Customers have lambasted Microsoft over its new searchable Security Update Guide, which replaced its familiar Patch Tuesday security bulletin format.
Microsoft in November warned customers it would soon change how it tells them about updates. It flicked the switch with the April 11 updates, publishing them only to the Security Update Guide (SUG) rather than as individual bulletins on the Security Bulletin Website.
The SUG lets admins sort, search, and filter the database by CVE number or KB article to find relevant bulletins and updates.
But early feedback shows that some users aren’t happy with the change. Responding to Microsoft’s invitation to provide suggestions on its support forum, one user says the “new format is horrible”.
“Hate, hate, hate the new security bulletin format. HATE,” wrote a user called Janelle 322. “I now have to manually transcribe this information to my spreadsheet to disseminate to my customers. You have just added eight hours to my workload. Thanks for nothing.”
Another user, Gis A-Bun, lamented the loss of the simpler old format. “In a single page, I have the download links, what OS is affected, what [if any] the update replaces, a brief synopsis of what the issue is, etc. Now it feels more like a pain in the butt. You have to jump all over to find the same information.”
Users commenting on other support forum pages have complained the new system is far more time-consuming to navigate. Computerworld notes that one user has seen his workload go up by six times because he now has to open a new page for each vulnerability (CVE) in a cumulative update for a product. Previously all that information was in a single bulletin for that product.
Microsoft says it understands user concerns about SUG, but explains that the change was needed “to align with the move from individual updates to the cumulative update process”.
But some users say this focus on cumulative updates expects customers to place too much trust in Microsoft.
“It seems the desire is to simply say, ‘The updates are in cumulative packages so you have to install everything anyway. Just trust us.’ Unfortunately this does not fly in most organizations,” wrote user Arbor10.
“We need to quickly ascertain where the risks are, are they actively exploited, are there any workarounds, etc. We don’t know the CVE numbers to look up because these are newly presented to us. Saying that ‘Windows is impacted’ is obvious, but we need to know HOW so we can examine and properly TEST these updates.”