[sc:windows-category ]Last month Microsoft released several patches and KB3002885 was included in the list. When my 2012 servers applied the patches, this patched failed.
To compound the issue, when a single patch fails, Windows rolls back all the patches that were applied at the same time.
This meant that every couple of nights, my servers would reboot and try once more to apply the patch, fail and roll back the changes.
I didn’t have time to look at the problem until recently and really just kind of expect Microsoft to release a new version of the patch which would solve the issue, but that hasn’t happened so it was time to do some investigation.
Checking the “Update History” revealed a couple of different error codes (80073AA2 was common), which didn’t really seem to help, so the first step was to track down exactly which update was failing (Windows doesn’t tell you which one failed, it just marks them all as failed).
While a simple task (just select half the updates and see if it fails, if so select half of those and try again) it does take quite a while to go through the 20 updates and find the one that was broken. In the end it as the patch for KB300285 that was failing.
Doing some research didn’t turn anything obvious us, but after searching the net for a while I did find a reference to a similar problem being caused by corruption in registry, specifically the HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT hive.
The general consensus was to simply delete the entire hive, instead I renamed it and then re-applied the patch, which worked.
Windows recreated the hive with much less information in it, doing a quick comparison to the original hive turned up only a single key that was missing. I exported that key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{8c416c79-d49b-4f01-a467-e56d3aa8234c}), deleted the new hive, renamed the old one and re-imported the changes.
On my next server I decided to try and just import the missing key and then apply the patches, but that didn’t work.
I had to rename the hive and apply the patches on each of the servers by hand. While this was tedious, it has resolved the issue.
