0

March 2018 Exchange Security Updates–Have You Updated?

Patch Tuesday this month featured updates to address security issues in Exchange 2010, 2013 and 2016.   Tuesday the 13th heralded the arrival of Rollup Update Rollup 20 (RU20) for Exchange Server 2010 Service Pack 3 along with updates for Exchange 2013 and 2016.

Exchange 2010 SP3 RU20 is the latest rollup of customer fixes currently available for Exchange Server 2010.  All updates, both security and product fixes, are delivered via a RU for Exchange 2010.  This means that if you want to install a security fix for Exchange 2010 you must install it via a RU.

Exchange 2013 and 2016 have a different servicing strategy, where security updates can be decoupled from the regular product updates.  Exchange 2013 and 2016 utilise Cumulative Updates (CUs) rather than the Rollup Updates (RU/UR) which were used previously.

For a reference point Exchange 2013 CU18 and Exchange 2013 CU19 were released in September 2017 and December 2017.  Exchange 2016 CU7 and Exchange 2016 CU8 were released on the same timeline.

Security updates were released for Exchange 2010, 2013 and Exchange 2016.  The released updates are covered in KB 4073392.  In addition the Microsoft Security Update Guide also provides a mechanism to search and filter on security updates.  Filtering the March 2018 Exchange updates in the Microsoft Security Update Guide shows the below:

Security Update Guide - March 2018 Exchange Updates

Drilling into the table shows that updates are available for all supported versions of Exchange.  Exchange 2007 exited out of extended support in April 2017, thus is not listed in the table.

It is worth reviewing the different versions of Exchange to note how the security fixes are delivered and thus how they are to be applied.

Exchange 2010

Exchange 2010 is serviced by releasing a new Rollup Update (RU).   These security fixes are delivered in Exchange 2010 SP3 RU20.

Download Exchange 2010 SP3 RU20

Please see the installation notes at the bottom of this post.  There are also known issues listed in KB 4073537.

Exchange 2013

Separate security updates are available for Exchange 2013 SP1 (CU4), CU18 and CU19.  If you are running one of these CUs, then you can download and install the security update from KB 4073392.  In reality though CU4 is a very dated release and you really should be on a current build of Exchange.

Exchange 2013 CU19 Security Update

Exchange 2013 CU20 already includes these security fixes.

For all other Exchange 2013 CUs the security update is not available.  In order to apply the security update then you must update to a current CU.

Exchange 2016

A separate security update is available for Exchange 2016 CU7 and CU8.  If you are running one of these CUs, then you can download and install the security update from KB 4073392.

Exchange 2016 CU9 Security Update

Exchange 2016 CU9 already includes these security fixes.

For all other Exchange 2016 CUs the security update is not available.  In order to apply the update then you must update to a current CU.

Cheers,

Rhoderick

Rhoderick Milne [MSFT]

Leave a Reply

Your email address will not be published. Required fields are marked *