March 2018 Exchange Security Updates–Have You Updated?
Patch Tuesday this month featured updates to address security issues in Exchange 2010, 2013 and 2016. Tuesday the 13th heralded the arrival of Rollup Update Rollup 20 (RU20) for Exchange Server 2010 Service Pack 3 along with updates for Exchange 2013 and 2016.
Exchange 2010 SP3 RU20 is the latest rollup of customer fixes currently available for Exchange Server 2010. All updates, both security and product fixes, are delivered via a RU for Exchange 2010. This means that if you want to install a security fix for Exchange 2010 you must install it via a RU.
Exchange 2013 and 2016 have a different servicing strategy, where security updates can be decoupled from the regular product updates. Exchange 2013 and 2016 utilise Cumulative Updates (CUs) rather than the Rollup Updates (RU/UR) which were used previously.
Security updates were released for Exchange 2010, 2013 and Exchange 2016. The released updates are covered in KB 4073392. In addition the Microsoft Security Update Guide also provides a mechanism to search and filter on security updates. Filtering the March 2018 Exchange updates in the Microsoft Security Update Guide shows the below:
Drilling into the table shows that updates are available for all supported versions of Exchange. Exchange 2007 exited out of extended support in April 2017, thus is not listed in the table.
It is worth reviewing the different versions of Exchange to note how the security fixes are delivered and thus how they are to be applied.
Exchange 2010 is serviced by releasing a new Rollup Update (RU). These security fixes are delivered in Exchange 2010 SP3 RU20.
Separate security updates are available for Exchange 2013 SP1 (CU4), CU18 and CU19. If you are running one of these CUs, then you can download and install the security update from KB 4073392. In reality though CU4 is a very dated release and you really should be on a current build of Exchange.
Exchange 2013 CU20 already includes these security fixes.
For all other Exchange 2013 CUs the security update is not available. In order to apply the security update then you must update to a current CU.
A separate security update is available for Exchange 2016 CU7 and CU8. If you are running one of these CUs, then you can download and install the security update from KB 4073392.
Exchange 2016 CU9 already includes these security fixes.
For all other Exchange 2016 CUs the security update is not available. In order to apply the update then you must update to a current CU.