In our environment, we use Kace to deliver Microsoft security patches to our Windows Servers. We also use the setting to inactivate superseded patches to reduce patch installation redundancy.

I found the July Windows Server 2016 cummulative update, KB4025339, was superseded a week later by KB4025334, which is a non-security update. This completely messes up my patching workflow.

My current options, as I see it, are to either included non-security updates in my patching catalog and figure out which ones I am going to allow, or to allow superseded patches to remain active.

Based on this, in my opinion, a security update should not be able to be superseded unless it is superseded by another security update.

I attempted working with support, but they said they are dependent on how Microsoft classifies updates. I think this will become more visible as Server 2016 gets more adoption.