The Microsoft Exchange Team has announced new update releases for all current versions of Exchange Server. The updates include:
- Exchange Server 2013 Cumulative Update 7
- Exchange Server 2010 SP3 Update Rollup 8 (re-released with a fix for the bug that occurred)
- Exchange Server 2007 SP3 Update Rollup 15
Also included are UM Language Packs for Exchange 2013 CU7.
Important Security Update MS14-075
Included in these update releases is the fix for MS14-075, which resolves four vulnerabilities relating to Outlook Web App, the worst of which could allow elevation of privilege.
The fix is included with Exchange 2010 SP3 UR8 and Exchange 2007 SP3 UR15, and is available as a standalone security update for Exchange 2013 SP1 and Exchange 2013 CU6.
The fix is not provided for any other versions of Exchange Server which may be vulnerable, as they are unsupported.
Improvements in Exchange Server 2013 Cumulative Update 7
Microsoft calls out the following improvements in CU7 for Exchange 2013:
Exchange Server 2013 Cumulative Update 7 includes updates which make migrating to Exchange Server 2013 easier. These include:
- Support for Public Folder Hierarchies in Exchange Server 2013 which contain 250,000 public folders
- Improved support for OAB distribution in large Exchange Server 2013 environments
Customers with Public Folders deployed in an environment where multiple Exchange versions co-exist will want to read Brian Day’s post for additional information.
Improvements in Backup for Exchange Server 2013
CU7 also included a minor improvement (what we might also consider a bug fix) in the area of backup. In Microsoft’s words:
We encourage all customers who back up their Exchange databases to upgrade to Cumulative Update 7 as soon as possible and complete a full backup once the upgrade has been completed. These improvements remove potential challenges restoring a previously backed up database.
This sounds a bit scary (nobody wants to hear that their backups may be unusable for restores) but Microsoft assures us that the condition they are referring to is an edge case only, identified in internal testing, and has not been known to impact production customers.
Obviously you should still follow their advice and take a full backup after your CU7 deployment.
Deploying the Latest Exchange Server Updates
For Exchange Server 2013:
For Exchange Server 2010:
- How to Install Updates on Exchange Server 2010 Database Availability Groups
- How to Install Updates on Exchange Server 2010 CAS Arrays
Recommendations and Known Issues
I frequently receive questions about whether to wait or deploy when new updates are released. My general rule is to wait two weeks to allow time for testing and reviewing any real-world feedback from others, unless circumstances require an urgent deployment (e.g. for critical security or bug fixes).
- Exchange Server 2013 environments – Important security update should be reviewed. Backup issue should be taken seriously if no restore tests have been performed in your environment previously.
- Exchange Server 2013/Office 365 Hybrid – Refer to notes above for Exchange 2013 concerns. Office 365 Hybrid customers are required to deploy the most current CU release on-premises.
- Exchange Server 2010 environments – Important security update should be reviewed. Ensure you have the correct version, as this update was withdrawn then re-released. The updated RU8 package is version number 14.03.0224.002.
- Exchange Server 2007 environments – too early to tell. Important security update should be reviewed. Recent update quality has been good. Test and deploy.
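One way to confirm the Exchange 2010 item above across several servers, as an added example that is not from the original article: it reads the ExSetup.exe file version on each server and compares it with the re-released RU8 build number quoted above. The function name and server names are hypothetical, and it assumes PowerShell remoting is enabled on the Exchange servers.

```powershell
# Added example, not from the article. Server names are placeholders.
# Build of the re-released Exchange 2010 SP3 RU8 package, as quoted in the article.
$RequiredBuild = [version]'14.03.0224.002'   # parses to 14.3.224.2

function Test-ExchangeRollupBuild {
    param(
        [Parameter(Mandatory = $true)] [string[]] $ComputerName,
        [Parameter(Mandatory = $true)] [version]  $MinimumBuild
    )
    foreach ($server in $ComputerName) {
        $installed = $null
        try {
            # Update rollups replace ExSetup.exe, so its file version shows the rollup build.
            $parts = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
                $exe = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
                $vi  = (Get-Item $exe -ErrorAction Stop).VersionInfo
                # Numeric parts avoid parsing a formatted version string.
                $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            }
            $installed = [version]($parts -join '.')

            if     ($installed -lt $MinimumBuild) { $status = 'Below required build' }
            elseif ($installed -eq $MinimumBuild) { $status = 'Re-released RU8' }
            else                                   { $status = 'Newer than RU8' }
        } catch {
            # Unreachable host, remoting disabled, or Exchange not installed there.
            $status = "Check failed: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            Server = $server; Installed = $installed; Required = $MinimumBuild; Status = $status
        }
    }
}

Test-ExchangeRollupBuild -ComputerName 'EX2010-01', 'EX2010-02' -MinimumBuild $RequiredBuild |
    Select-Object Server, Installed, Required, Status
```

A server reported as "Below required build" is either on an older rollup or does not have the re-released package, so it needs a closer look before the MS14-075 fix is considered deployed.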
I appreciate the help. That bug is the type of thing I was talking about. It looks like mine are all FrontendT’s except for the built in Client Proxy and Default.
I am going to go to 8 and skip the snapshots. Hopefully all goes well.
I have 2013 CU3 installed at my site. I went through a bunch of fun when I went from CU2 to CU3 because of the security patch that hoses everything. Since then I have been hesitant to update. Should I go from CU3 to CU8 or bridge the gap and go to CU6 first? I am going to take snapshots of the AD and Exchange Server, screenshots of all custom settings in ECP, and make sure I have a good backup. My schema changes are already in place since I set up CU2 to start with and I plan to use just the Setup.exe to do all the work for me.
Thanks for your help in advance.
Daniel
There’s no advantage to only going to CU6.
Snapshots are useless since you can’t use snapshots to recover these servers anyway.
Any server customizations are wiped by any CU, so you should always have those documented and if possible script them to re-apply them easily.
VMware snapshots that revert both the AD and Exchange back to an earlier date would not get me back to the state before upgrade?
I am going to have a good backup in place. If it were to fail my option would be to blow away Exchange and set it all back up using my copied ECP settings + mounting my copy of the database?
Could I just go to CU7 in that case and mount my CU3 database or would I have to go to CU3 and then upgrade again?
Any known gotchas that will fail the update like the CU2 security update bug?
Snapshots are not supported.
CU8 is the latest. There is no advantage to only going to CU7 at this time.
You should always review the release notes and the Exchange team blog posts for releases, and also the Technet forums, to look for any common issues being reported.
There is also this issue that has impacted some customers of mine:
https://www.practical365.com/exchange-server-2013-upgrade-fails-due-to-receive-connector-conflicts/
Can I update Cumulative Update 7 directly to Exchange server 2013 RTM? Schema Version 15137?
In our environment we are still in a freeze period; I will give feedback after the 12th of January, immediately after installing the update.
Yes I’m also wondering if this update will break anything. My boss wants me to install it, but I don’t want to lose my job 😉
It works OK on my Exchange servers.
Bill
Then you should test it.
Is the Cumulative Update 7 considered as “Stable”?
Thanks Paulk for your recent update. I hope the update won’t be recalled.
Hi,
Microsoft has released the updated version 2 of Exchange 2010 SP3 UR8.
http://www.microsoft.com/en-us/download/details.aspx?id=45225
Do you think it’s safe to start installing that now?
Regards,
Romany
Should I uninstall Rollup 8 for Exchange 2010? I have not seen any problems yet.
Bill
Yes. A new version will be re-released.