Deploying Exchange Server 2013 : Understanding cumulative updates and service packs

With Exchange Server 2013, Microsoft decided to deliver routine product updates and security updates separately. Under this servicing model, routine product updates are delivered periodically as a single, cumulative update, and security updates are delivered separately. While this allows you to install security updates as they are released without having to install a cumulative update, cumulative updates themselves will contain security updates. As with earlier releases of service packs in Exchange Server, cumulative updates are delivered as full product updates and installed as upgrades.

To better align on-premises Exchange and Exchange Online, Microsoft tries to release cumulative updates on a fixed schedule and applies cumulative updates to their hosted Exchange servers prior to official release. Thus, when an update is released you know it has been applied to all Exchange Online servers and all of the mailboxes stored in the cloud.

Cumulative updates more closely resemble service packs than rollup updates. Not only may cumulative updates contain hotfixes and security updates, they may also contain new features, product enhancements, and other changes that affect the way the product works. While language modifications were previously limited to Service Pack releases, cumulative updates may contain updates to language resources. A cumulative update also may contain Active Directory schema updates. If so, the schema changes will be additive and backward compatible with previous release and product versions.

Every cumulative update and service pack is a full release of the product. This means, you install cumulative updates and service packs as product upgrades and that each update package will be larger than the previous product or update package. Because you install cumulative updates and service packs as upgrades, any customizations you’ve made to Exchange Server (using web.config files on Client Access servers, EdgeTransport.exe.config files on Mailbox servers, registry changes, or other custom configuration options on servers) are not preserved. This means you will lose any customizations. To prevent this, you must save your customizations and then re-apply them after applying a cumulative update or service pack.

In the unlikely event that the upgrade fails and is unrecoverable, you will need to re-install Exchange Server. This re-installation process will create a new server object and should not result in the loss of mailbox or queue data. However, you will need to re-seed or re-attach existing databases after the re-installation process.

You apply cumulative updates and service packs using Exchange Server Setup. Because each cumulative update and service pack is a new build of Exchange Server 2013, you don’t need to apply cumulative updates or service packs in sequence. You can apply the latest cumulative update or service pack at any time. For example, if you deployed Exchange Server 2013 RTM but didn’t upgrade to Exchange Server Cumulative Update 1, you could upgrade the original installation directly to Exchange Server Cumulative Update 2.

In a Database Availability Group configuration, all servers should be running the same cumulative update or service pack of Exchange Server 2013—except during an upgrade. During an upgrade, individual servers within a Database Availability Group can have different cumulative update or service pack versions. This mixed state is expected to be only temporary. Database Availability Group should not operate in a mixed state for long periods of time.

Similarly, all servers in a Client Access array should be running the same cumulative update or service pack of Exchange Server 2013—except during an upgrade. During an upgrade, individual servers within a Client Access array can have different cumulative update or service pack versions. Again, this mixed state is expected to be temporary.

Cumulative updates and service packs are published at the Microsoft Download Center. Because staying current with cumulative updates and service packs may present a special challenge for some Exchange installations, it is important to note that cumulative updates are supported only for three months after the release of the subsequent cumulative update. With Microsoft’s goal of delivering cumulative updates quarterly, this typically means that a prior cumulative update is supported for about six months.

Versioning with Exchange Server 2013 gets a little tricky. This is because Exchange Server can have both service packs and cumulative updates for those service packs. To differentiate between versions, Microsoft references both the Exchange Server version and the cumulative update.

The official release of Exchange Server 2013 is referred to as Exchange Server 2013 RTM. Cumulative updates for this release are referred to using the full release name plus the cumulative update number. Thus, Exchange Server 2013 RTM with Cumulative Update 1 is referred to as Exchange Server 2013 RTM CU1.

As Microsoft releases service packs for Exchange Server 2013, those service packs will be full product rollups that include prior cumulative updates of the product. Cumulative updates for Exchange Server 2013 with specific service packs will be released as well. In this instance, cumulative updates are referred to using the full release name, the service pack name, and the cumulative update number. Thus, Exchange Server 2013 SP1 with Cumulative Update 1 is referred to as Exchange Server 2013 SP1 CU1.

Keep in mind the version of Exchange Server is updated when you install a cumulative update, a service pack, or both. This means that one way to determine what cumulative update, service pack, or both is applied is to check the version number of an Exchange server. The build number for Exchange 2013 RTM is 516.32; the build number for Exchange 2013 RTM Cumulative Update 1 is 620.29; the build number for Exchange 2013 RTM Cumulative Update 2 is 712.22, and so on.

Get-ExchangeServer | select name, serverrole, admin*

The servicing model changes the way security updates are released as well. For Exchange Server 2013, security updates are designated for a specific cumulative update and contain all of the fixes available at the time of release in a single update package. Thus, to ensure a server has the most recent security fixes, you need to apply only the most recently released security update for a specific cumulative update. For example, if you are using Exchange Server 2013 with CU2, you ensure a server has the most recent security fixes by applying the most recent security update for CU2.

As cumulative updates themselves contain security updates, you need to apply only security updates that have been released after a specified cumulative update. Thus, if for some reason you didn’t apply security updates for Exchange Server 2013 CU1 and have now upgraded to Exchange Server 2013 CU2, you don’t need to apply any of the security updates that are specific to Exchange Server 2013 CU1 (or Exchange Server 2013 RTM).

Security updates for Exchange Server 2013 are available via Microsoft Update and are published at the Microsoft Download Center. Finally, it is important to point out that security updates released for a particular cumulative update will not need to be uninstalled before moving to the next cumulative update.

New service packs for Exchange 2013 will include all the prior cumulative updates and security updates. Thus, when you install Exchange 2013 Service Pack 1, you don’t also need to install any prior cumulative updates and security updates.