*New Update Alert* The following 3421 new updates have been synchronized to SERVER

*New Update Alert* The following 3421 new updates have been synchronized to SERVER since Sunday, November 04, 2012 6:00 AM (GMT).

If you just got something like that on your WSUS, it's normal and to be expected:

From http://marc.info/?l=patchmanagement&m=135187190204114&w=2

"I want to alleviate confusion I may have caused and distinguish between two issues to help experts and admins understand the potential impact of two changes you may be seeing in your environments.

The first issue regards digital certificates (as described in KB2749655); the second is related to improvements in the Microsoft Update service used by WSUS Server, SCCM and Intune (as described in KB 2718704).

ISSUE 1 - DIGITAL CERTIFICATES
The digital certificates issue is described in the MSRC advisory http://technet.microsoft.com/en-us/security/advisory/2749655 and the associated KB article http://support.microsoft.com/kb/2749655

These updates released on October 9 (2nd Tuesday in October) and resulted in between 50 and 250 updates being changed depending on how many of these were in your servers. Some of these were revisions (metadata only changes). Some were re-releases (due to the code-signing elements being integrated into Windows CBS-based binaries). While the payload changed for some of these updates, none of them had functional or targeting changes beyond the signing corrections. Any additional updates for this same issue will likely be released on future 2nd Tuesdays and will appear as a similar set of 50 - 250 updates that are either revised, re-released or both.

While I can't discuss future releases, you should expect a few more of these in the coming month or so. The impact on WSUS, SCCM servers should be the same as they were on October 9. Intune is not affected since it maintains the datastore in the cloud, not in a local database like WSUS and SCCM servers.

ISSUE 2 - ADDITIONAL IMPROVEMENTS
As part of a strategy to improve the security of Windows/Microsoft Update, many updates were revised in other ways as mentioned in the MSRC blog http://blogs.technet.com/b/msrc/archive/2012/06/04/security-advisory-2718704-update-to-phased-mitigation-strategy.aspx, in the MSRC advisory http://technet.microsoft.com/en-us/security/advisory/2718704 and in the associated KB article http://support.microsoft.com/kb/2718704.

The WSUS team posted this related post Wednesday October 31: http://blogs.technet.com/b/sus/archive/2012/10/31/support-tip-many-new-revisions-of-updates-may-be-downloaded-by-the-wsus-server.aspx

Within the MU service, a very large number of updates were improved in additional ways to secure and harden the service (I'm not able to provide more details).

The large number of improved updates became visible to WSUS servers on a rolling, one-time basis beginning the first week of October. This means that one WSUS admin may have received the improved revisions all at once one day after a sync, while another WSUS server may have received the same large batch of updates 1, 2, 5, 7 or even 14 days later than the earlier admin. And once these improvements come down to your WSUS/SCCM server, you will not incur another experience like this again. This is a one-time sync of the large number of updates we've already made in our service - separate and different from those described in ISSUE 1 above.

Depending on how many of these improved updates were present in your WSUS server, you may have observed anywhere from 1000 or more revisions. As a result, your managed clients may have briefly indicated they weren't compliant (due to the new revisions). But after the clients obtained the revision and rescanned, they would report back that they were again compliant.

For SCCM admins, the latter issue will incur a one-time cost to re-download any active deployments to both sync and redistribute these to ConfigMgr distribution points. While there's a wizard that helps, the effort increases with the number of active deployments that were changed.

TECHNICAL IMPACT
In both cases - whether for digital certificates or the additional improvements - neither the targeting (metadata) nor payloads were changed in any functional way.

The impact to WSUS servers is more likely worrying than troublesome. SCCM admins had a much greater impact that required manual effort to ensure all clients and their active deployments returned to a compliant state.

While both changes we made were to improve the service for enterprises and consumers, the impact wasn't sufficiently understood beforehand and communicated proactively. I hope this explanation helps describe the situation and helps you plan for and accommodate these changes. We strive to provide a powerful service you can trust without interruption. And we're already making improvements based on your feedback.

For reporting issues with SCCM or WSUS Server, please take the time to review and post on the forums below where we watch for issues affecting our customers:

http://social.technet.microsoft.com/Forums/en-US/category/configurationmanager and
http://social.technet.microsoft.com/Forums/en-US/winserverwsus/threads

doug neal
Microsoft Update (MU)"

About the Author

Susan is just a wacko SBSer who started down her path by hanging out in the SBS newsgroup community. She's not a Microsoft employee or affiliated with Microsoft. Get a feel of the SBS “vibe” and join in the SBS community!