For IT & Telecom Solutions Call (310) 955-1600
  • Contact Us

Superseded Patches & Vulnerability Scanner False Positives

Much like patching up a hole in your favorite pair of jeans, even your computer systems and software occasionally need assistance to cover up a flaw or bugged access point.

As such, vendors and software developers alike are constantly coming up with newer and more comprehensive patches to protect users and companies, as well as their data.

And to do so, the laddering effect of these updated patches leaves the older codes behind in the realism of superseded patches. But what is important to note about superseded patches and the possibility of missing plugins? Let’s delve further into that discussion.

What Are Superseded Patches?

Simply put, these types of software protection deployments are old patches that have been replaced by a new or superseding patch, commonly because the previous code became outdated or developed subsequent flaws. As such, the old patch that has been replaced is known as a “superseded patch”, as a new one has taken its place.

Vendors and developers need to constantly create new patches to counteract flaws or bugs that pop up in their software and operating systems, not only to safeguard users and their information, but also to prevent cyberattacks and hackers from accessing critical data.

As such, routine vulnerability scanning and customer reports are essential to the development and release of new patches that supersede former patches.

Often, these patches are part of a long chain of more and more recent ones, all of which supersedes the previous one. Each one has a specific and sequential CVE reference number that has provisions for a specific vulnerability as noted by the Common Vulnerabilities and Exposures Numbering Authority.

This is also a handy way to understand which patch is the most recent, when searching for the latest security download, as the most up-to-date release will typically have a higher number than its superseded counterparts.

Why Should You Know About Superseded Patches?

But why do you need to know about superseded patches? Well, understanding the way superseded patches work and how to identify them is essential to protecting your computer system and important data from cyberattacks and other tech malware.

Not only should you be constantly applying the newest and most comprehensive patches to your system and software, but knowing the difference between older patches and the ones that supersede them is important.

Instead of wasting time and your computer system’s processing power to download and apply a superseded patch that has already been updated and thus rendered virtually obsolete, you can focus on only scanning for the latest versions and installing these new patches alone.

Plus, when it comes to large-scale code fixes such as Microsoft superseded patches, you will often find that a particular patch might not install if a newer one has already been released, something that can become problematic for your patch schedule and security protocols.

Also known as missing patches, these could report false positives for new plugins and patch downloads, your update process might result in skipped steps and problematic vulnerability scanning which can negatively impact your cloud security solution or cloud direct connect.

Patch Supersedence: How It Works

So, how does patch supersedence even work? Well, the point of having a new version that supersedes older patches is to convey better efficiency of the update file, support the newest versions of applications or operating systems, or fix a vulnerability from a previous update.

To make this work, there are four key aspects to consider in this context— the operating system, architecture, service pack, and service release of your computer infrastructure.

Thankfully, most Microsoft patches are handled through the Windows Server Update Services (WSUS), so you don’t have to do a lot of the mental gymnastics involved with distinguishing the updated files from superseded patches.

But you do need to pay attention to the supersedence status of patches that run through the WSUS console and your Microsoft vulnerability scanner, as not all automated suspended updates are declined by the program.

Scanning reports of your supersedence patch relationships is important to prevent an older code from being employed and causing vulnerability scanning to either skip an update or become bogged down by a missing patch in the supersedence sequencing.

There are some situations where installing an older patch is the recommended course of action, such as if your incumbent or client systems run on an older operating system not supported by the newer updates, but this is a more niche occurrence.

How Can You Tell If A Microsoft Patch Is Superseded?

To prevent yourself from downloading an obsolete patch that could cause some havoc on your system’s further automated updates, determining whether or not you are dealing with Microsoft superseded patches is key.

The best way to assess the validity of a patch is by checking the cumulative body of other patches in the same chain. Try the following methods to figure out if the code is on Microsoft superseded patches list:

  1. Visit the Microsoft Technical Documentation portal, and input the CVE number or MS update code of the patch in question. It should show the latest update in the chain that you can match up with your installation.
  2. On your Windows desktop, navigate to Dashboard → Patches → Installed Security Updates. This will bring up a list of your latest update downloads, and you can toggle to the Details panel of the patch in question. Follow the Support URL and check for update information on the site.

What Impact Does Patch Supersedence Have On Deploying Patches On Devices?

Installing the wrong patch on a new operating system can significantly decrease its ability to run. Not only does it waste time and resources to download a superseded patch on an updated system, but deploying too many patches to your system can sometimes harm its processes.

While older vulnerabilities can sometimes be addressed with a superseded patch, it’s generally recommended to keep your security updates and patch codes as recent as possible for the best possible protection of users and data alike!


Superseded patches might not be able to protect your computer systems as well as the newest codes, but they are still essential to understand to make sure you are choosing the right patches for your infrastructure’s safety.

Not only can you have a better grasp of the entire security update process, but your understanding of supersedence in patches will help you keep your software up-to-date and your data safe.

Ben Ferguson

Ben Ferguson

Ben Ferguson is the Vice President and Senior Network Architect for Shamrock Consulting Group, an industry leader in digital transformation solutions. Since his departure from Biochemical research in 2004, Ben has built core competencies around cloud direct connects and cloud cost reduction, enterprise wide area network architecture, high density data center deployments, cybersecurity and Voice over IP telephony. Ben has designed hundreds of complex networks for some of the largest companies in the world and he’s helped Shamrock become a top partner of the 3 largest public cloud platforms for AWS, Azure and GCP consulting. When he takes the occasional break from designing networks, he enjoys surfing, golf, working out, trying new restaurants and spending time with his wife, Linsey, his son, Weston and his dog, Hamilton.

Learn About Our Best Price Guarantee