Managing Windows updates

The process of managing updates to the application stack for your Docker image applies to Windows updates too. You wouldn't connect to a running container to update the version of Node.js it uses, and you wouldn't run Windows Update either.

Microsoft releases a combined set of security patches and other hotfixes for Windows as a Windows update, typically on a monthly basis. At the same time, it publishes new versions of the Windows Server Core and Nano Server base images, and any dependent images, on Docker Hub and Microsoft Container Registry. The version number in the image tag matches the hotfix number of the Windows release.

It's a good practice to explicitly state the Windows version to use in the FROM instruction in your Dockerfile and use specific versions of any dependencies you install. This makes your Dockerfile deterministic—any time you build it in the future, you will get the same image with all the same binaries as a result.

Specifying the Windows version also makes it clear how you manage Windows updates for your Dockerized applications. The Dockerfile for a .NET Framework application may start like this:

FROM mcr.microsoft.com/windows/servercore:1809_KB4471332

This pins the image to Windows Server 2019 with update KB4471332. That's a searchable Knowledge Base ID that tells you it's the December 2018 update of Windows. When a new Windows base image is released, you update your application by changing the tag in the FROM instruction and rebuilding your image, in this case by using release KB4480116, which is the January 2019 update:

FROM mcr.microsoft.com/windows/servercore:1809_KB4480116

I'll cover automated build and deployment in Chapter 10, Powering a Continuous Deployment Pipeline with Docker. With a good CI/CD pipeline, you can rebuild your images with a new Windows version and run all your tests to confirm that the update doesn't impact any features. Then, you can roll out the update to all your running applications with no downtime by using docker stack deploy or docker service update, specifying the new versions of your application images. The whole process can be automated, so the IT Admin's pain on Patch Tuesday disappears with Docker.
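A check that a CI pipeline could run before the build, so that a Windows base image without a KB-pinned tag fails fast. This is an added example, not code from the book: the function name audit_dockerfile and the sample Dockerfile are constructed, and the tag pattern is inferred from the two FROM lines shown above.

```python
import re

# Tag shape taken from the two FROM lines on this page: <release>_KB<number>.
KB_TAG = re.compile(r"^[0-9A-Za-z]+_KB\d+$")
WINDOWS_REPO = "mcr.microsoft.com/windows/"  # registry path used on this page


def audit_dockerfile(text):
    """Return (line_no, image, problem) for each Windows base image not pinned to a KB."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].upper() != "FROM":
            continue
        # Skip options such as --platform=...; the first remaining word is the image.
        args = [p for p in parts[1:] if not p.startswith("--")]
        if not args or not args[0].lower().startswith(WINDOWS_REPO):
            continue  # build-stage names and non-Windows images are out of scope
        image = args[0]
        if "@" in image:
            continue  # pinned by digest, which is also deterministic
        _, sep, tag = image.rpartition(":")
        if "$" in image:
            problem = "image reference uses a build argument and cannot be checked here"
        elif not sep:
            problem = "no tag, so Docker resolves it to :latest"
        elif not KB_TAG.match(tag):
            problem = f"tag '{tag}' does not name a KB update"
        else:
            continue
        findings.append((line_no, image, problem))
    return findings


# Constructed sample Dockerfile, not taken from the book.
SAMPLE = """\
FROM mcr.microsoft.com/windows/servercore:1809_KB4480116 AS builder
RUN echo build
FROM --platform=windows/amd64 mcr.microsoft.com/windows/nanoserver:1809
FROM mcr.microsoft.com/windows/servercore
FROM builder AS final
"""

if __name__ == "__main__":
    for line_no, image, problem in audit_dockerfile(SAMPLE):
        print(f"line {line_no}: {image}: {problem}")
```

Failing the build on any finding keeps the Windows patch level an explicit, reviewed change to the Dockerfile.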
