Windows Server Update Services 3.0 SP2 Release Notes


Applies To: Windows Server Update Services, Windows Small Business Server 2011 Standard, Windows Server 2008 R2, Windows Server 2003 with SP2, Windows Server 2008 R2 with SP1

These release notes address the most critical information and issues about the Windows Server Update Services (WSUS) 3.0 Service Pack 2 (WSUS 3.0 SP2) release. This document contains the following sections:

What’s new in this release?

  • Integration with Windows Server® 2008 R2

  • Support for the BranchCache® feature in Windows Server 2008 R2

  • Support for Windows® 7 client computers

New features

  • Automatic approval rules include the ability to specify the approval deadline date and time for all computers or for specific computer groups.

  • Improved handling of language selection for downstream servers includes a new warning dialog that appears when you decide to download updates only for specified languages.

  • New Update and Computer Status reports let you filter updates that are approved for installation. You can run these reports from the WSUS administration console or use the application programming interface (API) to incorporate this functionality into your own reports.

Windows Update Agent improvements

  • Client computer scan time is faster than previous versions.

  • Computers that are managed by WSUS servers can now run “scoped” scans against those servers, instead of performing a full scan. This results in faster scans for applications that use Microsoft Update APIs such as Windows Defender.

  • User experience improvements help users organize updates and provide greater clarity on update value and behavior.

  • Imaged computers are more clearly displayed in the WSUS administration console.

    For more information, see article 903262 in the Microsoft Knowledge Base.

  • Prevents APIs that are called by non-local system callers in a non-interactive session from failing.

  • Prevents error code 0x80070057 when you try to install 80 or more updates at the same time from the Windows Update Web page or from the Microsoft Update Web page.

  • Improves scan times for Windows Update

  • Improves the speed at which signature updates are delivered

  • Enables support for Windows Installer reinstallation functionality

  • Improves error messaging

Known issues

When publishing an .exe update with an uninstall behavior, the client does not support uninstalling.

WSUS allows the WSUS admin to locally publish an .exe update with uninstall behavior. The client, however, does not support uninstalling .exe updates.

Server communication error appears after the WSUS installation wizard completes

In rare cases, the following error appears after the user is instructed to click Finish after the WSUS installation wizard has successfully completed:

  • An error occurred when communicating with the server and this wizard must be closed. You may restart the WSUS Server Configuration Wizard from the Options page in the WSUS console.

To make sure that your installation selections were saved, open the Options page on the WSUS administration console and confirm the settings in each section.

An error message appears when running update and computer status reports

The new update and computer status reports that were introduced in this WSUS 3.0 SP2 release are not functional in an environment where downstream servers that are running WSUS 3.0 SP1 are managed from a server that is running WSUS 3.0 SP2. If the new reports are run for a server that is running WSUS 3.0 SP1, the following error message appears:

  • An error occurred while generating the report. Try running the report again or contact your network administrator if the problem persists.

The new reports depend on API functionality that does not exist in WSUS 3.0 SP1; however, the administration console on a computer running WSUS 3.0 SP2 does not block the new reports when managing a server running WSUS 3.0 SP1.

WSUS 3.0 SP2 upgrade fails when SSL is configured without a certificate name

A certificate name is required if you are configuring the Secure Sockets Layer (SSL).

Windows Internal Database installed on Windows Server 2008 prevents upgrading to Windows Server 2008 R2

Before you continue with the upgrade to Windows Server 2008 R2, a Compatibility Report error message appears, which instructs you to turn off the Windows Internal Database. It is necessary to upgrade Windows Internal Database before the upgrade to Windows Server 2008 R2 can proceed.


For instructions and more information about upgrading Windows Internal Database, see How to obtain the latest service pack for Windows Internal Database.

Multiple download errors or repeated client computer synchronization failures occur

If client computers running WSUS 3.0 SP2 report multiple download errors or fail to synchronize with the WSUS 3.0 SP2 server for an extended period of time, you may have corrupted client download cache. To recover from this state, delete the client download cache from the file system and attempt to reinstall the update.

To delete cache and reinstall the update
  1. On the client computer, open a command prompt (Cmd.exe), navigate to %windir%\SoftwareDistribution\Download, and then delete all the files and subdirectories.

  2. Attempt to install the update by synchronizing the client computer with WSUS 3.0 SP2 again. This installation attempt should fail with the following error: WU_E_DM_NOTDOWNLOADED, "The update has not been downloaded."

  3. After this failure, the client computer will automatically restart the download and the installation will proceed.

Synchronization fails

If synchronization fails, your first course of troubleshooting action should be to try to synchronize the server again. If subsequent synchronizations fail, see the Issues with Synchronization section in the Windows Server Update Services 3.0 SP2 Operations Guide.

Changing the WSUS 3.0 SP2 configuration directly in the database is not supported

Windows Server Update Services stores its configuration data in a SQL Server database. However, changing the configuration data by accessing the database directly is not supported. Do not attempt to modify the WSUS 3.0 SP2 configuration by accessing the database directly. You should change the WSUS 3.0 SP2 configuration by using the WSUS 3.0 SP2 administration console or by calling WSUS 3.0 SP2 APIs.

Download failures are not reported quickly if disk quotas are turned on

If disk quotas are turned on and the quota is reached, update download failures on the WSUS server may not be reported in a timely manner. To avoid this issue, disable disk quotas or increase the quota.

If a downstream server is converted to an upstream server, catalog site updates must be reimported

When you promote a downstream server to be an upstream server, you must also reimport all catalog site updates. Otherwise the site will fail to synchronize new catalog site update revisions to this server.

If you are using IIS with SSL, unencrypted access is still possible

If you set up IIS to use SSL by installing a certificate, it is still possible to access the site through unencrypted HTTP unless the option Require Secure Channel is selected. For more information, see The Official Microsoft IIS Site.

Catalog site import fails

When performing a catalog site import, if the Network Service account does not have read/write permission for the %windir%\TEMP folder, the import may fail with an error message such as “Server was unable to process request. ---> Could not find file "C:\WINDOWS\TEMP\tempFileName.dll."

The Network Service account must have Full Controll permissions to the %windir%\TEMP folder.

Email notification fails without notice

If the network's email server is offline, WSUS 3.0 SP2 will silently fail to send email notifications. However, it will write event 10052 (HealthCoreEmailNotificationRed) in the event log.

See E-Mail Notification Failures for more information.

Changed settings are not pushed immediately to the downstream server

When an upstream server configuration is changed, it might take some time before configuration changes actually become effective. For example, if you change a setting on an upstream server such as selecting a new language, and you immediately synchronize the downstream server, the change will not appear. Instead, it will be pushed to the downstream server on the next scheduled synchronization. The wait time increases depending on the number of updates that are present on the upstream server.

The WSUS Administrators domain account is not deleted when WSUS is uninstalled

The WSUS Administrators group is created as a domain account (not a local account) on domain controllers, so all installations that use this domain account would be disabled if the account was deleted when WSUS is uninstalled. Therefore, uninstalling WSUS will not delete the WSUS Administrators domain account.

Uninstalling WSUS 3.0 SP2 does not uninstall the database

If WSUS 3.0 SP2 is uninstalled, the Windows Internal Database will not be uninstalled. The instance may be shared by more than one application, and it will cause other applications to fail if it is removed.

If it is necessary to uninstall Windows Internal Database, the following commands will uninstall the application:

(on 32-bit platforms)

msiexec /x {CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB} callerid=ocsetup.exe  

(on 64-bit platforms)

msiexec /x {BDD79957-5801-4A2D-B09E-852E7FA64D01} callerid=ocsetup.exe  

If you want to uninstall Windows Internal Database Service Pack 2 from Windows Server 2008 or Windows Server 2008 R2, you can do so by using Server Manager.

However, the removal of Windows Internal Databasedoes not remove the default .mdf and .ldf files, which will cause a subsequent WSUS 3.0 SP2 installation to fail. You can delete these files from the %windir%\SYSMSI\SSEE directory.

"Unknown" status updates are reported as "Not Applicable"

If a downstream server starts to synchronize from an upstream server, updates that have a status of Unknown will be reported on a new upstream server as Not Applicable. This state is temporary, and it will correct the next time the downstream server reports its status, after its client computers have synchronized with it.

The connection to all servers is lost when the Server Cleanup Wizard times out

It is possible to run the Server Cleanup Wizard on multiple servers from a single remote console. However, if the cleanup process times out on one of the servers, the console will lose its connection to all the servers. No data will be lost, but the administrator will need to reset the remote connection to each of the servers.

"There was no synchronization failure" error message appears in the Configuration Wizard

When you configure WSUS, you are required to connect to the upstream server (Microsoft Update or the intranet upstream server) to transfer basic information about the server. If you click Start Connecting and immediately click Stop Connecting, you will receive the incorrect error message “There was no synchronization failure.”

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2011 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, SharePoint, SQL Server, Windows Vista, Windows, and Windows Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.