Do I run Windows Update on Host or Container?

I’ve read in several places that when using a Windows Server container (not a Hyper-V container) the version and build number of the host must be an exact match for the version and build number of the container. With that in mind, I’m a bit confused about where I should run my Windows Updates.

Right now, for example, I’m running Windows 2016 (version 10.0, build 14393) on both the host and container. Now let’s say Microsoft releases an update tomorrow via Windows Update which brings the build number of my host up to 15000. What then shall I do with the container? Do I run Windows Update there as well? Do I download a new base OS container image? If so, what if I’ve already made alterations to my original image (e.g. installed SQL Server or IIS)? Would I then lose those changes and start over with a new base OS image?

@codefanatic I recommend rebuilding the container image on the updated base OS layer and re-deploying. I don’t think Windows Update runs in a container just yet.

Got it. That makes sense.
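
The rebuild-and-redeploy approach recommended above, as an added PowerShell example that is not from the thread: it pulls the current base image, compares its version and build number with the host's, and rebuilds the application image from a Dockerfile so that customisations such as IIS are reapplied instead of lost. The base image tag, the application image name `example/iis-app` and the generated Dockerfile are assumptions made for illustration.

```powershell
# Added example; image names and Dockerfile content are assumed, not from the thread.
param(
    [string]$BaseImage = 'mcr.microsoft.com/windows/servercore:ltsc2016',  # assumed base tag
    [string]$AppImage  = 'example/iis-app:latest'                           # hypothetical name
)

function Get-HostOsVersion {
    # Host version, build and update revision as recorded in the registry.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber,
        $cv.CurrentMinorVersionNumber, $cv.CurrentBuildNumber, $cv.UBR)
}

function Get-ImageOsVersion([string]$Image) {
    # Windows images record the OS version they were built from.
    $raw = docker image inspect --format '{{.OsVersion}}' $Image
    if ($LASTEXITCODE -ne 0) { throw "docker image inspect failed for $Image" }
    [version]$raw.Trim()
}

function Test-SameBuild([version]$A, [version]$B) {
    # Version and build number must match (the requirement quoted in the question).
    $A.Major -eq $B.Major -and $A.Minor -eq $B.Minor -and $A.Build -eq $B.Build
}

# 1. Fetch the patched base layer instead of running Windows Update in a container.
docker pull $BaseImage
if ($LASTEXITCODE -ne 0) { throw "docker pull failed for $BaseImage" }

# 2. Refuse to build if the host and the base image are on different builds.
$hostVer = Get-HostOsVersion
$baseVer = Get-ImageOsVersion $BaseImage
if (-not (Test-SameBuild $hostVer $baseVer)) {
    throw "Host is $hostVer but $BaseImage is $baseVer; update the host or pick a matching tag."
}

# 3. Keep customisations in a Dockerfile so every rebuild reapplies them.
$buildDir = Join-Path $env:TEMP 'iis-app-build'
New-Item -ItemType Directory -Force -Path $buildDir | Out-Null
@"
FROM $BaseImage
RUN powershell -Command Install-WindowsFeature Web-Server
"@ | Set-Content -Path (Join-Path $buildDir 'Dockerfile') -Encoding ASCII

docker build -t $AppImage $buildDir
if ($LASTEXITCODE -ne 0) { throw "docker build failed for $AppImage" }
Write-Output "Rebuilt $AppImage on base $baseVer (host $hostVer); redeploy containers from it."
```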