Exchange Server update FAQ

Overview

It's very important to keep updating your on-premises Exchange Servers to a supported state. Your on-premises environments should always be ready to take an emergency security update (this applies to Exchange, Windows, and any other products you use on-premises). With the threat landscape rapidly evolving, the importance of keeping your environment current shouldn't be underestimated.

Keep your Exchange Servers up to date. We want to continue helping you keep your environment secure, and this means your Exchange servers need to be up to date. This is a continuous process.

Exchange Server update types and release schedule

There are three types of updates that Microsoft might release for Exchange Server:

| Update type | Frequency of release | Exchange requirement | Contains |
|---|---|---|---|
| Cumulative Update (CU) | Twice a year (no specific dates). | Exchange must be in Mainstream support. | Cumulative. Contains fixes from all previously released updates. |
| Security Update (SU) | When needed. Released typically on Microsoft 'Patch Tuesday' – second Tuesday of every month (unless emergency release). | Exchange must be in at least Extended support. Released for last CU only (if Exchange is in Extended support) or for last two CUs (if Exchange is in Mainstream support). | Cumulative. Contains all security updates since the CU it applies to was released. |
| Hotfix Update (HU) | Released only if feature updates are needed faster than CU releases. | Exchange must be in Mainstream support. | The feature update applies only to the CU it's released for. |

Update best practices

This process assumes that your Exchange Server is still supported:

Q&A

We have prepared a set of questions and answers that cover what we hear most often about Exchange updates.

We updated our Exchange Servers a few months ago! How come they're 'not supported' today?

For versions of Exchange that are within mainstream support (see product lifecycle), Microsoft supports (releases relevant security fixes for) the two latest CUs. Sometimes the latest two CUs are referred to as "N and N-1". As a current example, if the latest released CU is CU12 ('N'), and the server version is Exchange Server 2019, then Microsoft at this time supports two Exchange Server 2019 CUs, N and N-1 (CU12 and CU11). When CU13 is released, the "supported CU window" will slide toward the newly released CU13 (and what used to be the N-1 supported CU, CU11, will become unsupported).

Why does Microsoft release updates so often?

It's good that updates are released when issues are found. Microsoft (and other software publishers) release updates only when they're needed. CUs typically contain resolutions to feature problems that were reported to us by our customers (and can contain security updates from previous SUs) and are released twice a year (in H1 and H2). SUs are released only when actual security issues are found and fixed, and are typically released on a 'patch Tuesday'. Here's an example of what a typical release flow for two CUs and two SUs might look like:

  • On a particular month (let's say March), we might release CU4; CU4 is cumulative and will include fixes and updates from before.
  • A month later we release CU4 SU1, a security update for CU4.
  • In July we then release CU4 SU2, an additional security update for CU4. CU4 SU2 includes updates released in CU4 SU1 also.
  • In September we release CU5, which will contain all updates released up to that point.

Our Exchange Servers are working as expected, why update them?

Keeping Exchange Server current allows you to ensure that it keeps working without major interruptions to functionality and helps ensure your company data is safer. Investing time into Exchange Server maintenance (on your planned schedule) gives you the long-term benefit of a well-running system, with code that is as protected from vulnerabilities as possible.

How can we update Exchange Server when (insert 3rd party application name here) doesn't support the latest supported Exchange Server CUs?

Work with your 3rd party vendor to bring their software current in a timely manner. Consider that your Exchange environment contains a great deal of valuable company directory and messaging information. Your priority should be to keep your environment as secure as possible.

How can we stay current when we're a 24x7 business and have no time to take down our servers for maintenance?

Many customers require Exchange Server to work 24x7. In fact, our update process is designed for these high-demand businesses. You should use Database Availability Groups (DAGs) and put servers that you're updating in Maintenance mode to enable a graceful and non-disruptive update process for your users. See Performing maintenance on DAG members for more information.

If we're in Hybrid mode and don't actively use our on-premises Exchange Server, do we still need to stay current?

Even if you're only using Exchange Server on-premises to manage Exchange-related objects, you need to keep the server current. The Hybrid Configuration Wizard (HCW) doesn't need to be re-run after updates are installed.

We looked at recent security update releases and the Common Vulnerabilities and Exposures (CVE) severity wasn't high; why update?

Microsoft recommends that you apply all available security updates because it can be difficult to understand how even lower severity vulnerabilities disclosed in one month might interact with vulnerabilities disclosed and fixed a month later. For example, an attack might be able to trigger only specific low-impact functionality on a remote target machine and nothing else, so the CVE is scored low that month. In the following month, an important issue with that same functionality could be discovered, but it might be triggerable only locally and require significant user interaction, so on its own it also isn't scored highly. But if your software is behind in updates, these two issues could combine into an attack chain that scores at critical levels.

We applied mitigations for a recent security vulnerability. Why should we install (later released) updates for those same vulnerabilities?

Mitigations are a temporary form of protection that should be used until the actual code fix is released. Because mitigations don't address the actual vulnerability that is present in the code, they can (and sometimes do) get bypassed by threat actors attacking systems that are still vulnerable. Microsoft recommends installing the code fix for any vulnerability as soon as it's available. Mitigations shouldn't be considered a long-term solution to vulnerable code.

We find it difficult to update because Active Directory (AD) schema extensions and Exchange installations require different teams to take action.

In cases where different teams need to perform separate actions to prepare for the installation of Exchange Cumulative Updates (because those might require an AD schema extension), we recommend that you request the schema changes as soon as we release a new CU that requires them. Even if you don't need to update to the latest CU (because the last two CUs are supported for Exchange versions that are still within their support lifetime), having the Active Directory schema up to date means that if you do find that you need to install the latest CU, the AD schema is already prepared. We release CUs twice a year, and not all of them require AD schema updates. You can track this here for Exchange Server 2016 and here for Exchange Server 2019.

We installed a previous CU on our server and then applied available SUs. We updated our server to the latest CU available. Do we need to apply the already released SU for the latest CU too?

After a new CU is installed on the server, you always need to install the latest SUs available for that CU. Let us walk through a hypothetical Exchange Server 2019 scenario of this:

  • In May, you installed CU9 (the latest available CU at the time) and all available SUs for CU9
  • In June, we released CU10 for Exchange Server 2019
  • In July, we released SUs that apply to both CU9 and CU10
  • In July, you installed the July SU on your Exchange 2019 CU9 server
  • In August, you installed CU10 (the latest available CU in July)
  • You now need to apply the latest SU that is available for Exchange Server 2019 CU10

We installed an SU for the current CU last month. This month, a new SU is available for the same CU. Do we need to uninstall last month's SU before installing a newer one for the same CU?

No, uninstalling last month's SU isn't necessary. Install this month's SU as it becomes available. The newer SU contains last month's SU security fixes too.

SUs are always CU specific. In other words, installing a later CU requires that any SU available for that CU also be installed, even if the SUs for the latest and the previous CU were released on the same day. If there are SUs for the CU your server is running, you should install the latest one. SUs are typically 'rolled into the CU' at the next subsequent CU release.

We skipped a few SUs and want to bring Exchange fully up to date to the latest SU. Do we need to install all the SUs in order to get to the latest?

Because SUs are cumulative "since the CU they're applicable to", you only need to install the latest SU. This gives you all of the security fixes released since the CU was released.
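The rules spread across the answers above (N and N-1 are supported in Mainstream support, SUs are cumulative per CU, a new CU always needs its own latest SU, and skipped SUs don't have to be installed in order) are easy to state but easy to get wrong when planning maintenance. The following Python model is an added example, not code from this article or from Microsoft; the release calendar, dates and update names in it are constructed to mirror the hypothetical Exchange Server 2019 CU9/CU10 scenario in the text, and `update_plan` is a hypothetical helper, not a Microsoft tool. It computes the supported CU window for a given date and the shortest list of installs that brings a server to a current state.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Release:
    """One published Exchange update (constructed model, not Microsoft's data)."""
    kind: str        # "CU" or "SU"
    cu: int          # the CU number (for a CU) or the CU it applies to (for an SU)
    released: date
    name: str


# Constructed calendar mirroring the hypothetical flow in the text: CU9 in March,
# a May SU for CU9, CU10 in June, and July SUs for both CU9 and CU10.
CALENDAR = [
    Release("CU", 8, date(2020, 12, 15), "CU8"),
    Release("CU", 9, date(2021, 3, 16), "CU9"),
    Release("SU", 9, date(2021, 5, 11), "CU9 May SU"),
    Release("CU", 10, date(2021, 6, 29), "CU10"),
    Release("SU", 9, date(2021, 7, 13), "CU9 July SU"),
    Release("SU", 10, date(2021, 7, 13), "CU10 July SU"),
]


def supported_cus(calendar, today, phase="mainstream"):
    """N and N-1 are supported in Mainstream support; only N in Extended support."""
    cus = sorted({r.cu for r in calendar if r.kind == "CU" and r.released <= today})
    window = 2 if phase == "mainstream" else 1
    return cus[-window:]


def latest_su(calendar, cu, today):
    """SUs are cumulative per CU, so only the newest SU for that CU matters."""
    sus = [r for r in calendar if r.kind == "SU" and r.cu == cu and r.released <= today]
    return max(sus, key=lambda r: r.released) if sus else None


def update_plan(calendar, today, installed_cu, installed_su=None, phase="mainstream"):
    """Return (supported, actions).

    supported: whether the installed CU is inside the currency window.
    actions:   the shortest list of installs needed to be fully current.
    """
    window = supported_cus(calendar, today, phase)
    actions = []
    if installed_cu in window:
        su = latest_su(calendar, installed_cu, today)
        # No uninstall of an older SU and no intermediate SUs: the newest one only.
        if su and su.name != installed_su:
            actions.append(f"install {su.name}")
        return True, actions
    # Outside the window: move to the latest CU, then apply that CU's own latest
    # SU. An SU installed on the old CU does not carry over to the new CU.
    target_cu = window[-1]
    actions.append(f"install CU{target_cu}")
    su = latest_su(calendar, target_cu, today)
    if su:
        actions.append(f"install {su.name}")
    return False, actions


if __name__ == "__main__":
    today = date(2021, 8, 20)
    for cu, su in [(10, None), (9, "CU9 May SU"), (8, None)]:
        print(f"CU{cu} with SU {su!r}:", update_plan(CALENDAR, today, cu, su))
```

Run on the August date from the text, the model reports that a freshly upgraded CU10 server is supported but still needs the CU10 July SU, a CU9 server on the May SU is supported (N-1) and needs only the July SU, and a CU8 server is unsupported and needs CU10 followed by the CU10 July SU.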

Did Microsoft change how often Exchange CUs are released?

Yes, starting with the 2022 H1 Cumulative Updates, we have moved to a release cadence of two CUs per year, releasing in H1 and H2 of each calendar year, with general target release dates of March and September. But our release dates are driven by quality, so we might release updates in April or October, or some other month, depending on what we're delivering. With these service model changes, being current still means running the latest CU or the one immediately preceding it (N or N-1), but the 'currency window' is now extended from 6 months to 1 year.

Do we need to install SUs on all Exchange Servers within our organization? What about 'Management Tools only' machines?

Our recommendation is to install Security Updates on all Exchange Servers and on any servers or workstations running only the Exchange Management Tools; this ensures that there's no incompatibility between management tools clients and servers. If you're trying to update the Exchange Management Tools in an environment with no running Exchange servers, see this.

We installed current CU and SU releases and are fully up to date. Is there anything else that we should do?

Depending on the particular environment, addressing certain vulnerabilities might require extra actions to be performed by the Exchange administrator. To make sure that you have performed all of the actions necessary after the relevant Security Updates were installed, run the Exchange Server Health Checker script. Also ensure that you update the Windows operating system that Exchange Server is running on, as vulnerabilities in the OS can be used as part of an attack chain too.