TSSA/BSA: How can Microsoft Servicing Stack Updates (SSUs) affect TSSA Window Patch Analysis results?

Version 1
    Share This:

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    TrueSight Server Automation


    BladeLogic Patch Management


    Windows Server patching in TSSA (Version Neutral)


    Microsoft periodically releases Windows Servicing Stack Updates (e.g. May of 2018 ). The presence or absence of these SSUs on a Target Server can have an affect on the Patch Analysis results observed in TSSA e.g.

    Scenario #1:
    Cumulative Update/Latest Cumulative Update (CU/LCU) Windows Server patches are not reported as missing, unless the previous SSU patches are first installed.

    Scenario #2:
    Both CU/LCU & SSU patches are reported as missing but CU/LCU are not applicable, unless the previous SSU patches are first installed .


    SSUs must be applied first before subsequent patches become applicable and detected as missing.

    If the SSU is not installed, more recent updates are not yet applicable.

    The Knowledge article from Ivanti also describes an example of this behavior :


    That is why two TSSA Patch Analysis jobs are often required to patch the server completely.

    The first Patch Analysis job will only show patches prior to the SSU as missing.

    Once the SSU has been installed the latest patches will be reported as missing by the next Patch Analysis job.

    Regarding the mentioned scenarios:

    • Scenario #1 is expected behavior
    • Scenario #2 should not occur, because if the SSU is required by the CU/LCU & the SSU is not present on the target, the Patch Analysis job should NOT report those CU/CLU as missing but only SSU as missing.   The only possible exception would be that some former CUs have a separate listing with D at the end of the QNumber that would show up (D = Detection-only, so not deployable).    For example, back in February 2019, customers may have seen Q4487026D (the February CU for Server 2016) show up in a scan at the same time as Q4132216 (the SSU required before Q4487026 became applicable). If they just deployed everything that was detected as missing, Q4487026D would not deploy since that listing is information-only.  Once Q4132216 was deployed, their next scan would show Q4487026 (without the D), which would be deployable. (These should no longer be displayed in TSSA 8.9.x.)
    See the following Ivanti article regarding what it means when Patch QNumbers are displayed with a D at the end: 



    Article Number:


    Article Type:


      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles