Install Servicing Stack Updates Before Other Updates
Currently, when servicing stack updates and regular updates are deployed in the same software update group, the patches do not apply in a determinant order. This leads to cases where a cumulative update that requires a new servicing stack is installed before the servicing stack itself.
While this can be worked around by separately deploying the servicing stack update before updates that require said servicing stack, it would be much more convenient if the update installation process checked if there are any servicing stack updates to be deployed and automatically installed them first
This more or less a dupe of this: https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/34608748-run-software-update-evaluation-after-updates-have
The patches _do_ apply in a determinate order. If the metadata for a CU requires a SSU then the CU will not be applicable and therefore not be offered for install in the first place.
As much as I would love this, it is a far wider problem with the Servicing Stack. This should be resolved at the OS level, not the Config Mgmt level.
They need to address the entire issue of SSU updates in general, why do we need them, why are they different from other updates, why aren't they identified as SSU in some way etc.
Fix the updates themselves and we wont need to modify SCCM
Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes. For more information, see Servicing stack updates.
If SSU's aren't installed first, they cause the:
1. BSOD we had back in January 2018
2. Loss of USB we had in February 2018
"You have to get them installed first. To have them install second/or not at all can crater a machine." (credit: Patch Lady Susan)
In my experience, the installation order in ConfigMgr is random and given the importance of having the SSU installed first, we can't just install the SSU first and then LCU after, because once the deployment deadline is passed (for example a newly built machine), we can't guarantee the order.