What to Expect on Patch Tuesday

Apr 06, 2021

Microsoft releases security updates on Patch Tuesday every month. In order to manage these releases more efficiently, organizations and IT experts must know what to expect on Patch Tuesday.

Since 2003, Patch Tuesday has been a tradition for IT experts. That is when Microsoft established a schedule for its security updates, which allows network administrators to build compatibility testing and deployment plans into their monthly schedules.

The idea was to ensure that administrators no longer had to scramble to deal with updates released on an irregular schedule. Initially, there was some uncertainty about the idea. Over the years, however, it has become widely accepted, and other companies such as Adobe have adopted the same schedule.

1. When is Patch Tuesday?

There are two important Tuesdays on Microsoft’s update schedule. The second Tuesday of each month is the one known as Patch Tuesday. That’s when Microsoft releases security-related updates for Windows, Office and other related products. The fourth Tuesday of each month is reserved for updates that are not related to security.

In rare cases, Microsoft will issue what’s known as an ‘out-of-band’ update for a security issue, publishing an update on a day other than the normal Tuesday update period. Normally, this happens only when a security issue is very serious and is being actively exploited.
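The schedule above can be turned into a small calendar helper for planning test and deployment windows. This is an added example, not code from the original article; the function names and the three labels are assumptions chosen for illustration.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday() counts Monday as 0


def nth_tuesday(year: int, month: int, n: int) -> date:
    """Return the n-th Tuesday (1-based) of the given month."""
    first = date(year, month, 1)
    # Days from the 1st to the first Tuesday (0 when the month starts on one).
    offset = (TUESDAY - first.weekday()) % 7
    result = first + timedelta(days=offset + 7 * (n - 1))
    if result.month != month:
        raise ValueError(f"{year}-{month:02d} has no Tuesday number {n}")
    return result


def patch_tuesdays(year: int) -> list[date]:
    """All twelve Patch Tuesdays (second Tuesday of each month) in a year."""
    return [nth_tuesday(year, month, 2) for month in range(1, 13)]


def classify_release(day: date) -> str:
    """Label a release date according to the schedule described above."""
    if day == nth_tuesday(day.year, day.month, 2):
        return "patch-tuesday"   # security updates
    if day == nth_tuesday(day.year, day.month, 4):
        return "non-security"    # fourth-Tuesday updates
    return "out-of-band"         # any other day


if __name__ == "__main__":
    for day in patch_tuesdays(2021):
        print(day.isoformat())
    print(classify_release(date(2021, 4, 20)))
```

The second Tuesday always falls between the 8th and the 14th, so a recurring calendar entry pinned to a fixed day of the month will drift off the real release date.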

2. How Do I Know What is Being Released?

Every security update issued by Microsoft is accompanied by a report that is published by the Microsoft Security Response Center (MSRC) at the same time the updates are released.

The Security Advisories and Bulletins page is the main index for such documents. It comprises the following:

  • Security Bulletin Summaries: This index consists of one document per month, organized chronologically, with the most recent documents at the top. Each summary has a full list of bulletins issued that month with a title and executive summary for each one. The summary also includes an Exploitability Index for each bulletin, listing the risk on a 1-4 scale, with 1 meaning "Exploitation More Likely" and 4 meaning "Not Affected." At the end of the index is an Affected Software section that lists bulletins in order of major software categories and severity. For instance, if you are concerned about which new security bulletins apply to your servers running Windows Server 2008 R2, you can check this section to get an accurate answer.
  • Security Bulletins: This list is structured in reverse chronological order, with a separate entry for every bulletin. The naming convention uses the format MSYY-NNN. For instance, MS15-042 would be the 42nd bulletin issued in 2015. Each bulletin includes an Executive Summary, an Affected Software list, and details about the security vulnerability that the update resolves.
  • Security Advisories: The documents listed on this page represent communications about known security issues that are not necessarily accompanied by updates. Advisories occasionally include explanations of known vulnerabilities that have been disclosed by a third party and that Microsoft considers severe. They normally include mitigation and workaround steps when these are available.

3. Where Do I Find More Details About Individual Bulletins?

The title of every security bulletin and advisory includes a number that matches an article in the Microsoft Knowledge Base. For example, security bulletin MS14-064 was associated with KB article 3011443. The Knowledge Base article normally contains more information about an individual bulletin, which includes known issues, workarounds, details about downloadable files, and details about files installed or replaced as part of an update.

4. What Are CVE Numbers?

The computer security industry has standardized a disclosure format for what it calls Common Vulnerabilities and Exposures (CVEs). Each disclosure is published in the National Vulnerability Database (NVD), which is maintained by the government of the United States.

CVEs use a standard numbering system that’s maintained by The MITRE Corporation. Microsoft is one of many big organizations that use CVE identifiers to enable security researchers to discuss issues. If you see a CVE number in a security bulletin, you can look it up in the NVD and use your favorite search engine for more information.

5. How Can I Know the Most Important Security Updates?

Every security bulletin is accompanied by a rating that represents the worst theoretical outcome if the vulnerability addressed on that bulletin were to be exploited. There are four severity ratings, listed here from most to least severe:

1. Critical: This type of vulnerability, if exploited, may lead to code execution with no interaction on the part of the user. These updates should typically be applied without delay.

2. Important: This severity rating applies to vulnerabilities that can be exploited to compromise the integrity or confidentiality of user data or to cause a denial of service attack.

3. Moderate: Normally, this rating is applied to vulnerabilities that are mitigated by factors such as default configurations and authentication requirements.

4. Low: This type of vulnerability typically requires either an unusual configuration or extensive interaction.
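The MSYY-NNN naming convention, the four severity ratings and the Exploitability Index are enough to build a first-pass review order for a month's bulletins. This is an added example, not code from the original article: the sample bulletins are constructed, and sorting by severity first and Exploitability Index second is an assumed policy, as is the two-digit-year pivot.

```python
import re
from dataclasses import dataclass

BULLETIN_ID = re.compile(r"MS(\d{2})-(\d{3})")
# Severity ratings from the article, most to least severe.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str     # MSYY-NNN
    severity: str        # one of SEVERITY_RANK
    exploitability: int  # Exploitability Index: 1 (more likely) to 4 (not affected)


def parse_bulletin_id(text: str) -> tuple[int, int]:
    """Split MSYY-NNN into (four-digit year, sequence number in that year)."""
    match = BULLETIN_ID.fullmatch(text.strip().upper())
    if match is None:
        raise ValueError(f"not an MSYY-NNN bulletin id: {text!r}")
    yy, seq = int(match.group(1)), int(match.group(2))
    if seq == 0:
        raise ValueError(f"sequence numbers start at 001: {text!r}")
    # Assumption: two-digit years of 90 and above belong to the 1900s.
    return (1900 + yy if yy >= 90 else 2000 + yy), seq


def triage(bulletins: list[Bulletin]) -> list[str]:
    """Order bulletin ids by severity, then Exploitability Index, then id."""
    def key(b: Bulletin):
        if b.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {b.severity!r} on {b.bulletin_id}")
        if not 1 <= b.exploitability <= 4:
            raise ValueError(f"Exploitability Index out of range on {b.bulletin_id}")
        return (SEVERITY_RANK[b.severity], b.exploitability,
                parse_bulletin_id(b.bulletin_id))
    return [b.bulletin_id for b in sorted(bulletins, key=key)]


# Constructed sample data: these ids and ratings are made up for illustration.
SAMPLE = [
    Bulletin("MS15-901", "Important", 1),
    Bulletin("MS15-902", "Critical", 2),
    Bulletin("MS15-903", "Critical", 1),
    Bulletin("MS15-904", "Low", 4),
    Bulletin("MS15-905", "Moderate", 3),
]
```

Calling `triage(SAMPLE)` puts the two Critical bulletins first, with the one rated "Exploitation More Likely" ahead of the other.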

6. Can I Get Advance Notice of Upcoming Bulletins?

Microsoft used to publish advance notifications of security bulletins, but this practice was stopped in 2014. For now, the whole IT world gets to wait until the second Tuesday of each month for the latest round of updates for Windows and other Microsoft products.

It’s essential to understand what Patch Tuesday is, what to expect, and how to stay updated on the latest security patches. An organization should keep its IT experts informed about security patches, security updates, and vulnerability remediation to avert cyber attacks on the organization's data.

Do you want to learn more about what to expect on Patch Tuesday for your organization? Do you need help with Patch Tuesday updates? If yes, Vicarius is your go-to cybersecurity company.

Topia is a vulnerability management software that targets cybersecurity officers and operators, as well as IT managers and operators from the U.S. market. If you would like to implement a patch management tool, we are here for you.




Written by

Kent Weigle
