Microsoft has released an update for Windows Server Update Services (WSUS) 3.0 Service Pack 2 (SP2). This article includes information about the contents of the update and how to obtain the update.
Issues that are fixed
This update lets servers that are running Windows Server Update Services (WSUS) 3.0 SP2 provide updates to computers that are running Windows 8 or Windows Server 2012.
This update fixes the following issues:
Installation of update 2720211 may fail if Service Pack 2 was previously uninstalled and then reinstalled.
After you install update 2720211, health monitoring may fail if the WSUS server is configured to use SSL.
Additionally, this update includes the following fixes:
2530678 System Center Update Publisher does not publish customized updates to a computer if WSUS 3.0 SP2 and the .NET Framework 4 are installed
2530709 "Metadata only" updates cannot be expired or revised in WSUS 3.0 SP2
2720211 An update for Windows Server Update Services 3.0 Service Pack 2 is available
Update 2720211 is included in this update and strengthens the WSUS communication channels.
The Windows Update Agent (WUA) on computers that are managed by this WSUS server will be automatically upgraded as needed after you apply this update.
WSUS must be in a known, good working state for this update to work. If WSUS is configured to synchronize updates from Microsoft Update, make sure that WSUS can synchronize updates. And, clients must be able to communicate with the WSUS server.
For more information about how to perform basic health checks on a WSUS server, go to the following Microsoft TechNet websites:
We recommend that you synchronize all WSUS servers after you apply this update. If you have a hierarchy of WSUS servers, apply this update, and then synchronize your servers from the top of the hierarchy on down. To synchronize your servers in this manner, follow these steps:
Note Before computers that are running Windows 8 or Windows Server 2012 can be updated by WSUS 3.2 servers, you must complete these steps.
Start the process with WSUS 3.0 SP2 that synchronizes with Microsoft Update.
Apply this update.
Start a synchronization.
Wait for the synchronization to succeed.
Repeat steps 2 through 4 for each WSUS 3.0 SP2 server that synchronizes to the server that you just updated.
Known issues with this update
If you use the Local Publishing feature from a remote WSUS console, when your WSUS Server is updated with this update, the remote WSUS consoles must also be updated to make sure the API versions match.
If you have locally published updates, you will have to re-sign and republish all local updates after you apply this update. Be aware that a minimum of a SHA1, 1024 key-length certificate is required. For more information about how to do local publishing of updates, go to the following Microsoft Developer Network (MSDN) website:
If you have Windows 8 or Windows Server 2012 clients that synchronized with WSUS 3SP2 before you applied this update, wait for the update to be applied to the WSUS servers, and then follow these steps:
On the affected client, open cmd.exe in elevated mode
Type the following commands. Make sure that you press Enter after you type each command:
Net stop wuauserv
rd /s %windir%\softwaredistribution\
Net start wuauserv
Consider the following scenario:
You connect to Windows Update through a network proxy that uses HTTPS or SSL content inspection.
An intermediate server is between the SSL traffic of the client and Microsoft Update.
In this scenario, you have to create exception rules in the HTTPS inspection server so that the Windows Update traffic is tunneled without inspection. For more information about how to create HTTPS inspection exceptions for Microsoft Forefront Threat Management Gateway (TMG), go to the following Microsoft website:
For a list of URLs and domains to exclude, click the following article number to view the article in the Microsoft Knowledge Base:
885819 You experience problems when you access the Windows Update Version 6 website through a server that is running ISA Server
If you install the executable file (.exe) manually, you will have to restart the computer to apply the update.
Remote Microsoft SQL Server administrators must download and install the update by using an account that has SQL Server Administrator permissions. SQL Server installation will always require manual installation.
To apply this update, you must be running Windows Internal Database or SQL Server.
The IIS and WSUS services must be stopped to prevent the database from being accessed while the Network Load Balancing (NLB) clusters are upgraded. For more information about how to upgrade NLB, see the "How to upgrade NLB on all computers" section.
How to upgrade NLB on all computers
Shut down the NLB service on each node in the NLB cluster. To do this, at a command prompt, type the following command, and then press Enter:
Shut down IIS and the WSUS service. To do this, at a command prompt, type the following commands. Make sure that you press Enter after you type each command.
net stop wsusservice
Make sure that no other services can access the database during the upgrade window. To do this, at a command prompt, type nlb.exe disable together with the appropriate additional parameters for the port or application: