Please help me understand Windows Server Updates and Cumulative Updates

Anonymous
2024-10-11T18:14:22+00:00

Hello!

Can someone please help me better understand how Windows updates and cumulative updates work? And, help me understand how to prove an update has been installed?

Our company recently underwent a third-party security risk assessment which found a CVE-2024-38193 vulnerability for one of our WS2019 Std. servers (current OS build: 17763.6414).

When I look up that vulnerability here [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38193] -- and search for WS2019 in the "Server Updates" section -- it shows the appropriate update/patch as KB5041578. 

[Screenshot 1]

That update does not appear when I view the update history in Windows Update on the server.  Nor does it show up if I use cmd/PS to list installed updates.

I don't know much about how the Windows Update system works, but I assume the update/patch I'm interested in gets included in the next cumulative update. I can't seem to find anything that can confirm (or refute) the assumption.

The table in this page [https://learn.microsoft.com/en-us/windows-server/get-started/windows-server-release-info] shows the KB value I referenced, as well as the OS build we're running.

[Screenshot 2]

Is it safe to assume the updates included in KB5041578 are included in build 17763.6414 or a cumulative update that was released after 2024-08-13 (KB5043050)?  If so, can someone point me to documentation indicating so?  I'd like to be able to show the appropriate update has been installed to mitigate the vulnerability identified.

Thank you!


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


3 answers

  1. Anonymous
    2024-10-14T06:14:17+00:00

    Hello -Adam,

    Thank you for posting in Microsoft Community forum.

    Windows Server Updates and Cumulative Updates

    1. Types of Updates
    • Quality Updates: These are regular updates that include security updates, bug fixes, and improvements.
    • Cumulative Updates: These packages include all previous updates (both security and non-security) released for that operating system. Installing the latest cumulative update brings your system up to date with all previous fixes.
    2. Cumulative Updates for Windows Server

    Cumulative updates can be monthly, and they include all previous patches, meaning you only need to install the latest cumulative update to get all prior fixes. For example, a cumulative update in August will include all changes from previous months, so you don’t need to install individual updates released before it.

    Understanding your Situation

    CVE-2024-38193 Vulnerability

    You are concerned about mitigating the CVE-2024-38193 vulnerability. You identified KB5041578 as the relevant patch for Windows Server 2019 to address this CVE.

    Current OS Build

    • You mentioned your server is running OS build 17763.6414.
    • It's essential to understand build numbers; they help you determine the exact update level of your system.

    Given your server’s current OS build is 17763.6414, you can cross-reference this with the latest cumulative update and its included patches to ensure CVE-2024-38193 is mitigated. If KB5041578 is included in a cumulative update that came after your current build, your system should already be protected.

    If your current OS build is 17763.6414, and if this build number matches the build number mentioned in the documentation for KB5041578 (e.g., if KB5041578 was included in a cumulative update that resulted in build 17763.6414), you can confidently say that the update has been applied.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Haijian Shan

  2. Anonymous
    2024-10-14T19:32:31+00:00

    Thank you for your reply. It is helpful, however...

    "you can cross-reference this with the latest cumulative update and its included patches"

    Can you please point me to this? Apologies if I'm missing something obvious, but I can't seem to find something showing the previous updates/patches included in a particular update.

    Also...

    "If KB5041578 is included in a cumulative update that came after your current build"

    Just to be clear, did you mean before my current build?

    Is it basically fair to say since KB5041578 (released 8/13) came before my current build (17763.6414), its patches are undeniably included in my current build (somewhat illustrated in the 2nd screenshot above)?

    Thanks, again, for your help!

    -Adam

    1 person found this answer helpful.
  3. Anonymous
    2024-12-16T03:07:19+00:00

    To cross-reference cumulative updates and the patches they include, you generally need to look at the official documentation provided by Microsoft. The Windows updates documentation typically includes detailed information on what patches and fixes are included in each cumulative update.

    1. Windows Update History: This is usually the best place to look. You can search for your specific Windows version (e.g., Windows 10 version 1809) on the Windows 10 update history page.
    2. Microsoft Update Catalog: Another useful resource is the Microsoft Update Catalog. Here, you can search for specific KB numbers or cumulative updates and find detailed information about what they include.

    Since KB5041578 (released on 8/13) came before your current build (17763.6414), its patches are undeniably included in your current build. This is because cumulative updates incorporate all the changes from previous updates, ensuring that you have the latest patches and fixes.

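One way to produce the evidence the question asks for, as an added example that is not part of the original thread or of Microsoft's documentation: compare the server's build revision with the build the release-info table lists for the fixing KB. The function name `Test-FixIncluded` is hypothetical, and the `17763.1000` value in the sample call is a constructed stand-in to be replaced with the build shown for KB5041578 in that table.

```powershell
# Added example: decide whether a fix is present from the OS build alone.
# Cumulative updates only move the revision (UBR) forward, so a fix first
# shipped in build X.Y is present on any system at X.Z where Z >= Y.
function Test-FixIncluded {
    [CmdletBinding()]
    param(
        # Build listed for the fixing KB in the release-info table.
        [Parameter(Mandatory)]
        [ValidatePattern('^\d+\.\d+$')]
        [string]$FixedInBuild,

        # Build to evaluate; defaults to the local machine's build.
        [ValidatePattern('^\d+\.\d+$')]
        [string]$InstalledBuild
    )

    if (-not $InstalledBuild) {
        # CurrentBuild and UBR together form the "OS build" shown by winver.
        $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $InstalledBuild = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
    }

    $fixBase, $fixRev = $FixedInBuild.Split('.')   | ForEach-Object { [int]$_ }
    $curBase, $curRev = $InstalledBuild.Split('.') | ForEach-Object { [int]$_ }

    # Revisions are only comparable within the same base build (17763 here).
    if ($fixBase -ne $curBase) {
        throw "Base build mismatch: installed $curBase, fix is for $fixBase."
    }

    [pscustomobject]@{
        InstalledBuild = $InstalledBuild
        FixedInBuild   = $FixedInBuild
        FixIncluded    = ($curRev -ge $fixRev)
        # Most recently installed packages, as supporting evidence for an auditor.
        RecentHotFixes = (Get-HotFix | Sort-Object InstalledOn -Descending |
                          Select-Object -First 3 -ExpandProperty HotFixID) -join ', '
    }
}

# '17763.1000' is a constructed stand-in, NOT the real build for KB5041578.
# Replace it with the build the release-info table shows for that KB.
Test-FixIncluded -FixedInBuild '17763.1000' -InstalledBuild '17763.6414'
```

Omitting `-InstalledBuild` makes the function read the build from the server it runs on, so the output can be captured per host alongside the release-info table as the audit record.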