Determining Patch Replacements

One of the benefits of Security Controls is that it shows you only the patches a machine needs in order to be up to date: earlier patches that have been replaced by later patches are hidden (although you can configure the program to show them if you want).

Many recent Microsoft security patches are released as cumulative rollup patches. A rollup includes all the previously released security patches for the given product as well as fixes for the most recently announced issues. A cumulative patch that completely encompasses an earlier patch is said to replace the earlier patch. For a patch to be replaced, three conditions must hold: every file in the earlier patch must be included in the later patch; each of those files must carry a version equal to or higher than its version in the earlier patch; and the functional registry keys associated with the earlier patch must be included in the replacement patch.

The data definition file records, for each replaced patch, the patch that replaces it. Security Controls evaluates these replacement codes to identify the patches that are applicable to each system being scanned. Particular attention is paid to replacement chains whose members differ in product-level applicability. As an example:

  • Patch A is applicable to Windows 10 1709
  • Patch B replaces Patch A and is applicable to both Windows 10 1709 and 1803
  • Patch C replaces Patch B and is applicable to Windows 10 1803

Security Controls correctly scans for the presence of Patch C on Windows 10 1803 machines and for Patch B on Windows 10 1709 machines, even though Patch B is marked in the data file as being replaced by Patch C. Because Patch C is not applicable to Windows 10 1709, it cannot satisfy the requirement there, so Patch B remains the latest applicable patch for that version and is still reported when it is missing.
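The following is an added example, not code from Security Controls or its data definition file. It models two things described above: the file-and-registry-key rule that decides whether one patch replaces another, and the per-product resolution that walks replacement codes while ignoring replacements that are not applicable to the product being scanned (the Patch A/B/C case). The catalog, product names, file names, versions and registry keys are constructed for illustration. One assumption goes beyond the text: the walk follows `replaced_by` transitively (A to B to C) rather than only one hop.

```python
"""Patch-replacement resolution modelled on the Patch A/B/C example.

Added example, not Ivanti code.  All patch IDs, product names, file names,
versions and registry keys below are constructed for illustration and do not
come from a Security Controls data definition file.
"""
from dataclasses import dataclass


@dataclass
class Patch:
    id: str
    products: frozenset                    # products the patch is applicable to
    files: dict                            # file name -> version tuple shipped by the patch
    registry_keys: frozenset = frozenset()
    replaced_by: frozenset = frozenset()   # replacement codes, as the data file records them


def replaces(later: Patch, earlier: Patch) -> bool:
    """Replacement rule from the text: every file in the earlier patch is present in
    the later patch at the same or a higher version, and every functional registry
    key of the earlier patch is included in the later patch."""
    for name, version in earlier.files.items():
        if name not in later.files or later.files[name] < version:
            return False
    return earlier.registry_keys <= later.registry_keys


def inconsistent_replacement_codes(catalog: dict) -> list:
    """(earlier, later) pairs the data file marks as replaced but that fail replaces()."""
    bad = []
    for patch in catalog.values():
        for code in sorted(patch.replaced_by):
            if code in catalog and not replaces(catalog[code], patch):
                bad.append((patch.id, code))
    return bad


def required_patches(product: str, catalog: dict, include_replaced: bool = False) -> set:
    """IDs of the patches to scan for on `product`.

    A patch is required when it is applicable to the product and no patch that
    replaces it is itself applicable to the product.  The walk follows replaced_by
    transitively (A -> B -> C); treating the chain as transitive is an assumption of
    this example, the text only states the direct case.
    """
    applicable = {pid for pid, p in catalog.items() if product in p.products}
    if include_replaced:                   # the "show replaced patches" configuration
        return applicable
    required = set()
    for pid in applicable:
        superseded = False
        seen, frontier = set(), list(catalog[pid].replaced_by)
        while frontier and not superseded:
            nxt = frontier.pop()
            if nxt in seen or nxt not in catalog:   # unknown code: cannot supersede
                continue
            seen.add(nxt)
            superseded = product in catalog[nxt].products
            frontier.extend(catalog[nxt].replaced_by)
        if not superseded:
            required.add(pid)
    return required


def missing_patches(product: str, installed, catalog: dict) -> set:
    """What a scan would report as missing for a machine running `product`."""
    return required_patches(product, catalog) - set(installed)


# Constructed catalog reproducing the A/B/C example: B replaces A, C replaces B,
# and C is applicable only to Windows 10 1803.
CATALOG = {p.id: p for p in [
    Patch("A", frozenset({"Win10-1709"}),
          {"core.dll": (10, 0, 16299, 100)},
          frozenset({r"HKLM\SOFTWARE\Example\FixA"}), frozenset({"B"})),
    Patch("B", frozenset({"Win10-1709", "Win10-1803"}),
          {"core.dll": (10, 0, 16299, 200), "net.dll": (10, 0, 16299, 200)},
          frozenset({r"HKLM\SOFTWARE\Example\FixA", r"HKLM\SOFTWARE\Example\FixB"}),
          frozenset({"C"})),
    Patch("C", frozenset({"Win10-1803"}),
          {"core.dll": (10, 0, 16299, 300), "net.dll": (10, 0, 16299, 200),
           "gdi.dll": (10, 0, 16299, 300)},
          frozenset({r"HKLM\SOFTWARE\Example\FixA", r"HKLM\SOFTWARE\Example\FixB"})),
]}

if __name__ == "__main__":
    for product in ("Win10-1709", "Win10-1803"):
        print(product, "scan for:", sorted(required_patches(product, CATALOG)))
    print("replacement codes inconsistent with the file rule:",
          inconsistent_replacement_codes(CATALOG))
```

Running the script lists Patch B for Win10-1709 and Patch C for Win10-1803, matching the behaviour described for the scanner. The `inconsistent_replacement_codes` check is the kind of sanity test worth running over any replacement data you maintain yourself: a replacement code that points at a patch which drops a file or a registry key would silently hide a patch that is still needed.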