Install sequence for KB4490628, KB4474419

Topic

New Reply

Hello all,

I’m an IT professional and a group B user.  I’ve been following the discussions regarding KB4490628 and KB4474419 trying to determine the installation sequence.

I agree with the reasoning for installing KB4490628 -the Servicing Stack Update – first and rebooting.   However, I don’t think the install sequence for KB4474419 – the SHA-2 Code Signing Support is quite as straight forward.

My main concern is accidentally regressing files in the March Security Only Update – KB4489885.    You can view the file dates in KB4489885 and KB4474419 by looking at the associated Microsoft KB articles and scrolling to “file information”.

There are a huge number of files in both patches, a lot of them common to both.   For the most part the files in KB4474419 have a February, 2019 date and lower version numbers than the files in KB4489885 which has mostly March, 2019 file dates.

So, it would appear that one should install KB4474419 before KB4489885 to avoid regressing the files in KB4489885.  But, lacking clear instructions, who knows for sure?

It would be interesting to hear from a group A user who installed KB4474419 and the March monthly rollup from Windows Update the installation sequence picked by WU.

Comments?

Reply | Quote

Replies

The Servicing Stack KB4490628 has to be installed exclusively (by itself). That is why it does not show up in the Windows Update queue until/unless there are no other pending updates (checked or unchecked). Since it should be installed first, there are two ways around this. You can download the SSU and install it manually first, OR you can hide the other remaining updates temporarily, check for updates, install the SSU, then unhide the other updates.

Given that you install the SSU first, the rest of the updates in the queue can be installed by executing Windows update. Component supersedence in the Windows Update mechanism will prevent what you call “regressing the files.” Windows Update will not overwrite a newer file with an older one.  So the remainder of the files can be installed without a reboot in between and the update mechanism will take care of the rest.

Reply | Quote

Thank you PKCano.   We are well aware of how Windows Update works.   You will note that I am discussing “Group B” users, i.e. those users who manually download the security only updates from the Microsoft Catalog and manually install the updates outside of Windows Update.  With this method, there are no WU controls to manage supersedence because we are not using Windows Update.

Without a doubt KB4490628 must be installed first and the system rebooted prior to proceeding any further.  No questions about that.

However, for “Group B” users, those users who are manually installing the updates downloaded from the MS Catalog, the question for KB4474419 is “should it be installed before or after the March, 2019, Security Only update KB4489885?” to avoid regressing the files common to KB4489885 and KB4474419.

That’s the question I’m trying to get answered.

If you are a group “A” user on Windows 7, perhaps you can look in WU at the installed updates log and tell us if KB4474419 was installed before or after the monthly rollup KB4489878.  That will tell us “B” users the correct install sequence.

Reply | Quote

You misinterpret what I said. The with the Windows updating mechanism, component supersedence prevents what you call  “regressing the files” whether you install through WIndows Update or install manually. Trust me. Install the SSU, reboot, then install the rest (SO, SHA-2, etc without the need to reboot in between). The updating mechanism will take care of it in the correct order, no overwriting newer files/versions.

Reply | Quote

By the way, you are going to need the pciclearstalecache file with the Security-only update. There is a procedure here for the installation, The Group B updates can be downloaded from the AKB2000003 link in that procedure as well. The download is a direct link to the MS Catalog.

Reply | Quote

OK, thanks for the clarification PKCano.  You were talking about hiding and unhiding updates so it appeared that the “Windows Update” (like in the Control Panel) your comments were solely around “Window Update”.

We are downloading and installing from the Microsoft Update Catalog by executing the MSU files.  For further clarification, since this is the Windows 7 forum, we are discussing Windows 7 SP1 Professional.

So, to be absolutely clear on the terminology (and to not belabor the point), AFTER installing KB KB4490628 and rebooting, we can then execute the MSU files to install SHA-2 KB4474419, Security Only KB4489885, etc. without rebooting in between and the “Windows update MECHANISM”. e.g. that which runs when rebooting (“Do not turn your system off”, etc.) will maintain the supersedence while the updates are being applied during the reboot sequence, not during MSU execution (or “Windows Update”).

There appears to be some confusion in the forums on what sequence to install the SHA-2 updates. Some people are installing KB4474419 by itself and rebooting, which may bite them at a later date.   Hopefully this will clear things up.

Regarding the pciclearstalecache file, we installed KB4099950 in March of 2018.  We see in the pciclearstalecache.txt file where the appropriate registry keys were successfully deleted.

It is my understanding that since we installed KB4099950, we don’t need the recent pciclearstalecache exe.

Edit: Removed HTML, was caught as SPAM, please view in Text tab before posting.

Reply | Quote

anonymous wrote:

So, to be absolutely clear on the terminology (and to not belabor the point), AFTER installing KB KB4490628 and rebooting, we can then execute the MSU files to install SHA-2 KB4474419, Security Only KB4489885, etc. without rebooting in between and the “Windows update MECHANISM”. e.g. that which runs when rebooting (“Do not turn your system off”, etc.) will maintain the supersedence while the updates are being applied during the reboot sequence, not during MSU execution (or “Windows Update”).

That is correct. If you run Windows Update, it doesn’t reboot between the patches. It goes through the same process as you do if you install manually without rebooting.

The pre-boot part of the installation (either through WU or manual install) “positions” the in-use files to be replaced. You can’t replace files that are currently in use. The actual “swap out” is accomplished on shutdown-reboot, and the update mechanism will handle the supersedence correctly to prevent what you call  “regressing the files” during the whole installation process.

Reply | Quote

Thanks PK. Hopefully this will help others as well.

Reply | Quote