In an enterprise environment, you rely on a service that tracks CVEs, analyzes which ones apply to your environment, and prioritizes security critical updates.
The issue here is that one of these services installed a release upgrade because Microsoft mislabelled it as security update.
They labelled an OS version upgrade as a security update.
Yet another reason to not do auto-updates in an enterprise environment for mission-critical services.
In an enterprise environment, you rely on a service that tracks CVEs, analyzes which ones apply to your environment, and prioritizes security critical updates.
The issue here is that one of these services installed a release upgrade because Microsoft mislabelled it as security update.
Should still be doing phased rollouts of any patches, and where possible, implementing them on pre-prod first.