The Microsoft Security Update Release Cycle

When the Microsoft Security Response Center (MSRC) decides to address a vulnerability with an update, MSRC begins to develop a security bulletin and other communications to communicate the issue to customers.

Meanwhile, the affected product team works to create and test a software update to address the vulnerability.

Security Bulletins and Other Communications

Security Bulletin Summaries

The MSRC publishes a general summary of security bulletin releases for each of regularly scheduled monthly bulletin release.

The summary includes:

• Number of bulletins that might be released
• Anticipated severity ratings
• Products that might be affected

Security Bulletins

Security bulletins include the following:

• A list of frequently asked questions
• Information about workarounds and mitigations
• Any other information that IT staff needs to address the vulnerability.

Advance Notification

To help customers plan for the monthly security bulletin release, Microsoft provides bulletin subscribers with advance information about security updates prior to their release through the Advance Notification Program. Where possible Microsoft will normally make this notice available three business days before a security bulletin is released.

Security Advisories

Microsoft also communicates security information to customers through Microsoft Security Advisories. Microsoft uses these advisories to communicate about issues that might not be classified as vulnerabilities and might not require security bulletins, but that might still have an effect on customers' overall security.

Tools for Enterprise customers

Microsoft also offers Enterprise customers a variety of tools and resources to assist in the detection and deployment of security updates, including Security Update Management, Security Update Detection, and Security Assessment. For more information, see Security Tools.

Release Day: Second Tuesday

MSRC releases new security updates and their accompanying bulletins on the second Tuesday of every month at approximately 10 A.M. Pacific Time.

MSRC makes updates available for download through the following sites:

• Windows Update
• Microsoft Update
• Automatic Updates
• Microsoft Download Center
• Office Update, when needed
• Microsoft Update Catalog.

On release day, MSRC sends update notices to customers and partners and begins press and public relations outreach activities.

Customers who have signed up for the Microsoft Technical Security Notifications, Security Newsletters, and Windows Live Alerts receive e-mail within a few hours. MSRC also immediately notifies customers via Really Simple Syndication (RSS) feeds when it releases security bulletins.

At the same time, MSRC works with the Customer Support and Services (CSS) group to notify the Microsoft worldwide Sales, Marketing, and Services organization.

MSRC also posts information about new updates to security newsgroups and begins to monitor the environment for customer issues that relate to the vulnerabilities.

Immediately following the release of the security updates, MSRC monitors the download and installation of security updates through Windows Update and the Download Center to make sure that no new problems are introduced. The CSS group also tracks customer concerns.

With the CSS Security group and the relevant product teams, the MSRC also provides a monthly Security Bulletin Webcast, which is broadcast at 11 A.M. Pacific Time on the morning after the monthly release. The webcast provides customers with prescriptive security guidance and the opportunity to ask Microsoft subject matter experts about the security bulletins and about how to deploy the new updates.