Remove unnecessary installation of some KBs

[lbussell]

Several of the KB installations we do today are unnecessary.

We do not need to install updates in the following cases:

• .NET Framework 3.5 - These updates are always included in the base image.
• .NET Framework versions that are the default version on a given OS.

This will require #873 be implemented so that we can be confident that our images are fully patched.

Examples

.NET Framework 3.5 on Server 2019 (2025-1B)

2025-1B was a security update, so all .NET versions were updated.

KB5050008 was the 2025-1B update for Server 2019. The updates we care about are:

• KB5049608 - .NET Fx 3.5 and 4.7.2
• KB5049615 - .NET Fx 3.5 and 4.8

$image="mcr.microsoft.com/windows/servercore:1809-KB5050008"
docker run --rm $image powershell -Command "Get-HotFix | Format-Table -AutoSize"

Source       Description     HotFixID  InstalledBy InstalledOn
------       -----------     --------  ----------- -----------
EAC2D736881B Update          KB5049608             1/9/2025 12:00:00 AM
EAC2D736881B Security Update KB5050008             1/9/2025 12:00:00 AM
EAC2D736881B Security Update KB5050110             1/9/2025 12:00:00 AM

It already contains KB5049608. So even though our image installed it, it didn't do anything extra. And the KB was installed before Patch Tuesday, so we can be sure that the image contained it when it was released.

However, it didn't contain KB5049615 by default, so we'd still need to install that for the 4.8 image, as far as I can tell. Maybe installing 4.8 on top of the image would make a difference, I haven't checked yet.

.NET Framework 4.8.1 on Server 2025

KB5050009 is again the 2025-1B update for Server 2025. The KB we care about is KB5049622, the .NET Framework 3.5 and 4.8.1 cumulative update.

$image="mcr.microsoft.com/windows/servercore:ltsc2025-KB5050009-amd64"
docker run --rm $image powershell -Command "Get-HotFix | Format-Table -AutoSize"

Source       Description     HotFixID  InstalledBy InstalledOn
------       -----------     --------  ----------- -----------
36CC4D2E6475 Update          KB5049622             1/13/2025 12:00:00 AM
36CC4D2E6475 Security Update KB5050009             1/13/2025 12:00:00 AM
36CC4D2E6475 Security Update KB5050387             1/13/2025 12:00:00 AM

As we can see it's already installed. So, we don't need to install any patches on Server 2025, unless there is a mid-cycle, non-security update we need to pick up (like KB5050577.

.NET Framework 4.7.2 and Server 2016

KB5049993 is 2025-01B update for WS2016. Other KBs we care about:

• KB5049993 - 3.5-4.7.2 - It's the same KB, since .NET Framework is not serviced separately from the OS for 2016.
• KB5049614 - 4.8

$image="mcr.microsoft.com/windows/servercore:1607-KB5049993-amd64"
Source       Description     HotFixID  InstalledBy InstalledOn
------       -----------     --------  ----------- -----------
8E874F074434 Update          KB4054590             1/9/2025 12:00:00 AM
8E874F074434 Update          KB4132216             1/9/2025 12:00:00 AM
8E874F074434 Security Update KB5050109             1/9/2025 12:00:00 AM
8E874F074434 Security Update KB5049993             1/9/2025 12:00:00 AM

Same story - KB5049993 is installed but KB5049614 is not.

[mthalman]

This is true as long as the servicing of the .NET Fx version is a security update. If it's not a security update, then the KB will not be included in the base Windows image and would need to be installed in our Dockerfile. That is the intent behind the conditional logic using this variable:

dotnet-framework-docker/eng/dockerfile-templates/runtime/Dockerfile

Line 3 in 2a1a5aa

set is48SecurityRelease to (VARIABLES[cat("4.8-is-security-release|", OS_VERSION_NUMBER)] = "true") ^

[lbussell]

This is true as long as the servicing of the .NET Fx version is a security update. If it's not a security update, then the KB will not be included in the base Windows image and would need to be installed in our Dockerfile.

Gotcha. So this is not specific to 4.8, right? And we should extend this conditional logic to all the other versions?

Windows Version	Installed in base image	Installed by us
2016	4.6.2	4.7, 4.7.2, 4.8
2019	4.7.2	4.8
2022	4.8	4.8.1
2025	4.8.1

For example, if there is a non-security update to 4.7.2 in WS2019, then we'd need to install the 4.7.2 KB?

I know this happened with 4.8.1 in Server 2025, with the January 28th (1D) release. The latest server 2025 image still only has KB5049622. That is the 1B release, not the 1D release (and there was no 2B release). So we needed to install KB5050577.

[mthalman]

Gotcha. So this is not specific to 4.8, right? And we should extend this conditional logic to all the other versions?

We should check with the servicing team on that. I think at the time that logic was added, we may have been told that 4.8 was the only version getting non-security updates (I don't have a crisp memory of that, it was years ago).

[lbussell]

[Triage] Any .NET Framework version could potentially have a non-security feature update so we shouldn't completely remove that functionality from the templates. However, the Dockerfiles can still be greatly simplified for most servicing months.

This work should also include clarifying and updating the servicing checklist.

This work can be completed around the same time as our response to #1202, since both fixes will need to update the templates rather significantly.