Installation of kb4016635 Today, on Win Server 2016, is still relevant?

Question

Hello.
To make sure that all of our servers are protected of MS-17-010, I have to make sure that at list one of several hotfix's is installed on each server.
This is the list for 2016 servers, according to the link bellow the list.
Updates:
kb4013429, kb4016635, kb4015217, kb4019472, kb4022723
Link:
https://support.microsoft.com/en-us/topic/how-to-verify-that-ms17-010-is-installed-f55d3f13-7a9c-688c-260b-477d0ec9f2c8
Of all the updates listed above, only kb4016635 is available.
When I've tried to deploy it via SCCM, i found that totally different update were installed - KB5007192. Which is the Cumulative Update for November 2021.
Tried to download the kb4016635 manually from Microsoft Update Catalog and install it, bring up an error that the update is not applicable for this computer.
Tried some ways to fix it:

1. Troubleshooting Updates.
2. sfc /scannow.
3. DISM etc - restorehealth.
4. Make sure framework 3.5 installed properly.
   Finally, i extracted the CAB file and install the package by this command:
   DISM.exe /online /add-package /packagepath:c:\update\kb.cab
   Which end successfully. but now i don't see this KB in my updates history.
   Now, the real question is if yet i must struggle install this particular KB?
   It's still relevant, or if last updates are installed, the system protected of MS-17-010?
   Or perhaps, the system is not protected, but there is another fix to patch it?

Answer 1

Each cumulative monthly update supersedes the previous month’s update, containing both security and non-security fixes.
https://learn.microsoft.com/en-us/windows/deployment/update/waas-overview

KB5007192 plus the out of band KB5008601 will bring it current.
https://support.microsoft.com/en-us/topic/windows-10-and-windows-server-2016-update-history-4acfbc84-a290-1b54-536a-1c0430e9f3fd

--please don't forget to upvote and Accept as answer if the reply is helpful--

Answer 2

Hello YosiCohen,

The KB4016635 has been superseded by a more recent patch:
https://support.microsoft.com/en-us/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722
This update replaces the previously released update KB4016635.

Meaning that looking at these "old" updates or vulnerabilities, like 2017 in this case, most of that KBs have been already integrated in cumulative updates and rollups, and even superseded by further versions.

My recommendation, is to check the CVS with file versions for the KB you want to install (in the option "file information for cumulative update") , and compare to the file version present in your system. If your version is higher it means that it does include the previous version patches.

---

--If the reply is helpful, please Upvote and Accept as answer--

Answer 3

Thanks for replaying.
But just to make it sure for me, i'll ask:

Since KB4015217 is not available as well, and KB5007192 had been installed on the server.

As long as i have installed the last updates on the servers, that's means that it's patched all old CVE'e, even it's skipped all relevent updates which was suppose to containe it?

Why do i ask?
Because the CVE page (The link above) mention few specific KB's that contains that patch. and updates follows eache others. otherwise any yeare the comulative updates will grow way too much.
So, i must understand and get it clear for those servers which missed big portion of the chain.

Answer 4

Thanks a lote!