Microsoft's recent Security Updates for Visual Studio break Windows Installer Updates

This problem was brought up in a question on the InstallSite Forum and is also mentioned in a blog post by Gauravb (who appears to be a Microsoft employee).

The typical symptom is missing or not updated files after you install a Small or Minor Update to your application (Major Upgrades are not affected). In the installer log file you'll notice that some features have been switched to "advertised" state instead of being installed locally. The actual cause is noted in a SELMGR error message in the log, similar to this:

SELMGR: ComponentId '{-GUID-}' is registered to feature '-Feature-Name-', but is not present in the Component table. Removal of components from a feature is not supported!

This happens if your setup includes a merge module like Microsoft_VC80_CRT_x86.msm and you rebuilt your setup package after installing security updates 971090 and 973673 for Visual Studio 2005 SP1 or 971092 and 973675 for Visual Studio 2008 SP1. These security updates install newer versions of merge modules.

Apparently a component that existed in the original version of the merge module has been removed in the updated msm. Removing a component is a violation of Windows Installer's rules for Small and Minor Updates.

Affected Merge Modules and GUIDs

Visual Studio 2005 SP1

I examined the merge modules installed by Visual Studio 2005 SP1 and updated by security updates 971090 and 973673. I found that all of these merge modules are affected by this problem, i.e. they have components removed:

  • Microsoft_VC80_ATL_x86.msm
    Removed 2 components with GUIDs {9B2CAF3C-B0AB-11EC-B01F-C8B3B9A1E18E} and {9B2CAF3C-B0AB-11EC-C01F-C8B3B9A1E18E}
  • Microsoft_VC80_CRT_x86.msm
    Removed 2 components with GUIDs {9BFFB8F8-F55F-10B2-C01F-C8B3B9A1E18E} and {9BFFB8F8-F55F-10B2-B01F-C8B3B9A1E18E}
  • Microsoft_VC80_DebugCRT_x86.msm
    Removed 2 components with GUIDs {583FF03B-A196-24C8-C01F-C8B3B9A1E18E} and {583FF03B-A196-24C8-B01F-C8B3B9A1E18E}
  • Microsoft_VC80_DebugMFC_x86.msm
    Removed 2 components with GUIDs {55141F6E-A388-29A8-C01F-C8B3B9A1E18E} and {55141F6E-A388-29A8-B01F-C8B3B9A1E18E}
  • Microsoft_VC80_DebugOpenMP_x86.msm
    Removed 2 components with GUIDs {8E601675-4F66-A4DE-B01F-C8B3B9A1E18E} and {8E601675-4F66-A4DE-C01F-C8B3B9A1E18E}
  • Microsoft_VC80_MFC_x86.msm
    Removed 2 components with GUIDs {9EE2A7ED-8A13-0C17-C01F-C8B3B9A1E18E} and {9EE2A7ED-8A13-0C17-B01F-C8B3B9A1E18E}
  • Microsoft_VC80_MFCLOC_x86.msm
    Removed 2 components with GUIDs {7831D131-CCF1-43EF-C01F-C8B3B9A1E18E} and {7831D131-CCF1-43EF-B01F-C8B3B9A1E18E}
  • Microsoft_VC80_OpenMP_x86.msm
    Removed 2 components with GUIDs {218504D2-AA7D-7B33-B01F-C8B3B9A1E18E} and {218504D2-AA7D-7B33-C01F-C8B3B9A1E18E}
  • policy_8_0_Microsoft_VC80_ATL_x86.msm
    Removed 1 component with GUID {6967BA9D-3E8C-8E05-C01F-C8B3B9A1E18E}
  • policy_8_0_Microsoft_VC80_CRT_x86.msm
    Removed 1 component with GUID {671DDE41-A620-9193-C01F-C8B3B9A1E18E}
  • policy_8_0_Microsoft_VC80_DebugCRT_x86.msm
    Removed 1 component with GUID {5A7EB616-E2EE-6D78-C01F-C8B3B9A1E18E}
  • policy_8_0_Microsoft_VC80_DebugMFC_x86.msm
    Removed 1 component with GUID {5D61A50B-77A2-68DD-C01F-C8B3B9A1E18E}
  • policy_8_0_Microsoft_VC80_DebugOpenMP_x86.msm
    Removed 1 component with GUID {8506B23C-BABD-5C8B-C01F-C8B3B9A1E18E}
  • policy_8_0_Microsoft_VC80_MFC_x86.msm
    Removed 1 component with GUID {6BEC5B24-C056-8A14-C01F-C8B3B9A1E18E}
  • policy_8_0_Microsoft_VC80_MFCLOC_x86.msm
    Removed 1 component with GUID {D5A7A18A-DEA5-8DD7-C01F-C8B3B9A1E18E}
  • policy_8_0_Microsoft_VC80_OpenMP_x86.msm
    Removed 1 component with GUID {07EE8801-38A9-ABAC-C01F-C8B3B9A1E18E}

Visual Studio 2008 SP1

I also examined the merge modules installed by Visual Studio 2008 SP1 and updated by security updates 971092 and 973675. I found that all of these merge modules are affected by this problem, i.e. they have components removed:

  • Microsoft_VC90_ATL_x86.msm
    Removed 4 components with GUIDs {2F605F26-3021-38F6-AC31-175C0DFA59B9}, {76C3F0F6-9B9D-35DA-81C6-CA8A88CC93CA}, {DBD31579-020A-349E-8ED6-D06FEA75AF45}, and {86226397-23DB-3430-8C8A-AEA661B1AE77}
  • Microsoft_VC90_CRT_x86.msm
    Removed 4 components with GUIDs {AEC90EFE-39B8-3978-8A5D-068FEF83D275}, {B708EB72-AA82-3EB7-8BB0-D845BA35C93D}, {1A5C156B-3CC3-36E3-BAD7-9FD0D48156D3}, and {68D7E2DF-5BC5-318C-AF19-19D1D29ED692}
  • Microsoft_VC90_DebugCRT_x86.msm
    Removed 4 components with GUIDs {58425F02-9D68-3D93-85D9-39B29E29BC7B}, {BAD864A4-C2C0-3C54-8964-B268B7016DEC}, {FC82857E-2B1F-3E92-A906-97FD9825D3C7}, and {0BDD8003-3267-389F-813F-AD12EC5DC534}
  • Microsoft_VC90_DebugMFC_x86.msm
    Removed 4 components with GUIDs {F0A00871-E0E2-32B2-A659-FE4DA7002A2D}, {342BA686-A9E6-3FB4-AFC0-7034FF188D52}, {7E7F1AD6-F52E-3AE6-BAA5-32B96EE05F4E}, and {B833CE77-211C-355F-9DBB-294FD746EF17}
  • Microsoft_VC90_DebugOpenMP_x86.msm
    Removed 4 components with GUIDs {5586775C-EA44-30E2-A3E2-5C50F4EA39A0}, {B0C784B6-DDCC-3D69-A33A-5DE42951883C}, {E59B8FDA-55AE-3049-96FC-606E8C5BF2BE}, and {8FD717AF-E0E2-365E-8445-AECD9A21E5A0}
  • Microsoft_VC90_MFC_x86.msm
    Removed 4 components with GUIDs {D01CBF08-20B4-30C8-AF5A-96F9847E82A3}, {C6357C55-7461-3D51-9AE5-FD71CA24027A}, {611881C8-BE2F-393E-A04F-81C63DF00851}, and {15F67BFD-D6AA-3C8B-A1BB-C33E17E925C6}
  • Microsoft_VC90_MFCLOC_x86.msm
    Removed 4 components with GUIDs {5A06E1CC-89C9-3DB9-9BC8-5BFA56B58BFB}, {FF2F571A-6C54-31E3-B23E-2A60283B08A8}, {C9F2C40F-28CD-392C-A0C3-3AADEC130C0A}, and {4D8012CE-B2CE-3493-91B8-B8A9B982F6B8}
  • Microsoft_VC90_OpenMP_x86.msm
    Removed 4 components with GUIDs {A85D53AA-906D-31C5-96E3-E21BB9154E2C}, {D511F4F3-A911-32CF-AC11-9C97EF948BFC}, {B16F86FC-BD94-30FA-98AA-17ABE54F0478}, and {28B6B10C-E41F-302B-A673-01F436427522}
  • policy_9_0_Microsoft_VC90_ATL_x86.msm
    Removed 2 components with GUIDs {A62CCE52-C380-3111-BA7D-3D0EDFA31213} and {C2FCD113-35CA-3027-92CD-F2D646277CA1}
  • policy_9_0_Microsoft_VC90_CRT_x86.msm
    Removed 2 components with GUIDs {14F2B62D-DF5F-335F-A517-0991F44CB087} and {0355F5D0-467C-30E9-894C-C2FAEF522A11}
  • policy_9_0_Microsoft_VC90_DebugCRT_x86.msm
    Removed 2 components with GUIDs {C990308F-4696-3069-B753-AB178CE2007B} and {FBB763D7-1B85-36C2-B127-4577B3FC45A1}
  • policy_9_0_Microsoft_VC90_DebugMFC_x86.msm
    Removed 2 components with GUIDs {9B8A0715-C004-3493-8350-A387E1163D46} and {9EC89F44-FA15-308D-8582-22744424F0CF}
  • policy_9_0_Microsoft_VC90_DebugOpenMP_x86.msm
    Removed 2 components with GUIDs {A134D5FD-99B1-3230-89AC-C4F81B697BFC} and {19185A82-2047-34BF-BBE1-5E64579BE356}
  • policy_9_0_Microsoft_VC90_MFC_x86.msm
    Removed 2 components with GUIDs {6BFBB2DC-4F78-3217-ACCF-CD2838A84621} and {12EA53B4-340A-3F5D-B1BC-4A3BEC4A89A7}
  • policy_9_0_Microsoft_VC90_MFCLOC_x86.msm
    Removed 2 components with GUIDs {0FEBA8D0-5D22-3D3A-947D-559E29BF07DF} and {6F026C46-D6BC-3805-A3B0-117AF8473928}
  • policy_9_0_Microsoft_VC90_OpenMP_x86.msm
    Removed 2 components with GUIDs {8D71CE57-BDC3-34B0-ADAD-EA4C5AFC9664} and {649A198A-C19D-325F-BF3A-C7EAE62F5EF6}
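
To check whether a failed Small or Minor Update hit this problem, you can scan the installer log for the SELMGR message and look up each reported ComponentId in the lists above. The following is an added example, not code from the original post; the lookup table holds only the Visual Studio 2005 SP1 CRT entries, and the log prefix, feature names and the all-zero GUID in the sample are constructed. It assumes the log is either UTF-16 with a byte order mark or plain 8-bit text.

```python
import re
from collections import defaultdict

# Excerpt of the lists above (CRT modules for VS 2005 SP1 only):
# removed component GUID -> merge module it used to come from.
REMOVED = {
    "{9BFFB8F8-F55F-10B2-C01F-C8B3B9A1E18E}": "Microsoft_VC80_CRT_x86.msm",
    "{9BFFB8F8-F55F-10B2-B01F-C8B3B9A1E18E}": "Microsoft_VC80_CRT_x86.msm",
    "{671DDE41-A620-9193-C01F-C8B3B9A1E18E}":
        "policy_8_0_Microsoft_VC80_CRT_x86.msm",
}

# Matches the SELMGR message quoted earlier on this page.
SELMGR = re.compile(
    r"SELMGR: ComponentId '(\{[0-9A-Fa-f-]{36}\})' is registered to "
    r"feature '([^']+)', but is not present in the Component table")

def decode_log(raw: bytes) -> str:
    """Assumption: the log is UTF-16 with a BOM, else UTF-8/ANSI text."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def find_removed_components(raw: bytes) -> dict:
    """Return {feature: [(component GUID, merge module or None), ...]}."""
    hits = defaultdict(list)
    for guid, feature in SELMGR.findall(decode_log(raw)):
        entry = (guid.upper(), REMOVED.get(guid.upper()))
        if entry not in hits[feature]:      # the log may repeat a message
            hits[feature].append(entry)
    return dict(hits)

# Constructed sample log; feature names and the all-zero GUID are made up.
MSG_TEMPLATE = (
    "MSI (s) (A8:3C) [10:15:02:113]: SELMGR: ComponentId '{}' is "
    "registered to feature '{}', but is not present in the Component "
    "table. Removal of components from a feature is not supported!\r\n")
SAMPLE_LOG = (
    MSG_TEMPLATE.format("{9BFFB8F8-F55F-10B2-C01F-C8B3B9A1E18E}", "Runtime")
    + MSG_TEMPLATE.format("{9BFFB8F8-F55F-10B2-C01F-C8B3B9A1E18E}", "Runtime")
    + MSG_TEMPLATE.format("{00000000-0000-0000-0000-000000000001}", "Tools")
).encode("utf-16")

if __name__ == "__main__":
    for feature, comps in find_removed_components(SAMPLE_LOG).items():
        for guid, module in comps:
            print(f"{feature}: {guid} <- {module or 'not in excerpt'}")
```

A GUID that maps to None is a removed component that is not in the excerpt; extend the table with the remaining entries from the lists above before drawing conclusions from it.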

Workarounds

This means that if your setup includes any of these merge modules, the security update prevents you from shipping Small or Minor Updates. The workaround I'd recommend is using a Major Upgrade (i.e. change the ProductCode and add an entry in the Upgrade table) to update your application.

Gauravb's blog lists some other workarounds which I don't think are feasible:

  • Use the VC Redistributable Installer EXE package to install the runtime instead of the merge modules. - Good advice for new packages or Major Upgrades, but you can't remove the merge modules from your package in a Small or Minor Update.
  • Use the old version of the merge modules. - This means you would knowingly be installing a vulnerable file on your customer's computer.

Another potential workaround would be to add dummy components to your msi setup with the same GUIDs as the components that were removed from the merge modules. But that could cause conflicts with other msi files that include the original version of the module.

Published Sat, Sep 12 2009 2:30 by stefan