Microsoft is to release three bulletins on its next Patch Tuesday to cover issues in Windows and Office.

The three bulletins will cover four vulnerabilities, with one bulletin rated as critical and expected to fix a remote code execution issue in Windows. Also patched are ‘important' fixes in Windows.

Amol Sarwate, manager of the vulnerability research lab at Qualys, said: “This is a small update as compared to February in which there were a dozen updates. The critical update affects Windows XP, Vista and Windows 7, while Windows Server 2003 and Server 2008 are not affected.

“One of the important updates affects all Windows operating systems and we expect it to be for the MHTML Information Disclosure issue, which was left unpatched in last month's patch cycle (2501696).

“The other important update patches the little known Office Groove 2007 software. Overall we expect this month's Patch Tuesday to be easy for deployment for organisations and individuals.”

Alan Bentley, SVP international at Lumension, said: “Microsoft might be light on patches this month, but the short bulletin does not mean respite for businesses. But despite the clean up, there's nothing to suggest we're going to see a patch to address the recently exposed Internet Explorer zero-day vulnerability.

“Although it might be a quieter month for Microsoft, Apple on the other hand has been busy, having released a patch to address over 50 flaws with iTunes. This vulnerability impacts Apple's own products, as well as Windows products.”

The Big Suprise:

In February, Microsoft began delivering both security updates and non-security product updates for SharePoint through Windows Update. This caught a lot of customers by surprise and not in a good way. Delivering non-security updates to critical SharePoint components has the potential to break things if untested. And, considering how bad each patching month has been in the last couple years, customers would rather retrieve the non-security updates themselves and test and install in a controlled manner.

One commenter said this:

…this is a pretty silly move. It ensures that administrators will be even less likely to keep their servers patched against common windows vulnerabilities, while ensuring that those who do are more likely to break their SharePoint farms.

Factor in the dismal track record of these CUs, and the future gets pretty dark.

It seems unlikely to me that testing Windows Updates includes testing SharePoint Cumulative Updates. Everything about how SharePoint works (complexity, multiple tiers, variations in configuration, custom code) screams that auto updating is a terrible idea.

Seems you have a fairly rosy view of how patch management works in most companies. This is unfortunate.

Whether the company listened to the complaints or just found it functionality difficult, Microsoft's Stefan Goßner today has announced that Microsoft is altering the plan once again:

We want to let everyone know of a change to the patch delivery strategy for Office server products. As of March 2015, all Office product updates will be offered via Microsoft Update except for non-security updates for server products. Individual and “uber” server product updates will be published only to the Microsoft Download Center and customers can download/schedule/plan/test accordingly.

Please note that this does not affect security fixes for server products as they will continue to be available via Microsoft Update.