All other Windows 7 devices, including those run by consumers and small companies, that connect via Windows Update or Windows Update for Business, are handed roll-ups. They do not get a choice.
Overall, the security-only updates issued for Windows 7 have been about one-fifth the size of the roll-up total. Only 6 of the 22 64-bit security-only updates were larger than 40MB, for example, and only 7 of the 32-bit versions broke the 20MB mark.
According to Goettl, the security-only updates have been about the same size they would have been if composed of a similar number of separate patches, like those Microsoft distributed before making the radical move to dump decades of practice in 2017.
But size was not the only reason, or perhaps even the main reason, why security-only updates were a blessing for enterprises. "Security-only provides some flexibility," Goettl said, talking about the ability to postpone an update.
Because the roll-ups are cumulative - in that they include all past patches, as well as the latest - it's not possible to deploy them without installing every fix since at least October 2016.
If a patch breaks something, say a business-critical application or workflow, all roll-ups subsequent to that must be put on hold.
But by adopting the security-only updates, an IT staff can at least roll out, for instance, June's version even if it has had to hold off on May's because of a rogue patch.
That practice resembles, on a more macro level, the way individual patches were deployed or blocked, depending on whether they interfered with operations (the latter was what Microsoft banned by moving in 2017 to the all-inclusive approach, where all of a month's patches are poured into one bucket and so are inseparable).
Goettl saw security-only updates as a sop to enterprises, a bone Microsoft threw to its most important customers when it laid down the new laws.
"One thing that softened the blow (of the cumulative update announcement) was that they offered the security-only bundle," Goettl said. "In Windows 10, you don't have that option."
Like a lot of patch experts, Goettl has urged those eligible for security-only to stick with the smaller updates.
"It really seems that a lot of the breakage problems come at the end of the month when the non-security fixes come out," he added, talking of the patches that are included with the following month's roll-up.
"Things break there. This month, for example, there were a lot of non-security fixes [in the roll-up]. That's why we recommend security-only for client PCs, especially [on systems with] sensitive software."
Cutting updates down to size
Not every Windows 7 machine has to pay full price for the increasingly large roll-ups. Some get a discount.
Enterprises that deploy updates through WSUS can apply the optional "express installation files" feature, which limits the bandwidth consumed on the local network, in turn reducing update-related traffic within the perimeter.
That's done by identifying those bytes that change between two versions of the same file, then generating an update containing just those differences (this technique is typically called a "delta" update and is used by most software developers to distribute updates).
However, there's a tradeoff, which Microsoft spells out in this support document: After enabling the feature, the size of the downloads from Microsoft's servers to the local WSUS server(s) increases substantially. According to Microsoft, express installation files may treble the number of bits downloaded to the WSUS server(s).
"When you distribute updates by using this method, it requires an initial investment in bandwidth," Microsoft stated. "Express installation files are larger than the updates they are meant to distribute. This is because the express installation file must contain all the possible variations of each file it is meant to update.
"However, this cost is mitigated by the reduced amount of bandwidth required to update client computers on the corporate network," the document continued.
In an example Microsoft highlighted, a 100MB update resulted in 300MB downloaded to the WSUS server, but the actual amount transmitted over the local network to each client might be as little as 30MB when express installation files is turned on.
With it off, the initial download to the WSUS server would be 100MB, the size of the update, but then that same 100MB would have to be delivered to client PCs across the local network.
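The trade-off described above can be modelled in a few lines of Python. This is an added illustration, not code from Microsoft or the original article: the server builds one delta per older file version a client might hold, each client fetches only the delta for its own version, and the patched result is checked against a published hash. The delta format, the 8-byte framing cost, the function names, the SHA-256 check and the sample data are assumptions of this example, not the actual express installation file format.

```python
import hashlib
import random
from difflib import SequenceMatcher

def make_delta(old: bytes, new: bytes) -> list:
    """Ops that rebuild `new` from `old`: copy a range of old, or emit literal bytes."""
    ops = []
    for tag, i1, i2, j1, j2 in SequenceMatcher(None, old, new, autojunk=False).get_opcodes():
        if tag == "equal":
            ops.append(("copy", i1, i2))
        elif j2 > j1:  # replace/insert carry new bytes; delete carries none
            ops.append(("data", new[j1:j2]))
    return ops

def delta_size(ops: list) -> int:
    """Bytes on the wire: literal data plus an assumed 8 bytes of framing per op."""
    return sum(8 + (len(op[1]) if op[0] == "data" else 0) for op in ops)

def apply_delta(old: bytes, ops: list, want_sha256: str) -> bytes:
    """Rebuild the new file; refuse the result unless it matches the published hash."""
    out = b"".join(old[op[1]:op[2]] if op[0] == "copy" else op[1] for op in ops)
    if hashlib.sha256(out).hexdigest() != want_sha256:
        raise ValueError("patched file does not match published hash")
    return out

def build_versions() -> list:
    """Constructed sample data: four successive versions of one ~3,000-byte file."""
    rng = random.Random(7)
    blob = lambda n: bytes(rng.randrange(256) for _ in range(n))
    v1 = blob(3000)
    v2 = v1[:100] + blob(20) + v1[120:]
    v3 = v2[:1500] + blob(10) + v2[1500:]
    v4 = v3[:2500] + blob(40) + v3[2540:] + blob(50)
    return [v1, v2, v3, v4]

def express_bundle(versions: list) -> dict:
    """Server side: one delta per older version, keyed by that version's hash."""
    new = versions[-1]
    return {hashlib.sha256(old).hexdigest(): make_delta(old, new) for old in versions[:-1]}

if __name__ == "__main__":
    versions = build_versions()
    bundle = express_bundle(versions)
    new_hash = hashlib.sha256(versions[-1]).hexdigest()
    for old in versions[:-1]:
        ops = bundle[hashlib.sha256(old).hexdigest()]
        assert apply_delta(old, ops, new_hash) == versions[-1]
        print(f"client downloads {delta_size(ops)} of {len(versions[-1])} bytes")
    print("server stores", sum(delta_size(o) for o in bundle.values()), "bytes of deltas")
```

The server-side total grows with every older version it has to cover, while each client's download stays a small fraction of the full file; a client whose base file has been altered fails the hash check instead of installing a corrupted result.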
Other caveats apply to express installation files in Windows 7, but perhaps the most important is that the feature is not the same as the similarly named express feature in Windows 10.
While the express feature has arguably received more attention in Windows 10 - Microsoft has publicised the feature in Windows 10 several times - it's not identical to what's in Windows 7.
For one thing, Windows 10's express can distribute both updates and the twice-annual feature upgrades, which tip the scales at several gigabytes.
More importantly, the differential update technology works with WSUS (as does Windows 7's), and with Windows Update and Windows Update for Business.
(Reporting by Gregg Keizer, Computerworld)