Three months after Exchange 2013 CU8 appeared, Microsoft provides us with cumulative update 9 (CU9). New roll-up updates are also available for Exchange 2010 SP3 and Exchange 2007 SP3. I guess we have become accustomed to the pace and cadence of Microsoft's update schedule as everyone seems pretty calm and collected about these releases. Which is how it should be, considering we are almost three years into the Exchange 2013 lifecycle.
It’s a sad but true fact that all computer software loses some of its “edginess” as its lifecycle progresses. When a “boring” update because it included no major new functionality. On the other hand, CU8 exhibited none of the obvious problems in areas like coexistence and hybrid connectivity that had afflicted previous updates.CU8 appeared on March 17, I called it
Now we have Exchange 2013 CU9 (download here) and it’s much of the same, perhaps because the attention of the developers is now firmly fixed on Exchange 2016, or possibly to boost the relative weak line-up of new features scheduled to appear when the new version is available (probably in October 2015). For the remainder of its lifecycle, the horizon for Exchange 2013 seems to be limited to a series of perfectly acceptable and useful bug fixes with little coming in terms of new features. That’s what you’d expect for software which is nearly 3 years old, especially so when Exchange traces its ancestry back almost 20 years at this point. That being said, the return of Kerberos authentication for IMAP4 will please those who use IMAP4 clients.
As I’ve noted before, the information Microsoft released at Ignite created a firm impression that Exchange 2016 is just the next service pack for Exchange 2013. Sure, some nice technology is transferring into Exchange 2016 from Microsoft’s experience of running Exchange Online at massive scale, but Exchange 2016 exhibits none of the dramatic change that we experienced in Exchange 2010 or Exchange 2013. I guess we shall see in October.
Coming back to Exchange 2013 CU9, this release addresses the problem described in security bulletin MS15-064, so a more pressing requirement exists to push CU9 along into production. In saying this, I note that some people have experienced problems when applying the patches for MS15-064 on their Exchange 2013 servers (as evident in this forum post).
Installing CU9 is a quick and easy process and hasn’t caused me any problems on any servers that I have upgraded. But please don’t push too fast as experience teaches us what happens when software is deployed with insufficient testing. Pain, torment, worry, and so on.
In line with its support policy, following the publication of MS15-064 on June 9, Microsoft also released security updates for Exchange 2013 SP1 and Exchange 2013 CU8. Following the release of CU9, these are the versions that Microsoft supports, which is why the security patches are available for them and not for Exchange 2013 CU5, CU6, or CU7. Both fixes are covered by Knowledge Base article KB3062157, which explains that the issues are:
- An information disclosure vulnerability exists in Exchange web applications when Exchange does not correctly manage same-origin policy. This security update addresses the vulnerability by changing how Exchange web applications manage same-origin policy.
- An elevation of privilege vulnerability exists in Exchange web applications when Exchange does not correctly manage user sessions. This security update addresses the vulnerability by changing how Exchange web applications manage user session authentication.
- An information-disclosure vulnerability exists in Exchange web applications when Exchange does not correctly sanitize HTML strings. This security update addresses the vulnerability by correcting how Exchange web applications sanitize HTML strings (CU8 only)
A selection of bugs fixed in Exchange 2013 CU9 is shown below. Not many of these will cause the pulse to quicken. Note that there might be a short delay before the actual KB articles appear online.
- KB2023946 Web beacons can still be downloaded
- KB2988660 RBAC role assignment with custom write scope can fail
- KB3003978 Outlook messages can be displayed in an incorrect format
- KB3006849 Kerberos authentication not supported for IMAP4 clients
- KB3009631 Advanced find doesn’t work against the Sent Items folder
- KB3032153 Recurring events not adjusted for ActiveSync devices
- KB3049771 OWA login page takes longer than expected to time out
- KB3050825 Edge Transport crashes when PrioryQueueEnabled is set
- KB3050877 Sent As mail not saved in delegate mailbox
- KB3056045 Get-Contact doesn’t work for contacts from consumer domains
- KB3056817 Adding the “Let me select the message” feature for OWA
- KB3060825 Delivery service crashes when delivering message to a specific user
- KB3064393 Exchange doesn’t support IMAP4 ID and MOVE
- KB3068681 Upgrading server causes RPCClientAccess to set EncryptionRequired to True even if set to false.
Microsoft has also released updates for Exchange 2010 SP3 (RU10 – KB 3049853) and Exchange 2007 SP3 (RU17 – KB3056710). Of course, unlike Exchange 2013 cumulative updates which are essentially new versions of the product that can be installed onto a server to bring it totally up to spec, you have to remove any interim updates that might have been installed and then patch Exchange 2010 servers.
A selection of the bugs fixed in Exchange 2010 SP3 RU10 is shown below. Two of these are serious enough as moving mailboxes is pretty important and you don't want users losing access to archive mailboxes.
- KB3057422 Exchange 2010 SP3 RU8v2 is unable to move mailboxes
- KB3055764 Address book service crashes
- KB3054644 Can’t access an archive mailbox with OWA
- KB2964344 RPC service stops working intermittently
While Exchange 2007 RU17 boasts just one fix:
- KB3057222 Unable to open digitally signed NDR messages after applying RU15
Three months from now we’ll be in September and be expecting Exchange 2013 CU10. I wonder whether it will be as exciting as CU9?
Follow Tony @12Knocksinna