This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi,
I’m currently in the process of upgrading some Win7 machines from .NET 4.5.2 to .NET 4.7.2 and I’m looking into what .NET security updates will be required following the installation.
The https://devblogs.microsoft.com/dotnet/net-framework-monthly-rollups-explained/ blog states
“ The Security and Quality Rollup will contain all of the past updates for .NET Framework 4.5.x and 4.6.x.”
and
“Security and Quality Rollups and Security-only Updates contain the same security fixes. If you install the Security and Quality Rollup for a given month, there is no need to install the Security only Update.”
The blog is a few years old so I’d like to confirm that these statements also apply to 4.7.2?
In which case, would I only need to install either the latest 4.7.2 rollup to be fully up-to-date as far as .NET security updates go? Similarly if I had to rollback the framework to 4.5.2 would I’d just need the latest 4.5.2 roll-up?
Currently we deploy packages containing multiple security only updates and roll ups but reading the blog has me thinking that the latest roll-up alone should be sufficient.
Thanks
Ps. Apologies if I used the wrong tag, I struggled to find obvious ones for this post.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 93%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETO%3C/text%3E%3C/svg%3E)
Yes, the statements in https://devblogs.microsoft.com/dotnet/net-framework-monthly-rollups-explained/ are still true. If you install the Security and Quality Rollup for a given month, there is no need to install the Security Only Update.
After you upgrade to .NET Framework 4.7.2 then install the latest 4.7.2 rollup you will be fully up-to-date as far as security updates go. If you have to rollback to .NET Framework 4.5.2 then you would need to install the latest rollup for .NET Framework 4.5.2.
Thanks very much, Tara.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 32%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
The security updates contain all previous updates unless otherwise specified. You only need to install the latest one but it doesn't hurt to install the older ones either.
Thanks for the reply, @Michael Taylor . When you say “unless otherwise specified”, I’ve read the May ‘21 articles for 4.7.2/Win7 (KB5001848) & the parent (KB5001878) and it doesn’t mention any omissions. Is it safe to assume that omitted updates would be detailed in the rollup KB article?
I’ve also been looking at the Microsoft update catalog & what is slightly confusing is that the entry for the May ‘21 rollup (KB5001878) states that it replaces Oct ‘20 (KB4579977) & Jan ‘21 (KB4598500) but it does not mention the Feb ‘21 (KB4603002). Initially I wondered if that meant both Feb & May updates need to be installed which contradicts only needing the latest rollup. However, having read the articles, I’m now wondering if Feb is not listed there because the May rollup doesn’t include any additional security updates whereas it does when compared with the Oct & Jan updates (ie the May update will include the CVE-2021-24111 update that was first introduced in Feb). Is my understanding correct?
Yes, we usually only need to install the latest update. The newer updates will include all contents of previous updates
However, 2021-02 Security and Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 7 for x64 (KB4600945) is not a general security update, this KB is a Security Vulnerability patch for specific situation, I agree with your idea, install both of Feb & May updates.
-------------------------------------------------------------------------------------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks for the reply, @Teemo Tang .
Do you mean that the May rollup doesn’t include the vulnerability update for CVE-2021-24111 that was in the Feb rollup?
If so, and it’s the case that the latest rollup usually, but not always, contains all previously released security updates required, how do you determine which, if any, additional updates need installing given it’s not detailed in KB article (based on the May article not stating that it doesn’t cover CVE-2021-24111 if that is the case).
No, i didn't say May rollup doesn't include the vulnerability update for CVE-2021-24111, you know we can't know the specific content of a monthly rollup. I just suggest to install this KB separately to ensure your computer has vulnerability protection. Because I don't see KB4600945 appears in the list here: https://support.microsoft.com/en-us/topic/february-9-2021-kb4601347-monthly-rollup-c0ae9599-f93d-68ee-7542-0aa3564f3190
Thanks for clarifying, @Teemo Tang .
When you say ‘we can't know the specific content of a monthly rollup’ it suggests to me that I cannot be absolutely sure that the latest .NET rollup includes all previous .NET security updates as the Microsoft blog I linked to states, do you agree?
If I cannot be sure that the latest rollup is all I require, how can I find out which updates the latest rollup doesn’t include? For example, if I need KB4600945 as well as the May rollup, how would I know this without asking here?
The link in your last post as it looks to be a Windows update rollup not a .NET rollup, is that correct? KB4600945 does appear in the Feb .NET rollup article:
Just giving my last post a bump :)