diff --git a/ci-tools/update-production b/ci-tools/update-production
old mode 100644
new mode 100755
index e7cd557fbc9235ae7e548331ed2f0dc3ca821673..695a7c08191ebd7ba9d2575eca7f7220a995efd6
--- a/ci-tools/update-production
+++ b/ci-tools/update-production
@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p git curl
+#!nix-shell -i bash -p git curl python3
 
 set -eux -o pipefail
 
@@ -18,7 +18,7 @@ main() {
     # If there have been no changes we'll just abandon this update.
     ensure_changes "$SOURCE_BRANCH" "$TARGET_BRANCH"
 
-    local NOTES=$(compute_notes_diff "$SOURCE_BRANCH" "$TARGET_BRANCH")
+    local NOTES=$(describe_update "$SOURCE_BRANCH" "$TARGET_BRANCH")
 
     create_merge_request "$TOKEN" "$SERVER_URL" "$PROJECT_ID" "$SOURCE_BRANCH" "$TARGET_BRANCH" "$NOTES"
 }
@@ -35,13 +35,36 @@ ensure_changes() {
     fi
 }
 
-compute_notes_diff() {
+describe_update() {
     local SOURCE_BRANCH=$1
     shift
     local TARGET_BRANCH=$1
     shift
 
-    git diff origin/"$SOURCE_BRANCH"...origin/"$TARGET_BRANCH" -- DEPLOYMENT-NOTES.rst
+    local NOTES=$(git diff origin/"$TARGET_BRANCH"...origin/"$SOURCE_BRANCH" -- DEPLOYMENT-NOTES.rst)
+
+    # There often are no notes and that makes for boring reading so toss in a
+    # diffstat as well.
+    local DIFFSTAT=$(git diff --stat origin/"$TARGET_BRANCH"...origin/"$SOURCE_BRANCH")
+
+    local WHEN=$(git log --max-count=1 --format='%cI' origin/"$TARGET_BRANCH")
+
+    echo "\
+Changes from $SOURCE_BRANCH since $WHEN
+=======================================
+
+Deployment Notes
+----------------
+\`\`\`
+$NOTES
+\`\`\`
+
+Diff Stat
+---------
+\`\`\`
+$DIFFSTAT
+\`\`\`
+"
 }
 
 create_merge_request() {
@@ -68,7 +91,7 @@ print(json.dumps({
     "target_branch": sys.argv[3],
     "remove_source_branch": True,
     "title": f"update {sys.argv[3]}",
-    "description": f"```diff\n{sys.argv[4]}\n```",
+    "description": sys.argv[4],
 }))
 ' "$PROJECT_ID" "$SOURCE_BRANCH" "$TARGET_BRANCH" "$NOTES")
 
@@ -78,10 +101,12 @@ print(json.dumps({
 # Pull the GitLab token from the environment here so we can work with them as
 # arguments everywhere else.  They're passed to us in the environment because
 # *maybe* this is *slightly* safer than passing them in argv.
-TOKEN="$UPDATE_PRODUCTION_PRIVATE_TOKEN"
+#
+# The name is slightly weird because it is shared with the update-nixpkgs job.
+TOKEN="$UPDATE_NIXPKGS_PRIVATE_TOKEN"
 
 # Before proceeding, remove the secrets from our environment so we don't pass
 # them to child processes - none of which need them.
-unset UPDATE_PRODUCTION_PRIVATE_TOKEN
+unset UPDATE_NIXPKGS_PRIVATE_TOKEN
 
 main "$TOKEN" "$@"