LoginWhy was the 26.2 update much larger for some than others?
Several of those who have already updated to macOS Tahoe 26.2 have remarked how much larger their download was than the 3.78 GB expected for Apple silicon Macs, with some reporting over 10 GB. Here I ponder how that could happen.
How is macOS now updated?
My understanding of the broad processes involved in current macOS updates is that the total downloaded for Macs of the same architecture starting from the same version should be identical.
Major components required for each update include:
- contents of the System volume that have changed from the starting version for that update;
- standard cryptexes containing Safari and its supporting components, and dyld caches. The latter differ between Intel Macs, which only receive Intel versions, and Apple silicon Macs, which receive Intel versions to support Rosetta 2 as well as their own Arm versions. Those probably account for much of the difference in size between Intel and Apple silicon updates. Note that Apple silicon Macs may also require updates to cryptexes used in AI, but those are most likely obtained outside the macOS update;
- architecture-specific firmware;
- new Recovery system;
- the ‘update brain’ to run the update, including creation of the new SSV with its hash tree.
Those contrast with what’s required for a full installer upgrade (or reinstall), which consists of a single Universal app containing the whole contents of the SSV, cryptexes and firmware for both architectures, Recovery and the update brain.
Following decompression of the download, changed components are installed in the System volume, a snapshot made of that, and its hash tree is constructed. Updated cryptexes replace those from the previous version, the new Recovery system and firmware updates are installed.
For all Macs of both architectures being updated from the previous public release of macOS, creation of the new SSV should be identical, as their old SSVs are all signed with the same signature, as their contents are identical.
Combo updates
In any update, changed contents of the System volume depend greatly on the starting version of macOS installed. Updating from a previous beta can require different files to be replaced, compared with those from the last public release. In some cases, Apple may be able to provide a single updater that will convert both a Release Candidate and the last public release into the new version.
If that’s not feasible, Macs that are updating from a beta, or a public release before the last, will require what we used to call a Combo update, consisting of all changed contents since the last major version, in this case 26.0. Combo updates are inevitably significantly larger than single-step Delta updates from the last public release, but should remain smaller than a full installer.
Recent upgrades between major versions of macOS, such as 15.6 to 26.0, have tried to avoid full installers where possible, by adopting what’s effectively a Combo-style update, but slightly larger as a Combo+.
Thus, updates to 26.2 most probably consist of:
- a Delta update from the last public release, 26.1, which might also be suitable for some beta releases;
- a Combo update from 26.0, 26.0.1 or some beta releases.
- a Combo+ update or full installer from earlier major versions of macOS.
As later minor versions are released, the size of the Combo update rises, as it’s required to incorporate more changes than for previous updates.
What would be surprising would be for two Macs of the same architecture updating from the same starting version of macOS to be provided with updates of significantly different size. I look forward to hearing from you if you consider that happened with the 26.2 update.
No BSI/RSR
What is puzzling about the 26.2 update is that it wasn’t preceded by a Background Security Improvement (BSI) or Rapid Security Response (RSR). Two of the top security vulnerabilities fixed in 26.2 (and in the Safari updates for 15.7.3 and 14.8.3) are both in WebKit, which is supplied in the Safari cryptex. These are for CVEs 2025-43529 and 2025-14174. Both were documented as already being exploited in older versions of macOS, in sophisticated attacks on targeted individuals. Both would appear to have been suitable for distribution prior to 26.2 in updated cryptexes, either by the existing RSR system or its replacement in Tahoe 26.1 of the BSI.
This appears to have been another missed opportunity for an RSR/BSI to have proved its value.
