Unexpected updates to developer tools caused by security updates – what do to about it?

The past week’s activity in security updates have generated a lot of new blog entries on this page. But does it have to be that way?

Martin Richter has written up a very good summary of why developers need the ability to freeze their environments (or at least be properly warned!!) when tools updates are released as important security updates. The main reason is because they need to target particular runtimes, and if they have to release hotfixes their manifests must match what is already out there. Another reason is that they simply cannot keep track of all the updates, and having your tools changed out from under you out of the blue can have major repercussions, especially if there are new bugs in those tools. It can cause massive numbers of hours of lost productivity in reconfiguring a whole organization’s developer machines.

I suggest you sign up for connect.microsoft.com (Visual Studio and .NET Framework) and read this (don’t forget to vote on it while you’re there):

Feature request: Always ask the developer before applying a security fix or service pack to Visual Studio that need changed the C++ runtime DLLs ATL/MFC/CRT

I definitely support having some better communication about the issues as well at the time they are released, like when KB971090 was released there was a video on channel 9 – see http://channel9.msdn.com/Blogs/Charles/Out-of-Band-Inside-the-ATL-Security-Update for the type of info that should be communicated.

Advertisements

About tedwvc
On this blog you'll find some tips and tricks for dealing with Visual C++ issues.

2 Responses to Unexpected updates to developer tools caused by security updates – what do to about it?

  1. Harun says:

    Looks like the next unexpected update (June 14) has fixed the problems introduced with the last one (April 12).
    As far as I can tell, there are fixes for the 3 FindActCtxSectionString bugs you listed, as well as the MFC static code bloat – including the unneeded dependency on GDI+. What are other people seeing?
    Thanks for the workarounds in the meantime, Ted.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: