Q: I thought Server Core would give me a smaller number of patches required than a Server with a GUI installation; however, I seem to have the same number of critical updates requiring reboots when I run Windows Update--why is that?
A: I looked into this, and it's actually quite tricky. There are several binaries present on Server Core that are used; however, vulnerabilities that might get patched in the binary don't always apply to Server Core.
The problem is Windows Update will see the binary present and patch it and therefore require a reboot, but if you read the security bulletin related to the patch, it will say whether this actually applies to Server Core or not.
For example, in the past year there have been around 10 critical patches with bulletins; however, less than half of these were actually needed on Server Core. If you hadn't read the bulletins and had just run Windows Update, they would all have been applied.
This means if you want optimal Server Core patching with the fewest possible reboots, you can't just run Windows Update. Instead you need to verify the security bulletins for critical updates to check if they actually apply to Server Core or not. On the plus side, this does show even without the patching that Server Core is inherently less susceptible to vulnerabilities.
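The workflow the answer describes (look at what Windows Update is about to install, then decide per bulletin whether it applies to Server Core) can be made repeatable with the Windows Update Agent COM API. The script below is an added example, not code from the original Q&A. It assumes the standard `Microsoft.Update.Session` COM object and the `ServerLevels` registry key that Windows Server 2012 and later use to record the installation option; the bulletin IDs in `$NotApplicableOnCore` are constructed placeholders that you would replace with IDs you have personally verified against each bulletin's "Affected Software" table.

```powershell
# Added example (not from the original post). Reports pending updates from the Windows
# Update Agent, including MSRC severity, bulletin IDs and reboot behaviour, and flags
# those whose bulletins an administrator has already verified as not applicable to the
# Server Core installation option.

# Placeholder list (constructed, not real bulletin numbers). Populate it only from your
# own reading of the bulletins; nothing here parses bulletins automatically.
$NotApplicableOnCore = @('MSyy-nnn', 'MSyy-mmm')

# Detect the Server Core installation option from the ServerLevels registry key
# (present on Windows Server 2012 and later; absent on older releases).
function Test-ServerCore {
    $path   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels'
    $levels = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $levels) { return $false }
    # Server Core has ServerCore=1 and no Server-Gui-Shell value.
    return ($levels.ServerCore -eq 1 -and $levels.'Server-Gui-Shell' -ne 1)
}

# Enumerate updates Windows Update would offer this host and annotate each one.
function Get-PendingUpdateReport {
    param([switch]$OnlyCritical)

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Not yet installed, not hidden, software (not driver) updates.
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    foreach ($update in $result.Updates) {
        if ($OnlyCritical -and $update.MsrcSeverity -ne 'Critical') { continue }

        $bulletins = @($update.SecurityBulletinIDs)
        $kbs       = @($update.KBArticleIDs | ForEach-Object { "KB$_" })

        # RebootBehavior: 0 = never reboots, 1 = always requires reboot, 2 = can request reboot.
        $reboot = switch ($update.InstallationBehavior.RebootBehavior) {
            0       { 'NeverReboots' }
            1       { 'AlwaysRequiresReboot' }
            2       { 'CanRequestReboot' }
            default { 'Unknown' }
        }

        # An update is flagged when any of its bulletins is on the verified-N/A list.
        $verified = @($bulletins | Where-Object { $NotApplicableOnCore -contains $_ }).Count -gt 0
        $verdict  = if ($verified) { 'Verified N/A on Core: review before installing' } else { 'Install' }

        [pscustomobject]@{
            Title     = $update.Title
            Severity  = $update.MsrcSeverity
            Bulletins = ($bulletins -join ',')
            KB        = ($kbs -join ',')
            Reboot    = $reboot
            Verdict   = $verdict
        }
    }
}

if (-not (Test-ServerCore)) {
    Write-Warning 'This host does not report the Server Core installation option; the verified-N/A list may not apply.'
}

Get-PendingUpdateReport -OnlyCritical | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the Server Core host before approving updates. The report is deliberately read-only: it does not install or hide anything, so the decision to skip an update stays with the administrator who has read the bulletin. If you do decide to suppress a verified-N/A update so that Windows Update stops offering it, the same `IUpdate` object exposes a settable `IsHidden` property, and the `Reboot` column tells you which of the remaining updates are the ones actually forcing a reboot.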