Security Update 2015-002

  • March 10, 2015
  • 27 replies
  • 105 views

  • Contributor
  • April 5, 2016

@elliotjordan That seems like a lot of work which will require updating over time with each new update, which Apple are already handling for you.

Apple has this logic built into the installer (and there were 3 different installers for 2015-002). The Software Update mechanism will choose the correct one for you. Using 2015-002 as an example:

$ cat 031-17121.English.dist | grep "system.compareVersions"
    if (system.compareVersions(system.version.ProductVersion, '10.9') < 0 || system.compareVersions(system.version.ProductVersion, '10.10') >= 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.9') < 0 || system.compareVersions(my.target.systemVersion.ProductVersion, '10.10') >= 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.9.5') < 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.9.5') > 0) {
    if (system.compareVersions(plistKeyValue, '13F34') > 0) {
    if (system.compareVersions(plistKeyValue, '13F34') < 0) {

$ cat 031-18424.English.dist | grep "system.compareVersions"
    return system.compareVersions(lhsMatch.slice(1).join(","), rhsMatch.slice(1).join(","));
    if (system.compareVersions(system.version.ProductVersion, '10.10') < 0 || system.compareVersions(system.version.ProductVersion, '10.11') >= 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.10') < 0 || system.compareVersions(my.target.systemVersion.ProductVersion, '10.11') >= 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.10.2') < 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.10.2') > 0) {
    if (system.compareVersions(plistKeyValue, '14C2000') >= 0) {
    if (system.compareVersions(plistKeyValue, '14C1000') >= 0) {

$ cat 031-17115.English.dist  | grep "system.compareVersions"
    if (system.compareVersions(system.version.ProductVersion, '10.8') < 0 || system.compareVersions(system.version.ProductVersion, '10.9') >= 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.8') < 0 || system.compareVersions(my.target.systemVersion.ProductVersion, '10.9') >= 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.8.5') < 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.8.5') > 0) {

If you want to know if there is an update available, run software update with the list option and then read the plist back.

$ softwareupdate -l
$ defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist RecommendedUpdates

There is some talk on this in post Jamfnation #19323

If you want to know if updates are installed:

$ grep "Security Update 2016-002" /Library/Receipts/InstallHistory.plist
        <string>Security Update 2016-002</string>

The final logic would be that if softwareupdate didn't return anything and it isn't in the install history, either you've forgotten to enable the update on your internal update server (if you have one) or the current OS does not think it requires the update based on Apple's logic.
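
The decision logic from the post above, as an added example that is not part of the original post: it parses the two plists instead of grepping them and classifies an update as installed, pending, or not offered. The sample data is constructed, and the key names (`displayName` in InstallHistory.plist, `Display Name` under `RecommendedUpdates`) are assumptions about the usual layout of those files.

```python
import plistlib

# Constructed sample data (not from a real machine). Key names are assumptions
# about the usual layout of InstallHistory.plist and com.apple.SoftwareUpdate.plist.
SAMPLE_HISTORY = plistlib.dumps([
    {"displayName": "OS X Update", "displayVersion": "10.10.2",
     "processName": "softwareupdated"},
    {"displayName": "Security Update 2015-002", "displayVersion": "1.0",
     "processName": "softwareupdated"},
])
SAMPLE_PREFS = plistlib.dumps({
    "RecommendedUpdates": [
        {"Display Name": "Security Update 2016-002", "Display Version": "1.0",
         "Identifier": "placeholder-identifier", "Product Key": "000-00000"},
    ],
})


def installed_names(history_bytes):
    """Display names recorded in InstallHistory.plist (an array of dicts)."""
    return {e.get("displayName", "") for e in plistlib.loads(history_bytes)}


def recommended_names(prefs_bytes):
    """Display names left in RecommendedUpdates by the last `softwareupdate -l`."""
    prefs = plistlib.loads(prefs_bytes)  # handles XML and binary plists
    return {u.get("Display Name", "") for u in prefs.get("RecommendedUpdates", [])}


def update_status(name, history_bytes, prefs_bytes):
    """Classify one update following the logic at the end of the post."""
    if name in installed_names(history_bytes):
        return "installed"
    if name in recommended_names(prefs_bytes):
        return "pending"
    # Neither installed nor offered: not enabled on the internal update
    # server, or the OS does not think it requires the update.
    return "not-offered"


if __name__ == "__main__":
    for n in ("Security Update 2015-002", "Security Update 2016-002",
              "Security Update 2016-001"):
        print(n, "->", update_status(n, SAMPLE_HISTORY, SAMPLE_PREFS))
```

On a Mac, pass the bytes of `/Library/Receipts/InstallHistory.plist` and `/Library/Preferences/com.apple.SoftwareUpdate.plist` in place of the samples, after running `softwareupdate -l` so the recommended list is current.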


elliotjordan
  • Valued Contributor
  • April 5, 2016

It does seem like a lot of work, doesn't it? Won't it be nice when we can do a simple "Operating System is less than 10.11.4"?