4 Replies Latest reply on Oct 16, 2012 8:27 PM by Lazar NameToUpdate

    Shavlik and Microsoft patch revisions

    Jim Campbell

      Microsoft released a few patch revisions (MS12-054 as an example) and Shavlik appropriately adjusted the URL of the patch executable to the new (v2) versions of these patches. However, from a ticket I filed with BMC support last night, it appears that Microsoft did not publish new criteria for patch applicability and Shavlik is still using the old criteria from August. As a result, none of our servers are "missing" the patch since we pushed the v1 version of it in August, but the v2 version fixes an issue.


      Has this happened before, and if so was there an eventual fix?  For this month I am simply blindly pushing a blpackage using autoremediation with the v2 version of the patches but we are not going to be able to use patch analysis to determine where it is/is not installed.

        • 1. Re: Shavlik and Microsoft patch revisions
          Lazar NameToUpdate

          Jim, per Shavlik XML release, this was the update to the patch:


          - Modified MS12-054(Q2705219): Microsoft revised this bulletin to rerelease the KB2705219 update for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 to address an issue involving specific digital certificates that were generated by Microsoft without proper timestamp attributes.


          So the actual hotfix contents were not modified, so the detection logic should be the same, and if you have already applied the "v1" patch, then you do not need to apply the v2 patch. Due to the improper certificate timestamps, Shavlik probably received some complaints that this patch cannot be installed, so Shavlik has fixed the certificate part, but not the contents. You do not need to apply v2 to your servers if the patch is not reported missing.


          I don't recall seeing something like this from Shavlik, but there's always a first time. Hopefully this answers your question.



          On the other hand, if the file contents were modified, then Shavlik does need to update their detection logic after validating it with MS. We will check with Shavlik on this. I'll update the post once we have more info.

          • 2. Re: Shavlik and Microsoft patch revisions
            Jim Campbell

            How does the certificate get updated if we don't apply anything new?  There is a separate executable with 'v2' in the name that Microsoft is now distributing so our assumption is that this qualifies as a new patch.  The Microsoft Security Baseline Analyzer does report the v2 version of the patch missing on servers where we installed the v1 version.

            • 3. Re: Shavlik and Microsoft patch revisions
              Lazar NameToUpdate

              Yes, we're contacting Shavlik about this so that if the patch does need to be applied on top of v1, then Shavlik will modify the detection logic.

              • 4. Re: Shavlik and Microsoft patch revisions
                Lazar NameToUpdate

                Jim most likely knows already due to the VIP privileges of having filed the ticket : ) but to bring the rest of the community up to date, VMware/Shavlik are working on modifying the detection logic for this patch, so that it can be reported missing and deployed where applicable; right now it's just a matter of time.


                If you wish to sign up for the Shavlik XML release notification email (if you're in Windows patching, then it's recommended), you may do it here:

