What is included in a Microsoft patch?

Get a technical overview of what's included in each type of Microsoft patch, from security patches to updates to drivers in this book excerpt.

Get a glimpse inside the e-book "The complete patch management book" by Anne Stanton, president of Norwich Group, and Susan Bradley, Microsoft Small Business Server MVP. This series of book excerpts will help you navigate Chapter 1, "What is patch management?," courtesy of Ecora.

Let's roll up our sleeves, get technical and examine what is included in each type of Microsoft patch. Security patches, critical updates, updates, update rollups, drivers and feature packs fall into the general distribution release (GDR) category. These go through testing across different platforms and applications to ensure that they function properly and that any program or update that includes new features performs as intended. Hotfixes, by contrast, are developed by Microsoft Product Support Services for a specific situation and are not tested as extensively as general distribution releases. Microsoft Knowledge Base articles, freely available from Microsoft Product Support Services, always accompany these hotfixes, which are also known as QFEs (Quick Fix Engineering updates).

In the Windows 2003 Server environment, product update packages may include two or more copies of the same files to support two different types of install environments for a system. When a security patch, critical update, update, update rollup, driver or feature pack installs, the installer package checks which files already exist on the system. Possible install environments include:

  • GDR environment
    • Original released version (RTM)
    • Service pack version
    • General distribution release
  • QFE environment
    • Hotfix

Having discovered the appropriate environment, the installer package installs the applicable file set. To see what version of a file exists in a Windows 2003 server environment, review the following formats:

File version / Source of file

Srv03_rtm.mmmmmm-nnnn / The file is from the original RTM version of the product and has not been updated by any security patch, critical update, update, update rollup, driver, feature pack or hotfix.
Srv03_gdr.mmmmmm-nnnn / The file is from a security patch, critical update, update, update rollup, driver or feature pack and has not been updated by a hotfix.
Srv03_spx.mmmmmm-nnnn / The file is from a service pack (SP) and has not been updated by a security patch, critical update, update, update rollup, driver or feature pack.
Srv03_qfe.mmmmmm-nnnn / The file is from a hotfix.

On our server, the file is a GDR version, which indicates that the patch engine did not find a hotfix and instead found a GDR version. For example, let's look at the file included in security bulletin 04-024 (04 for the year 2004, -024 for the 24th bulletin of that year). The sample below is that bulletin's patch for the Windows 2003 platform. It includes updates to one file, shell32.dll. Inside the installer package are two files: one expects that the server will still have one of the original DLLs, categorized as a GDR package; the other anticipates a hotfix.

Date / Time / Version / Size / File name / Folder / Applies to

13-May-2004 / 00:07 / 6.0.3790.168 / 8,168,960 / Shell32.dll / RTMGDR / Servers that have the original released version (RTM), service packs or general distribution versions.
12-May-2004 / 23:29 / 6.0.3790.169 / 8,168,960 / Shell32.dll / RTMQFE / Servers that have received a hotfix version.

The shell32.dll File Version Window
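
An added example (not from the book or from Microsoft) that applies the version-tag table and the 04-024 listing above: it reads the branch tag from a file's version string, works out which install environment the server is in, and checks that the file found after patching is the one the package carries for that environment. The combined "number (tag)" string layout, the field widths and the sample strings are assumptions constructed for illustration.

```python
import re

# Branch tag -> (source of file, install environment), per the table above.
BRANCHES = {
    "rtm": ("original RTM release", "GDR"),
    "sp": ("service pack", "GDR"),
    "gdr": ("general distribution release", "GDR"),
    "qfe": ("hotfix", "QFE"),
}
# Assumptions: "mmmmmm-nnnn" is a 6-digit and a 4-digit field, and the "x"
# in "spx" stands for the service pack number.
TAG_RE = re.compile(r"srv03_(rtm|gdr|qfe|sp)[0-9x]?\.\d{6}-\d{4}", re.I)
NUM_RE = re.compile(r"\d+(?:\.\d+){3}")

# Shell32.dll entries from the bulletin 04-024 listing on this page.
MANIFEST = [
    {"file": "Shell32.dll", "version": "6.0.3790.168", "folder": "RTMGDR"},
    {"file": "Shell32.dll", "version": "6.0.3790.169", "folder": "RTMQFE"},
]

def classify(version_string):
    """Return (source, environment) for a version string, or None."""
    m = TAG_RE.search(version_string)
    return BRANCHES[m.group(1).lower()] if m else None

def expected_entry(environment, file_name, manifest=MANIFEST):
    """Package file the installer should apply for this environment."""
    for entry in manifest:
        same_file = entry["file"].lower() == file_name.lower()
        if same_file and entry["folder"].endswith(environment):
            return entry
    return None

def audit(pre_patch, post_patch, file_name="Shell32.dll"):
    """Check the post-patch version against what the pre-patch branch predicts."""
    info = classify(pre_patch)
    if info is None:
        return "UNKNOWN_BRANCH"  # no branch tag: do not guess the environment
    expected = expected_entry(info[1], file_name)
    found = NUM_RE.match(post_patch.strip())
    if expected is None or found is None:
        return "CANNOT_VERIFY"
    return "OK" if found.group(0) == expected["version"] else "MISMATCH"

# Constructed sample strings (version numbers before patching are made up).
PRE_RTM = "6.0.3790.0 (srv03_rtm.030324-2048)"
PRE_QFE = "6.0.3790.150 (srv03_qfe.040301-1111)"
POST_GDR = "6.0.3790.168 (srv03_gdr.040512-1234)"

if __name__ == "__main__":
    print(audit(PRE_RTM, POST_GDR))  # GDR environment got the RTMGDR file
    print(audit(PRE_QFE, POST_GDR))  # hotfixed server should have got RTMQFE
```

A MISMATCH result marks a server whose patched file does not match the file set for its environment and is worth reviewing before the patch is counted as deployed.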

While security bulletin 04-024 includes an update to only one file, many patches contain a series of files that replace existing files on a system. Other security patches may include a series of files needed to correct the condition. For example, the security patch in Microsoft Security Bulletin MS04-022: Vulnerability in Task Scheduler Could Allow Code Execution (841873) includes a series of files needed to remove the vulnerability from the system:

Date / Time / Version / Size / File name / Folder

08-Jun-2004 / 22:01 / 5.1.2600.105 / 48,640 / Browser.dll / RTMQFE
08-Jun-2004 / 22:01 / 5.1.2600.155 / 251,392 / Mstask.dll / RTMQFE
03-Jun-2004 / 22:54 / 5.1.2600.155 / 9,728 / Mstinit.exe / RTMQFE
08-Jun-2004 / 22:01 / 5.1.2600.122 / 301,568 / Netapi32.dll / RTMQFE
08-Jun-2004 / 22:01 / 5.1.2600.155 / 159,232 / Schedsvc.dll / RTMQFE
08-Jun-2004 / 22:02 / 5.1.2600.1564 / 260,096 / Mstask.dll / SP1QFE
08-Jun-2004 / 19:59 / 5.1.2600.1564 / 10,752 / Mstinit.exe / SP1QFE
08-Jun-2004 / 22:02 / 5.1.2600.1562 / 306,688 / Netapi32.dll / SP1QFE
08-Jun-2004 / 22:02 / 5.1.2600.1564 / 172,544 / Schedsvc.dll / SP1QFE
18-May-2004 / 03:46 / 5.1.2600.1555 / 593,408 / Xpsp2res.dll / SP1QFE

Applying new executables and DLL files introduces change into a stable system. As is evident from the files listed above, the security update includes both executables and dynamic link library files. An .exe file is a file that a computer can directly "run" or execute. A DLL file contains a range of functions accessed by other Windows applications. The standard functions in the Windows Application Programming Interface (or API) are accessed using DLL files. This standardization eases collaboration among disparate applications. Without these building blocks, applications would look and act much differently. A DLL can have the extension of .exe, .dll, .drv or .fon. In any case, patching introduces new files and new code into a stable system. Thus, be sure to test the install and uninstall processes, as well as any potential rollback issues.

Footnote: "Description of the contents of a Windows Server 2003 product update package," Redmond, Wash.: Microsoft Corporation, 2004; "Microsoft Security Bulletin MS04-022," Redmond, Wash.: Microsoft Corporation, 2004.
