Supersedence in Windows Updates is a mechanism Microsoft uses to manage and streamline the application of patches and updates. It ensures that systems stay secure and up to date while avoiding redundancy by replacing older updates with newer ones. Here's a detailed explanation:
What is supersedence?
Supersedence occurs when a newer update replaces one or more older updates. The newer update typically includes:
- All fixes and improvements from the older update(s).
- Additional enhancements or fixes not present in the older updates.
The older updates are considered "superseded" and are no longer required if the newer update is applied.
How supersedence works
-
Cumulative Updates:
- Microsoft primarily uses cumulative updates for Windows 10 and later. These updates include all previously released fixes for a given version of Windows. For example: A cumulative update released in March 2025 contains all fixes from updates released in January 2025, February 2025, and earlier.
-
Component-Based Servicing (CBS):
- Windows updates are managed by the Component-Based Servicing stack, which tracks the state of system components and ensures that only the latest versions are applied.
- CBS automatically determines whether an update is needed by evaluating the component versions on the system.
-
Update Metadata:
-
Each update includes metadata that defines its relationship with other updates. This metadata specifies:
- Whether the update supersedes older updates.
- Whether the update can be applied independently or requires prerequisites.
-
Each update includes metadata that defines its relationship with other updates. This metadata specifies:
-
Update Catalog:
- Supersedence relationships are documented in the Microsoft Update Catalog, where you can see which updates have been replaced by newer ones.
Key scenarios
1. Monthly Quality Updates
- These include security fixes and non-security improvements.
- Each month's update supersedes the previous month's update for the same Windows version.
2. Security-Only Updates
- Released for environments requiring strict control over updates.
- These updates typically do not supersede each other unless explicitly stated.
3. Feature Updates
- Major updates (e.g., upgrading from Windows 10 21H2 to 22H2) supersede older feature updates but are not cumulative across different versions.
4. Optional Updates
- Updates for specific features, drivers, or non-critical issues may also have supersedence metadata.
Supersedence example
- January Update (KB5000001) fixes vulnerabilities A and B.
-
February Update (KB5000002) fixes vulnerabilities A, B, and C and supersedes KB5000001.
- Applying KB5000002 means KB5000001 is no longer needed, as its fixes are included in KB5000002.
How it affects patch management
-
Windows Update and WSUS:
- Automatically manage supersedence by showing only the latest applicable update.
- Older superseded updates may not appear unless specifically configured to show them.
-
Cumulative Nature:
- If a system misses a few updates, applying the latest cumulative update brings it fully up to date, as it contains all prior fixes.
-
Third-Party Tools:
- Tools like SCCM, Qualys, or Tenable may flag older updates if they don't fully account for supersedence relationships.
Benefits of supersedence
- Efficiency: Reduces the number of updates that need to be installed.
- Consistency: Ensures systems are uniformly patched without gaps.
- Reduced Reboots: Minimizes the number of reboots required to apply updates.
Challenges and misunderstandings
-
Visibility of Superseded Updates:
- Superseded updates are hidden by default in Windows Update and WSUS, which can confuse administrators if they are unaware of the mechanism.
- VM tools may report superseded updates as "missing" if they don't properly align with Microsoft's supersedence logic.
-
Custom Configurations:
- Environments using security-only updates or customized WSUS policies may encounter complexities with supersedence.
-
Outdated Systems:
- For systems significantly behind on updates, applying a single cumulative update may not be feasible, requiring intermediate updates.
How to check supersedence
- Microsoft Update Catalog: Search for an update and review its "Superseded by" or "Supersedes" sections.
-
Windows Update Logs: Use PowerShell to retrieve and analyze Windows Update logs:
Get-WindowsUpdateLog