Purpose
The purpose of this document is to provide more information about severity and supersedence in Patch Manager.
Explanation of Severity
The patch types in Patch Manager are primarily categorized as Security and Non-Security Updates.
In Patch Manager, Security Updates have their severity rating shown in the "Severity" column; this is set to the rating the vendor has assigned.
Non-Security Updates do not use the "Severity" column; that value is marked as NA. If the patch is a Critical Non-Security Update, you will see "Critical Update" in the "Category" column.
Monthly Rollups are set to Non-Security Updates in Patch Manager because they contain both Security and Non-Security updates. That is why you will see NA in Severity, as the rollup is classified as a Non-Security Update, while the Category column is set to "Critical Update".
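The following is an added example, not part of Patch Manager or of the original article, showing why a filter on the "Severity" column alone skips Monthly Rollups and how Category plus the rollup title can be used instead. The CSV layout, the "Name" and "Type" column names, the "Security Update" category value and all sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample export. "Severity" and "Category" are the columns the
# article names; "Name", "Type" and the row values are assumptions.
SAMPLE_EXPORT = """Name,Type,Severity,Category
Example Security Update A,Security,Critical,Security Update
Example Security Update B,Security,Low,Security Update
Example Security Monthly Quality Rollup,Non-Security,NA,Critical Update
Example Critical Reliability Fix,Non-Security,NA,Critical Update
Example Update C,Non-Security,NA,Update
"""

ROLLUP_TITLE = "security monthly quality rollup"  # title quoted in the article


def classify(row):
    """Return a triage bucket for one exported patch row."""
    severity = row["Severity"].strip().lower()
    category = row["Category"].strip().lower()
    name = row["Name"].lower()
    if row["Type"].strip().lower() == "security":
        return "security:" + severity
    # Non-security rows carry Severity "NA", so use Category and the title.
    if category == "critical update" and ROLLUP_TITLE in name:
        return "rollup-with-security-content"
    if category == "critical update":
        return "critical-non-security"
    return "non-security"


def triage(export_text):
    """Map each patch name in the export to its triage bucket."""
    rows = csv.DictReader(io.StringIO(export_text))
    return {row["Name"]: classify(row) for row in rows}


def missed_by_severity_filter(export_text, wanted=("critical", "important")):
    """Rollups that a filter on the Severity column alone would not select."""
    rows = csv.DictReader(io.StringIO(export_text))
    return [r["Name"] for r in rows
            if r["Severity"].strip().lower() not in wanted
            and classify(r) == "rollup-with-security-content"]


if __name__ == "__main__":
    for name, bucket in triage(SAMPLE_EXPORT).items():
        print(f"{bucket:30} {name}")
    print("missed by severity-only filter:", missed_by_severity_filter(SAMPLE_EXPORT))
```

Because a critical non-security fix and a Monthly Rollup share the same Severity and Category values, the title is the only field in this sketch that separates them.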
Explanation of Supersedence
In Patch Manager, we do not set any Non-Security Update to supersede a Security Update. This is done on purpose. There are times when the vendor will supersede a Security Update with a Non-Security Update, but we do not set that supersedence.
Additional Information
Description of the standard terminology that is used to describe Microsoft software updates
Description of Update Types
Security update
Definition: A widely released fix for a product-specific, security-related vulnerability. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low.
Update
Definition: A widely released fix for a specific problem. An update addresses a noncritical, non-security-related bug.
Critical update
Definition: A widely released fix for a specific problem that addresses a critical, non-security-related bug.
Security-only update
Definition: An update that collects all the new security updates for a given month and for a given product, addressing security-related vulnerabilities and distributed through Windows Server Update Services (WSUS), System Center Configuration Manager and Microsoft Update Catalog. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low. This Security-only update would be displayed under the title Security Only Quality Update when you download or install the update and will be classified as an "Important" update.
Monthly Rollup
Definition: A tested, cumulative set of updates. They include both security and reliability updates that are packaged together and distributed over Windows Update, WSUS, System Center Configuration Manager and Microsoft Update Catalog for easy deployment. The Monthly Rollup is product specific, addresses both new security issues and nonsecurity issues in a single update and will proactively include updates that were released in the past. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low. This Monthly Rollup would be displayed under the title Security Monthly Quality Rollup when you download or install. This Monthly Rollup will be classified as an "Important" update on Windows Update and will automatically download and install if your Windows Update settings are configured to automatically download and install Important updates.