Last week's debacle with macOS Mojave, High Sierra and Sierra updates seems to have resulted in a problem with the T2 chip firmware update. So why did Apple pull both security updates, even for Macs that do not have a T2 (or T1) chip?
Before Apple shipped Macs with T1 / T2 chips, all EFI and other firmware updates were built into the update installer. When you installed an update using softwareupdate or the App Store, what was downloaded to the Mac was all that was needed. This made it possible for Apple to release standalone installer packages that did exactly the same. If your Mac was not connected to the Internet, it was easy to copy over a standalone installer, run it, and any firmware updates were applied automatically without the need for additional downloads.
This was changed with T1
In theory, at least, if the issues in Security Update 2019-004 were limited to the T1 / T2 firmware update, Apple could have left the two updates available for models that do not have T1 / T2 chips. However, with a standalone general-purpose installer, this would have required changing its scripts to prevent it from being installed on models with T1 / T2 chips. There may also have been a need for changes to the update itself, so Apple's best option was to pull the entire installer until these issues were addressed.
This becomes more complicated because you can also run a Software Update Server locally, as most system administrators do. That server holds a copy of the updates that would normally be delivered directly from Apple's servers, including T1 and T2 firmware updates. When a Mac on that network is updated, the T1 / T2 firmware update is retrieved from the local server instead of from Apple's servers.
To prevent the corrupted T1 / T2 firmware updates from still being served to local Macs, Apple pulled the affected firmware update from its servers, and that change is reflected in the thousands of local mirrors. This is what we – and I acknowledge here the information from Al Varnell and Macintosh – saw earlier this week. Apple had pulled both the standalone security update installers and one of the T2 firmware updates.
The consequences of a failed firmware update for a T2 chip are also quite serious. At best, you need a new Mac for recovery, and in the worst case you have to take or send your Mac to a service provider for some hairy software surgery. Updating a T2 is not a trivial process.
In such situations, someone from Apple usually speaks to one of the commercial publications and "leaks" what Apple wants users to know. In this case, there was only silence, and normally informative websites did not even notice what was going on. However, there has been good coverage on the independent Macintouch site, and of course by Mr. Macintosh. But all we can do is study what users are reporting and see what Apple pulls and pushes.
Some users point out that all this is made more complicated by the use of T2 chips, which of course is true. But the onus is on Apple to ensure that when it releases firmware updates, they do not cause this type of problem. Apple has done quite well lately, but this time it has compounded our problems by remaining completely uncommunicative. The result will surely be that future updates will not be adopted as quickly or enthusiastically, harming both Apple and its customers.
When all your hardware runs Apple firmware and software, losing confidence in their updates is a serious blow. With Catalina arriving in just a few months, it could not have happened at a worse time.