Microsoft this week retired the security bulletins that for decades have described each month’s slate of vulnerabilities and accompanying patches for customers—especially administrators responsible for companies’ IT operations.
One patch expert reported on the change for his team. “It was like trying to relearn how to walk, run and ride a bike, all at the same time,” said Chris Goettl, product manager with patch management vendor Ivanti.
The move to a bulletin-less Patch Tuesday brought an end to months of Microsoft talk about killing the bulletins that included an aborted attempt to toss them.
Microsoft announced the demise of bulletins in November, saying then that the last would be posted with January’s Patch Tuesday, and that the new process would debut Feb. 14. A searchable database of support documents would replace the bulletins. Accessed through the , the database’s content can be sorted and filtered by the affected software, the patch’s release date, its CVE (Common Vulnerabilities and Exposures) identifier, and the numerical label of the KB, or “knowledge base” support document.
SUG’s forerunners were the web-based bulletins that have been part of Microsoft’s patch disclosure policies since at least 1998. Microsoft did such a good job turning out those bulletins that they were considered the aspirational benchmark for all software vendors.
In February just hours before the security updates were to reach customers, making the bulletins’ planned demise moot. Microsoft kept the bulletins the following month as well, saying it wanted to give users more time to prepare for the change to SUG.
Finally, when Microsoft yesterday shipped cumulative security updates for Windows, Internet Explorer, Office and other products, it omitted the usual bulletins.