Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

MS12-043 KB2687324 Not Installing

Created: 31 Aug 2012 | 11 comments

For Patch Management Solution 7.1 SP2, the Windows updates from MS12-043 installed but the Office 2003 one (KB2687324) didn't according to my Patch Remediation Center.  Actually, not even sure if the Altiris Agent even tried to install this Office update where the client GUI doesn't show it on the Software Updates tab as even a pending task.  MS12-043 doesn't appear to be a superceded bulletin although not sure if updates within a bulletin can be phased out for whatever reason.

Note that KB2687324 isn't being installed on ANY of my test system targets which includes a WinXP Pro, Win7 Pro and Win7 Pro x64; all VMs with the Office 2003 Pro suite.  Also, I didn't find it listed as an installed update on the clients themselves as well as via SMC's Resource Manager.  Unless others are seeing this behavior too, I'd appreciate any tips on how I can troubleshoot this issue further.  Thanks in advance!

Comments 11 CommentsJump to latest comment

Clint's picture

Wanted to add that I see KB2687324 listed in MS12-043's resource manager although I don't see it under the Advanced tab in my policy.  My console shows 21 (of 21) updates downloaded for this bulletin.  This bulletin is actually one of several in my policy.  Is it possible update KB2687324 somehow didn't make it into my policy or is there another explanation?

Clint

Roman Vassiljev's picture

Hi Clint,

According to Microsoft page update KB2687324 has been added to MS12-043 after this bulletin was published:
http://technet.microsoft.com/en-us/security/Bulletin/MS12-043
"V2.0 (August 14, 2012): Bulletin rereleased to offer the security updates for Microsoft XML Core Services 5.0 that were unavailable at the time of initial release. Customers running Microsoft XML Core Services 5.0 should apply the KB2687324, KB2596856, or KB2596679 update to be protected from the vulnerability described in this bulletin. Customers who have already successfully installed the updates originally offered on July 10, 2012 for Microsoft XML Core Services 3.0, Microsoft XML Core Services 4.0, and Microsoft XML Core Services 6.0 do not need to take any action. See the Update FAQ for details."

Most probably you have created policy containing MS12-043 before release of V2.0 (August 14, 2012) and checkbox 'Automatically revise Software Update policies after importing patch data' is not checked in your PM Import settings.

To make update KB2687324 available for distributing you have the following options:

1. Navigate to Import Patch Data for Windows page and enabled checkboxes 'Automatically revise Software Update policies after importing patch data' and 'Enable distribution of newly added Software Updates'. With these settings all newly added updates will be automatically staged and enabled in existing policies during next PM Import task.
2. Create new policy with MS12-043 bulletin. New policy will be created with all updates included to  MS12-043.

Hope this helps,
Roman

 

Clint's picture

Hi Roman,

I previously did check off the "Automatically revise..." and "Enable distribution..." boxes although you're saying I also need to recreate the MS12-043 policy to include the new updates?  Do you know why the SMC can't inject the new updates into the existing policy which is what I was expecting to happen but didn't?  Thanks!

Clint

Clint

Dmitri Sarin's picture

Hi Clint,

You don't need to recreate the MS12-043 policy if you had initially "Automatically revise Software Update policies after importing patch data" & "Enable distribution of newly added software updates" checkboxes ticked on during the PMImport.

If these checkboxes are enabled, the PMimport will update existing software update policies with the latest
Windows patch management metadata automatically. Also PMImport will enable the distribution of the software updates that were added to existing software bulletins by the software vendor.

In case you did not have them ticked on (as far as I understand this is exactly your case), you will need to recreate the policy manually or another way is to enable above mentioned checkboxes and run PMImport again.

 

Thanks,

Dmitri

Clint's picture

Hi Dmitri,

I'm running all the latest SMP 7.1 SP2 CMS 1 components along with the v4 pointfix rollup.  Should I open up a support case because those checkboxes you mentioned never stay enabled in my SMC, or is this normal behavior?  The "Disable all superceded Software Updates" checkbox also doesn't retain its setting.

FYI: My PMImports have been successfully running each day where on numerous occasions I've checked off all 3 boxes, clicked "Save changes" and they appear to remain enabled until PMImport runs again after which I find them all unchecked the next day.

Clint

Clint

Dmitri Sarin's picture

Hi Clint,

Both checkboxes are off by default.

 

Thanks,

Dmitri

Roman Vassiljev's picture

Hi Clint,

This issue may happen in case if these checkboxes are modified when PM import task is running (modified settings are restored to previous state as soon as PM import task is finished.). Actually changes of PM Import settings are not saved during running PM Import task because changing settings of running task can cause incorrect results.

Please check that PM Import task is not running when you save changes for mentioned checkboxes.

Best regards,
Roman

Clint's picture

My daily PMImport runs at 2 a.m. and successfully finishes about 3 minutes later so I'm never in the situation where I'm changing these checkboxes while the import is running.  Also, I was told the import would take longer with those boxes enabled although timeframes have been fairly consistent.

My Symantec tech support analyst is currently looking at my a.logs but I'd still like to know if anyone else is seeing this same issue on their server.

Clint

Clint's picture

Status for my scheduled PM import task is in a "Pending" state which sounds normal according to what my Symantec support analyst sees in his SMC but his environment properly maintains his checkboxes after an import runs.  He had me stop the pending import, check off all 3 boxes, save changes, then manually started an import which took 19 minutes instead of the normal 3.  Noticed that my policy which had MS12-043 (among others) now included the Office update which was previously missing so the enabled checkboxes appear to be working as expected.

I have since rescheduled my import task back to what it was set to where the support analyst asked me to try and uncheck all 3 boxes to see whether it remains disabled past my next scheduled import tomorrow morning or if they revert back to an enabled state (perhaps testing if there was a glitch on my server?).  Another import did run this morning as scheduled where it took about 6 minutes instead of 3 or 19 so I guess that's good.

However, even after my policy was updated to include that Office KB update, I have yet to see a different "Revised" date in my Software Bulletin reports for MS12-043 or any other bulletin.  Am I the only one seeing this problem as well?  Perhaps I have to open yet another case for this issue.

Clint

Dmitri_Gornev's picture

Hi Clint,

> I have yet to see a different "Revised" date in my Software Bulletin reports for MS12-043 or any other bulletin.  Am I the only one seeing this problem as well?

yes, this is known problem (date in Revised column is always equal to one in Released column - regardless whether bulletin was revised or not).

Clint's picture

Well, at least the bulletins are actually being revised even though the dates in the reports indicate otherwise.  So any idea when Symantec will release a fix for this issue?

Clint