Patch Tuesday this month featured updates to address security issues in Exchange 2010, 2013 and 2016. Two weeks ago today, July 11th heralded the arrival of Rollup Update Rollup 18 (RU18) for Exchange Server 2010 Service Pack 3 along with updates for Exchange 2013 and 2016.
Exchange 2010 SP3 RU18 is the latest rollup of customer fixes currently available for Exchange Server 2010. All updates, both security and product fixes, are delivered via a RU for Exchange 2010. This means that if you want to install a security fix for Exchange 2010 you must install it via a RU.
Exchange 2013 and 2016 have a different servicing strategy, where security updates can be decoupled from the regular product updates. Exchange 2013 and 2016 utilise Cumulative Updates (CUs) rather than the Rollup Updates (RU/UR) which were used previously.
For a reference point Exchange 2013 CU17 and Exchange 2016 CU6 were previously released in June 2017.
Security updates were released for Exchange 2010, 2013 and Exchange 2016. The released updates are covered in KB 4018588. In addition the Microsoft Security Update Guide also provides a mechanism to search and filter on security updates. Filtering the July 2017 Exchange updates in the Microsoft Security Update Guide shows the below:
Drilling into the table shows that updates are available for all supported versions of Exchange. Exchange 2007 exited out of extended support in April 2017, thus is not listed in the table.
It is worth drilling into the different versions of Exchange to review how the security fixes are delivered and thus how they are to be applied.
Exchange 2010
Exchange 2010 is serviced by releasing a new Rollup Update (RU). These security fixes are delivered in Exchange 2010 SP3 RU18.
Please see the installation notes at the bottom of this post.
Exchange 2013
Separate security updates are available for Exchange 2013 SP1 (CU4) and Exchange 2013 CU16. If you are running one of these CUs then you can download and install the security update from KB 4018588. In reality though CU4 is a very dated release and you really should be on a current build of Exchange.
Exchange 2013 CU17 already includes these security fixes.
For all other Exchange 2013 CUs the security update is not available. In order to apply the security update then you must update to a current CU.
Exchange 2016
A separate security update is available for Exchange 2016 CU5. If you are running CU5 then you can download and install the security update from KB 4018588.
Exchange 2016 CU6 already includes these security fixes.
For all other Exchange 2016 CUs the security update is not available. In order to apply the update then you must update to a current CU.
Cheers,
Rhoderick