Exchange 2013 patches and affected software table


  • Hi.
    Can anyone explain/confirm how is it with patches for Exchange? There has been published new security bulletin MS17-015 with Security Update for Exchange server 4013242.

    In Affected SW table are listed only Ex2013 SP1 + Ex2013 CU14 (latest)  + Ex2016.

    We are using Ex2013 CU12 for now, because we decided to skip CU13 (with its issues) and CU14 didn't deploy yet.
    I have read the supported SW paragraph and I know that MS supports two product version into past, so that Ex2016 + Ex2013 and Ex2010 (Ex2007 which support ends in days).

    But how is it with those interim updates/fixes? Does the 2 versions rule applies also for internal CU versioning or not?
    1. we need to update our servers to CU and install newest patch because it can be installed only to SP1 or CU14
    2. or our Ex2013 CU12 is not affected by this vulnerability?

    Is anyone here, who know this answer?


    Monday, March 20, 2017 12:53 PM

All replies

  • My understanding is that CU14 and all lower CUs would be affected and installing CU15 would also apply the patch in question, so why not just do that?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, March 20, 2017 10:50 PM
  • Hello Dan,

    This security update is suitable for Exchange server 2013 SP1, Exchange server 2013 CU14, or Exchange 2016 CU3. It's fine for Exchange 2013 CU15, and you don't need install this update.

    Best Regards,

    Allen Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Tuesday, March 21, 2017 7:12 AM