diff --git a/server/datastore/mysql/operating_system_vulnerabilities.go b/server/datastore/mysql/operating_system_vulnerabilities.go
index 177a059fcc..c9846d8354 100644
--- a/server/datastore/mysql/operating_system_vulnerabilities.go
+++ b/server/datastore/mysql/operating_system_vulnerabilities.go
@@ -113,10 +113,16 @@ func (ds *Datastore) InsertOSVulnerability(ctx context.Context, v fleet.OSVulner
 			operating_system_id = VALUES(operating_system_id),
 			source = VALUES(source),
 			resolved_in_version = VALUES(resolved_in_version),
-			updated_at = ?
+			updated_at = IF(
+				  VALUES(operating_system_id) = operating_system_id AND
+				  VALUES(source) = source
+				  AND VALUES(resolved_in_version) = resolved_in_version,
+			  updated_at,
+			  NOW()
+		  )
 	`
 
-	args = append(args, v.OSID, v.CVE, s, v.ResolvedInVersion, time.Now().UTC())
+	args = append(args, v.OSID, v.CVE, s, v.ResolvedInVersion)
 
 	res, err := ds.writer(ctx).ExecContext(ctx, sqlStmt, args...)
 	if err != nil {
diff --git a/server/datastore/mysql/operating_system_vulnerabilities_test.go b/server/datastore/mysql/operating_system_vulnerabilities_test.go
index 0b477091cb..ee7a82624e 100644
--- a/server/datastore/mysql/operating_system_vulnerabilities_test.go
+++ b/server/datastore/mysql/operating_system_vulnerabilities_test.go
@@ -239,6 +239,9 @@ func testInsertOSVulnerability(t *testing.T, ds *Datastore) {
 	require.NoError(t, err)
 	assert.True(t, didInsertOrUpdate)
 
+	// make sure updated_at doesn't change on the next upsert call, as fields won't change
+	time.Sleep(1 * time.Second)
+
 	// Inserting the exact same vulnerability again should not insert and not update
 	didInsertOrUpdate, err = ds.InsertOSVulnerability(ctx, vulnsUpdate, fleet.MSRCSource)
 	require.NoError(t, err)