft correction makes sense out of the nonsense of their explanations.

Whenever I see a change like this in anything, I try to ask myself whether there really is a change or whether we're just noticing it more than in the past. In this case, I think the only way it's just a matter of perception is if Microsoft has begun reporting update problems more than they have in the past. This is entirely possible, but I don't have any real evidence that it's the case.

With products as complex as Windows, Office and Exchange and a user base as large and diverse as theirs, there are always people complaining of problems caused by updates and it's inevitable that some users will suffer ill effects from even a well-designed and tested patch, because there are just too many configurations and third-party products for Microsoft to test.

There's another complication potentially at fault in these bugs: Microsoft silently patches many security problems. 

If an undocumented function of an update were to cause problems it wouldn't be surprising for Microsoft to dissemble in their explanations. Of course I'm speculating here, but it's not like we have an official and logical explanation on which to rely.

I would assume that the people in charge at Microsoft know what the real problem is and aren't happy with it. In the long run, when almost all our software is in the cloud and managed, I think all patches will be silent and we won't know anything happened, other than perhaps a version number incrementing. Have there been any security bulletins for the online parts of Office 365?

In the meantime I have to figure that the update processes for Windows, Office and Exchange have become too complex and unwieldy. There's little Microsoft can do about it in the short term; they brought it on themselves, mostly by having excessively long support lifecycles. I wish I had some constructive advice with near-term benefits, but I think we're doomed to more of this sort of thing for the foreseeable future.

 
