none
Exchange 2013 patches and affected software table

    Question

  • Hi.
    Can anyone explain/confirm how is it with patches for Exchange? There has been published new security bulletin MS17-015 with Security Update for Exchange server 4013242.

    In Affected SW table are listed only Ex2013 SP1 + Ex2013 CU14 (latest)  + Ex2016.

    We are using Ex2013 CU12 for now, because we decided to skip CU13 (with its issues) and CU14 didn't deploy yet.
    I have read the supported SW paragraph and I know that MS supports two product version into past, so that Ex2016 + Ex2013 and Ex2010 (Ex2007 which support ends in days).

    But how is it with those interim updates/fixes? Does the 2 versions rule applies also for internal CU versioning or not?
    Meaning
    1. we need to update our servers to CU and install newest patch because it can be installed only to SP1 or CU14
    2. or our Ex2013 CU12 is not affected by this vulnerability?

    Is anyone here, who know this answer?

    Thx
    Dan

    Monday, March 20, 2017 12:53 PM

Answers

  • Hi,

    As it mentions, this security update is rated Important for Microsoft Exchange Server 2013 Service Pack 1, Microsoft Exchange Server Cumulative Update 14, and Microsoft Exchange Server 2016 Cumulative Update 3.

    Thus, you can leave it with your CU12 Exchange server, and upgrade it to CU15.
    Anyway, it's fine to install this security update in CU12.

    Best Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 29, 2017 7:35 AM
    Moderator

All replies

  • My understanding is that CU14 and all lower CUs would be affected and installing CU15 would also apply the patch in question, so why not just do that?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, March 20, 2017 10:50 PM
    Moderator
  • Hello Dan,

    This security update is suitable for Exchange server 2013 SP1, Exchange server 2013 CU14, or Exchange 2016 CU3. It's fine for Exchange 2013 CU15, and you don't need install this update.

    Best Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 21, 2017 7:12 AM
    Moderator
  • @Dan,

    Do you need further assistance about this issue?
    If it fix, please help to mark the help reply as answer as appreciate.

    Best Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, March 27, 2017 6:11 AM
    Moderator
  • First of all thanks everyone for answers and sorry for my late reply. I didn't receive any email notification that someone replied here, strange.

    Secondly, I also think that CU12 (we are on) is affected. But I would like to be sure, because the environment is not small and installing just the patch is easier and faster. And if we are affected, then I must meet security rules (implementation timeline). If we are not affected then I can just continue with planning CU15 implementation.

    Tuesday, March 28, 2017 8:24 AM
  • Hi,

    As it mentions, this security update is rated Important for Microsoft Exchange Server 2013 Service Pack 1, Microsoft Exchange Server Cumulative Update 14, and Microsoft Exchange Server 2016 Cumulative Update 3.

    Thus, you can leave it with your CU12 Exchange server, and upgrade it to CU15.
    Anyway, it's fine to install this security update in CU12.

    Best Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 29, 2017 7:35 AM
    Moderator