CA Client Automation

  • Private Community
 View Only

 KB in July's IntelliRollup but not in later rollups

Jump to Best Answer
jcsolis's profile image
jcsolis posted Nov 23, 2023 11:02 AM

Good day. I hope everyone is doing well.

This is my first post and I write because we have a doubt regarding a KB that was included in July's IntelliRollup but wasn't included on subsecuent ones (August, September, October).

The KB I am talking about is KB5028223 and this is the link:

https://support.microsoft.com/en-us/topic/july-11-2023-kb5028223-security-only-update-be9f12d1-3394-46ef-83fb-ebe84a25510a

We did some investigation about this and apparently the same vulnerabilities are patched with KB KB5028228 (July's Monthly Rollup):

https://support.microsoft.com/en-us/topic/july-11-2023-kb5028228-monthly-rollup-b7ee35a2-91ab-4e36-8e46-7c616d1bd4e4

We know this is for Server 2012 that is ending support soon, but the thing is that we were assuming that this Rollups are cummulative and applying the last one will make the server (or pc) up to date. In this specific server, we didn't apply the July rollup and went directly with October's rollup, but our Security Team (which uses Tenable) is telling us that the KB mentioned above is missing on the server.

This oppened up the discussion about if IntelliRollups are really cummulative or not and if it will be necesary to apply every IntelliRollup to be sure the machine is getting correctly updated, and not just the most recent one.

Does anyone has an idea as of why this specific KB was included in July but wasn't on subsecuent IntelliRollups?

Thank you very much in advance and sorry for the long post.

Regards.

Venkata Chelluboina's profile image
Broadcom Employee Venkata Chelluboina posted Nov 24, 2023 06:53 AM Best Answer

Good day Jcsolis.

Thanks for bringing this issue to our notice. IntelliRollups are cummulative. KB5028223 is missed in our internal INI preparation and marked as superseded by Aug 2023 patch has caused the issue.  Now we included this patch to the October 2023 rollup and republished. Please recycle CA Content Import Client service and Accept the rollup "CA - Patch Me - Security IntelliRollup v2310.00". Or as you already deployed the v2310 rollup, deploy the individual patch "2023-07 Security Only Update - Windows8.1-KB5028223-x64" also addresses the problem.

Regards,

Venkata

jcsolis's profile image
jcsolis posted Nov 24, 2023 08:09 AM

Thank you very much Venkata.

That is great. We will be deploying the individual patch to this server, but is good to know that it is going to be included in October and next IntelliRollups.

Best regards.

Venkata Chelluboina's profile image
Broadcom Employee Venkata Chelluboina posted Nov 26, 2023 11:53 PM

Good day Jcsolis.

As I mentioned in the previous reply,  we already included the patch in the October 2023 intellirollup (CA - Patch Me - Security IntelliRollup v2310.00) and republished.  

From Nov 2023 onwards, we don't include the Windows Server 2012 R2/2012 ESUs in the regular Patch Me intelli-rollup package. We are maintaining a separate intelli-rollup for Extended Support Updates (ESUs) for the End of Support OSes. Please use the  "CA - Microsoft OS Extended Support Update - IntelliRollup v2311.00" to patch ESUs until Nov'23 for Windows Server 2012R2/2012/2008R2/2008.  Ensure that intelli-rollup v2310.00 rollup should be deployed prior to the "CA - Microsoft OS Extended Support Update - IntelliRollup v2311.00" for Windows Server 2012 R2/2012 OSes.


The following information has been provided in the release notes of "CA - Microsoft OS Extended Support Update - IntelliRollup v2311.00".

Note: Microsoft announced support for Windows Server 2012 and 2012 R2 is end on October 10, 2023. After this date, these products will no longer receive security updates and non-security updates. If customers want to continue these platforms, they will need to purchase support and use Extended Security Updates (ESUs) for up to three years from Microsoft.
Reference: https://learn.microsoft.com/en-us/lifecycle/announcements/windows-server-2012-r2-end-of-support
If customer get EOS support from Microsoft and would like to patch Windows Server 2012 and 2012 R2, use the latest version of below rollup from CA Patch Management. Please ensure that intelli-rollup v2310.00 rollup and previous extended rollups should be deployed prior to the below rollup.
"CA - Microsoft OS Extended Support Update - IntelliRollup vXXXX.XX"

Thanks & Regards,
Venkata

jcsolis's profile image
jcsolis posted Nov 28, 2023 11:48 AM

Thank you very much for the clarification. It is completely clear now.

Best regards.