Update Rollup 3 for Exchange Server 2007 SP1 and Update Rollup 7 for Exchange 2007 RTM have been released


EDIT 8/22/2008: We have updated the troubleshooting section.

Download information for Update Rollup 3 for Exchange 2007 SP1

The update is live at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=63E7F26C-92A8-4264-882D-F96B348C96AB&displaylang=en

Related KB article:
http://support.microsoft.com/?kbid=949870

Download information for Update Rollup 7 for Exchange 2007 RTM

The update is live at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=086A2A13-A1DE-4B1D-BD12-B148BFD2DAFA&displaylang=en

Related KB article:
http://support.microsoft.com/?kbid=953469

The above update Rollups will also be released to Microsoft update.

Fixes for security issue detailed in MS08-039

A security issue has been identified in Exchange Server 2007 as documented in http://www.microsoft.com/technet/security/bulletin/MS08-039.mspx.

  • Customers running Exchange Server 2007 RTM need to apply Update Rollup 7 for Exchange 2007 RTM to address the security issue.
  • Customers running Exchange Server 2007 SP1 need to apply Update Rollup 3 for Exchange 2007 SP1 to address the security issue.

Rollup installation troubleshooting

Seeing that those Rollups contain security fixes, we expect that a lot of people will be applying them. There are a few possible issues that we would like you to be aware of:

  • Exchange 2007 managed services might time out during certificate revocation checks
  • During the installation of the Rollup, you might encounter a message that you have to wait until the disk space calculation is completed. This message will clear by itself and then you will be able to proceed further. We will permanently resolve this in the future.
  • When installing a Rollup, we recommend you use the same account that you used to install Exchange Server. If you are using a different account, that account needs to have Local Administrator rights as well as rights to read Active Directory on Exchange object as well as server level (as the update needs to determine which roles are installed on the server). Not having required permissions can lead to OWA not being updated correctly and displaying a blank page after update has completed.
  • If you have modified the logon.aspx file, it will not be patched by the Update Rollup installer. As a result Outlook Web Access may not be updated correctly and it may display a blank page after the update has finished. In order to avoid this problem, rename the logon.aspx file before applying the update rollup. After you apply an update rollup package, you must re-create Outlook Web Access customization in logon.aspx.

Nino Bilic


Share this post :

Comments (69)
  1. Ed Haszard Morris says:

    Is Update Rollup 2 a prerequisite for this?

    To clarify, does Update Rollup 3 include the fixes from previous Update Rollups?

  2. Exchange says:

    Ed,

    Out rollups are cumulative. In case of RU3 for SP1, this is what we say on the download page:

    This is a cumulative update rollup and replaces the following:

    KB945684 Update Rollup 1 for Exchange Server 2007 Service Pack 1 (KB945684)

    KB948016 Update Rollup 2 for Exchange Server 2007 Service Pack 1 (KB948016)

  3. Robert says:

    Got bit by the time out bug I think – Transport Service would not start – uncool Microsoft – but at least it was a known issue.

  4. Robert says:

    Suggestion:  When the Exchange update/rollup finishes and turns back on all the services, if any fail to start (that were working prior), the rollup should advise the admin of such – I only realized the Transport Service failure after nags from my users.

  5. Nathan says:

    Do I have to remove All the previous Rollups before I install Rollup 7? It’s mentioned on all the info but I can’t even see the previous rollups listed under add/remove programs so how can I remove them first?

  6. Just like SP’s, you do not have to remove a rollup to install the newer rollup.

  7. Exchange says:

    Nathan – as Derek mentioned, you do not need to remove previous rollups, no…

    You might be confused by the wording that talks about "removing interim updates" though. An interim update is an update that we might release for things that we had support cases on and certain customers hitting this might contact us and get a fix for that single specific issue. So it is not a rollup, it is an "interim" fix that goes between rollups really. Those are what should be removed, not rollups. So unless you actually had an interim fix from us – don’t worry about it.

  8. Scott McNulty says:

    I wish I had read this before I applied the roll up! :)

    We are experiencing the third problem in your troubleshooting section.  Any ideas on how to fix this?  Should I uninstall and re-install the patch (using a different account of course)?

  9. Exchange says:

    Scott McNulty – yeah, that should do it…

  10. Steve says:

    With the rollup installed, we had the application pool crash constantly for the exchange directory under IIS. This was caused by Entourage users. We also got errors about EXPROX

    Because of the legacy way Entourage is connected, it requires basic authentication on the back and front end servers for the legacy connection. The hub/transport and mailstore servers complained about this withthe rollup installed. Setting Windows integrated did not solve the problem at all by the way, infact it broke Entourage.

    The only way to solve this was to back out the rollup.

    I hope a fix is done or webdav is finally retired from Entourage once and for all.

  11. Exchange says:

    Steve,

    If possible, please open a support case on this! I do not think we have seen this yet… If it is a bug, our policy is that you’ll get a refund, but we need to get some crash information to fix this…

  12. Steve says:

    Seems you guys are trying to force integrated authentication across the front and back servers on the legacy iis connectors that are used entourage (exchange). webdav really is not working on this and rpc over http should be added in to the mac clients

    Right now entourage must use basic authentication over encapsulated ssl. This directly conflicts (I believe) with what is trying to be accomplished with the rollup

    Either way I will open a support case tomorrow on this

  13. tony roth says:

    hey I applied the patch because we had the 1st problem in your list of issues (notes rooms f/b stuff) but since then I can’t the excalcon process to talk to the exchange server get error 1753 any ideas?

    thanks

    tr

  14. Sean van Osnabrugge says:

    Why have the last 3 rollups (since release of SP1) not been incrementing the version number in AD?  serialNumber of the server object in the configuration partition.

    This is causing serious issues when doing a setup.com /recovercms which is required for recovering a cluster in an SCR scenario.

    Has anyone else experienced this issue?  What solutions do people have other than changing the serialNumber in AD?

  15. Scott Roberts (Exchange) says:

    Sean…

    Your issue is actually a pre-req BPA check that we have an open case on.

  16. den says:

    Do not startup any exchange service after applied Update Rollup 3.

  17. JohnD says:

    On my HUB server none of these service will start after installing RU3

    anti-spam, edgesync, Transport en Transport Log Search.

    Not even after a reboot, not even manually.

  18. den Dave says:

    Well same here!!

    Just installed rollup 3 on two HUB/CAS servers and one node of CCR cluster.

    All Exchange services try to start but timeout on the service –> did not respond in a timely fashion.

    Any help would be welcome

  19. Exchange says:

    johnd and den Dave: did you try the .config file workaround?

  20. jerry says:

    I had the rollup installed silently.  but it caused boot up errors, when win2K3 is loading it gets stuck @ "loading computer profile" and stays there for about 10-15 mins, after i got it to boot i could not get the services to start.  i tried the ServiceControl.ps1 AfterPatch command, and still no start of services.  so i decided to reinstall the rollup manually.  its been @ "Creating native images for .net assembles.  this process may take an extended period of time." for about an hour now.  How long should i wait for this process to complete?

  21. jerry says:

    Roll up 3 seems to have now installed fine, with a wait about 2 hours, but my services will still not start.  i did complete the ServiceControl.ps1 AfterPatch command.  any suggestions?

  22. I am receiving an error. Transport Service could not start says:

    Transport Service Failes to start and will not start when trying to manually.

  23. Jeff25 says:

    After installing this update ALL of our Exchange services (including www, https, iis admin) were disabled. After setting them all back to automatic/manual OWA no longer works.

    Thanks!

  24. Jane says:

    Using the same account as Exchange 2007 was installed with and having good Internet connectivity (from server fast connection to http://crl.microsoft.com/pki/crl/products/CSPCA.crl) after the rollup 3 was installed we had similar problems – Exchange services would not start.  Un-installed the rollup.  The server is a CAS/HUB role server.  While we had rollup 1 on it we did not have rollup 2.  It is now back to rollup 1.  No interm hotfixes were on the server.

    Have not yet tried the config file changes for the "Certificate revocation checks".  Double checked that we had good internet connectivity to http://crl.microsoft.com/pki/crl/products/CSPCA.crl.  

  25. den Dave says:

    Today I tried the .config workaround.

    Since my servers were already at .Net 2.0.50727 I didn’t have to apply to hotfix.

    Went to BIN or CLIENTACCESS directory and altered all Exchange related config files:

    BinEdgeTransport.exe.config

    BinExBPA.exe.config

    BinExBPACmd.exe.config

    BinExTRA.exe.config

    BinMicrosoft.Exchange.Cluster.ReplayService.exe.config

    BinMicrosoft.Exchange.EdgeSyncSvc.exe.config

    BinMicrosoft.Exchange.Monitoring.exe.config

    BinMicrosoft.Exchange.Search.ExSearch.exe.config

    BinMicrosoft.Exchange.ServiceHost.exe.config

    BinMSExchangeMailboxAssistants.exe.config

    BinMSExchangeMailSubmission.exe.config

    BinMSExchangeTransportLogSearch.exe.config

    ClientAccessPopImapMicrosoft.Exchange.Imap4.Exe.config

    ClientAccessPopImapMicrosoft.Exchange.Pop3.Exe.config

    Where necessary I created the additional config files:

    BinMicrosoft.Exchange.AntispamUpdateSvc.exe.config

    BinMsExchangeFDS.exe.config

    BinMSExchangeTransport.exe.config

    Added

    <generatePublisherEvidence enabled="false"/>

    to each .config file

    OR if the files did not exist, created these files with following content

    <configuration>

     <runtime>

             <generatePublisherEvidence enabled="false"/>

     </runtime>

    </configuration>

    Typically a .config file has to be changed or created for each installed Exchange 2007 Service.

    Thanks for the tip!! I’m happy it worked!!

    Hopefully the next update or rollup will fix this…

  26. Exchange says:

    Sean van Osnabrugge – we know of this problem but do not have a fix yet. The way to work around it is to remove the UR, run /recoverCMS, and then re-apply the UR once the CMS is back and running.

  27. den Dave says:

    Already had .NET 2.0.50727, so hotfrix was not needed.

    Adapted the .config files and I was able to start the services again.

    Thanks!

  28. JohnD says:

    This solved my problem!

    We are using a proxy server, with authentication, so the update could not reach the CSPCA.crl file! I bypassed the proxy and bingo!

    I hope this can be af any help to others.

    http://support.microsoft.com/kb/944752/

    CAUSE

    This problem occurs because the affected computer cannot reach the following Microsoft Web site:

    http://crl.microsoft.com/pki/crl/products/CSPCA.crl (http://crl.microsoft.com/pki/crl/products/CSPCA.crl)

    John

  29. Aaron J says:

    Has anyone deployed Rollup3 without any problems? :)

  30. SteveH says:

    For us the problem was that email would sit in Outlook users’ Outboxes and OWA users’ Drafts folders for 30 minutes to a hour or more before finally getting sent. Seven hours on the phone with MS tech support and we couldn’t find a cause. We ended up uninstalling Rollup 3 and mail started flowing again. However, now my Apple Mail client cannot connect. (Log in rejected by IMAP4) Oddly enough, the Apple Mail client was the only client in the office that experienced no delays while Rollup 3 was installed. Other than that, installing Rollup 3 fixed everything.

  31. ArunMysore says:

    I faced this specific issue with Update Rollup 3 for E2K7 SP1: After applying the Rollup on CAS server role, the "Microsoft Exchange File Distribution" & "Microsoft Exchange Service Host" services fails to start. I failed to understand what could have caused this issue but however I finally did find some workaround to resolve the issue.

  32. mike says:

    Since this is some kind of MS Blog or people who worked/work for Exchange even as VMP. Could someone state if it’s a good idea to install the Update Rollup 3 (For SP1) with all the problems or glithces mentioned here.

    1) Some Service does no restarte after update

    2) HOTFXIES between the major Rollup have to be deinstalled

    3) There is some kind of licence server which has to be connected trough or without proxy.

    If you have CAS and HUB-MAILBOX. In wich order should the Patch be applyed?

    Does this rollup fix any issues in terms of cpu store.exe around 99% while users logon/Logoff with Outlook fatclient? (Mixed mode with Exchange 2003)

    Any others issues or important things to take care of?

    Thanks in advance.

  33. Ray Avila says:

    I’m with Mike. Was this a good idea?  For us……no.  To bad I’m responding after RU 3 removal. By the way we had no problem getting the revocation list.  The services failed to start and threw nothing but generic errors. I will say, however, KB944752 has an interesting title.

  34. Exchange says:

    Mike,

    Seeing that this specific rollup does have security fixes – we definitely recommend that people install it on their servers, yes. There are some "known issues" as we call them, and we have tried to be as clear about them in this post as possible. The situation is not ideal for sure, but we are working to have this resolved in the future in many respects that are not great today.

    To address your last question – I am not aware of a specific case of 100% CPU utilization that this fixes… in fact I would really suggest that if you are seeing this – you should call into your support line. We refund the incident case if this is a bug…

  35. Felix B says:

    I had the rollup come up in the Windows Server 2008 updates. I accepted the install via Windows Update. After the reboot for the windows updates I found that OWA was no longer running (blank), as stated in the blog message.

    I have now re-installed the rollup using my admin account and "Run As Admin" and everything is fine again.

    It would be nice if MS would NOT push rollups via Windows Updates, if they don’t install properly…

  36. Dvord says:

    Well I tried this rollup, and it hung almost immediately after starting.

    STORE hung and wouldn’t shut down.  Neither did MAD.  I ended them manually in Processes after failing to do anything for about 5 minutes.  

    The rollup then completed.  After an 11 minute reboot everything appears ok, but I will have to wait until tomorrow to see if my Entourage clients are hamstrung or not.

  37. Eric H. says:

    I installed rollup 3 last night, but there is no indication anywhere that it was installed. The only location is in the Application Log. We are running Server 2008, the Rollup 3 isn’t listed in the Programs and Features.

    When I run the "get-exchangeserver | select admindisplayversion" the build number hasn’t changed. Is this by design? Short of documentation, how do you keep track of which rollup has been installed?

  38. dvord says:

    To add to my previous entry:

    My Entourage clients had no problem connecting the next morning.

  39. Ron W. says:

    This seems trivial compared to all the other issues but I have another. Backup Exec won’t work because version #s don’t match between the backup server and the exchange server. I’ve installed rollup 3 to both machines but the 32 bit is the only version # that changed.

  40. dvord says:

    Interesting Ron.  I am using Backup Exec 11D on a 32-bit 2003 machine.  I back up the 64-bit Exchange box over the wire, and Thursday night’s backup went without a hitch.  

    My backup box has a pre-SP1 copy of 32-bit Exchange so I know the version numbers aren’t even close.

    I do have an Exchange agent installed on the Exchange box, perhaps I don’t need Exchange on the backup server at all in that case.

    I’d mess with it, but it works.  ;-)

  41. Sean van Osnabrugge says:

    Ok, so UR3 installs fine on all our servers in our DEV environment, but come time to patching PROD…well, it breaks our HUB servers like many people have posted.  I have to say this is a very inconsistent patch.

    One individual changed the service to logon as Local System, but I’ve confirmed that the service was set to logon as the local Network Service account prior to the installation of the patch.  I would change the logon method, but I’m afraid of the consequences
    that much ensue from doing so (especially since our DEV environment did not require such a change):

    http://forums.msexchange.org/m_1800480695/mpage_1/key_/tm.htm#1800480729

    Has anyone discovered why this is occuring?  Any solutions besides changing the account which the service logs on as?

  42. Jane says:

    Followup to my notes on July 13 in case others having similar issues: All E2k7 SP1 servers now updated ok to Rollup 3.  Despite tested fast access to http://crl.microsoft.com/pki/crl/products/CSPCA.crl we had to use the .config fixes, including ClientAccessPopImapMicrosoft.Exchange.Imap4Service.Exe  and ClientAccessPopImapMicrosoft.Exchange.Pop3Service.Exe (initially I had left off the "Service" portion).

  43. I pushed the rollup to my Exchange 2007 CAS/HUB server (Windows 2008) via WSUS, and got the problems many other report here:

    – Blank OWA

    – Could not start Transport service on CAS server (I could start it if I disabled the firewall service though)

    I removed the update rollup, and installed it manually using the account with admininstrative rights. After that everything works fine.

  44. Steve from Florida says:

    Ditto here on W2K8 Hub transport servers in our QA environment … no Exchange services started properly …. I configured the servers to puch out to Internet to access the CRL site and the services still refused to start. I left the server overnite and the next morning all was ok!

    MS should pull this hotifx until the issues are resolved IMHO.

  45. MailAdmin says:

    So is the version # in EMC supposed to change from 240.6? patch applied ok on two servers but EMC reports 240.6 yet I can see that some issues are fixed so it did install something.

  46. justin says:

    Had the exact same behaviour as SteveH. Does anyone know if installing using Run As Administrator fixes these problems?

  47. Rick says:

    Has there been any issue with R3 taking several hours to install?

  48. I am publishing the OWA site (from my CAS which is separated from my MBX), to the Internet through a ISA 2006 SP1 machine. The OWA publishing rule worked just fine before installing Rollup3. After installation of Rollup3, OWA is not accessible externally through ISA anymore (OWA access from the LAN still works).

    Logging in ISA 2006 shows that all http requests coming to the OWA site from the publishing rule, now receive a "301 Permanently Moved" response.

    Uninstalled the rollup from my CAS, things started working again. Installed it again, same problem. I have decided not to install this rollup on my servers for now.

    Has anybody seen this?

  49. Malik says:

    Can someone post a URL for the .config fix that is referred to in the comments?  Also, can anyone outline the usefulness of the .config fix – especially since it isn’t necessary in some instances.

  50. Lyle Epstein says:

    Installed update rollup 3 today, after rebooting, got OWA blank screen and an error is IE. If you look at details, it shows:

    Line: 7
    Char: 1
    Error: Syntax error
    Code: 0
    URL:
    https://email/owa/auth/logon.aspzx?url-https://email/owa&reason=0

    troubleshooted for a while and ended up calling Microsoft PSS XCSI team. We removed the rollup and the problem went away. Rebooted &  Reinstalled rollup and OWA is working fine now. I just wish it didn’t take 3 hours for me to figure out this might be the solution
    and PSS still wondering why this fixed it.
    If anyone wants a log file to help figure it out, let me know.

  51. D Sproule says:

    I installed rollup 3 in our test hyper v environment after manually testing link to http://crl.microsoft.com/pki/crl/products/CSPCA.crl.  which worked fine.

    Rebooted services would not start reverted to previuos snapshot

    used proxycfg in c:windowssystem32 to configure proxy settings installed rollup and then rebooted all services now start fine.

  52. JScott2 says:

    I’ve installed rollup3 on several of my servers, however, on one of them it does not show up in add/remove programs, how can I verify the install?

  53. guy says:

    I am trying to install rollup 3 on a 64 bit Server 2003 that has only EMC installed.

    It is currently updated with SP1 rollup 2.

    When I run setup I get the following error:

    The installer has insufficient priviliges to modify this file: C:Program FilesMicrosoftExchange ServerRelNotes.htm.

    Any ideas anyone?

  54. guy says:

    I resolved this.

    I opened up a CMD window as an Administrator (I am logged on as one), and launched the rollup from the CMD window, and it installed fine.

    The weird thing is that when I tried running the rollup directly, UAC did not ask me for confirmation…

    Thanks anyway.

    Guy

  55. Garry Trinder says:

    Hi!

    Since we’re currently encountering tons of problems because of the .NET-Phone-Home-Bug, we decided to create a DNS Domain with a single A-record called crl.microsoft.com. Pointing to 127.0.0.1.

    All problems (Exchange, Navision, BizTalk, …) disappeared.

    PS – Setting the service timeout to 180000 (!) didn’t help. Touching many .config files (most of them I’m not even aware of) is no fun either (or do you know all .NET executables in BizTalk?). Changing a registry key to a value without any recomendation from M$ (http://support.microsoft.com/kb/944752, Method 2: Configure the URL retrieval time-out values) – hm.

    Boys, there’s some place for improvements.

  56. ExchAdmGer says:

    Hi Folks,

    i tried to install UR 3 on our Exchange 2007 SP1 Server. Well, Services started but OWA page was blank. The account i used was not the original one but a Domain Admin one. After uninstalling it and installing it with the original one everything was fine. My question is if this going to be fixed in further UR or will it be a prerequisite? If so can you please more specific which rights the account needs in order to install the UR correctly without any problems?

    Another problem is the the nged process is still with low prority and therefore it takes an awful long time to install the UR’s :(( Please change this!

    Thanks anyway

    Robert

  57. NikonMan Florida says:

    FYI:

    PSS advised that there may be a revised hotfix rollup to address the dial-home issue as the current workarounds are cumbersome and unacceptable.

    >>> Can this be verified by the Exchange product team? <<<

    I think we all would like some guidance as to to how to move forward, especially if future rollups are going to have the same issue, etc.

    Thanks!

  58. Joey says:

    Well I have tried installing this twice, once via WSUS and once from the download with the same user I installed exchange as, with the same results. By the way this happens just on the CAS. My mailbox/hub server is working just fine. Whats really curious is that ActiveSync functions, just not OWA via the /Exchange or /Owa virtual directories. Glad to hear MS is going to be fixing this update.

  59. Matt says:

    Same problem here.

    UR was installed via WSUS the first time but services started normal. But OWA didn’t work so I installed it again manually with the same user as I installed Exchange. No success. So I uninstalled the UR and restarted the servers. But OWA is still broken.

    any advice would be highly appreciated!

  60. John Stacey says:

    The problem I had is once the rollup had been installed (and presumably failed as several services failed to start) no amount of program removal, config fixes or anything else would get the services ot autostart, they’d start manually with no problem but I find that less than acceptable.

    In the end as this server is a hardware replacement and had no actual mail on it (other than a few test accounts) I redid it from scratch (Windows install included). Ran the rollup with a VPN to the outside world running and everything seems perfect.

    I have no problem doing this but I find it hard to believe MS genuinely expect a mail server to have direct access to the internet.

  61. Chris Green says:

    So I’ve been watching this posting hoping for another update but there has been none.  I reviewed this when Roll up 3 broke all of our Entourage users.  We are a single server environment so we aren’t having Front End/Back End issues.  I’ve had a support ticket open with MS for over two weeks now and they can’t find the problem.  Entourage users cannot sync folders with more than 140ish items in them.  The server response to the SEARCH command just dies.  Since RU3 caused it but it did not go away removing it they seem to be stuck with no idea how to address it.  All I know is that they’ve said we are not th only company having the issue and the support team members are "dedicated" to the issue.  I would love to know that some of the core Exchange team was aware of the issue.  Ticket is SRX080725601293.  

  62. Tobias Roedig says:

    We have the same issue with the blank OWA after updating. Is there any solution without a complete/partial re-install?

    Thanks!

  63. lambypie says:

    Its a silly question I know but are there any special instructions for installing the roll up pack 3 on a 2 node cluster. I know it should be passive node first is that correct? Does MS have any instructions as per SP1 for clusters?

  64. jkalinowski says:

    Is there a way you can verify what account was used to install Exchange originally?  I’d rather verify that guess on my inherited system.  Thanks.

  65. khiko says:

    installed rolup 3 and encountered the issues stated above. i was able to get the services working again but owa is coming up as a blank page….(i installed it under a doamin admin account). aslo i cant seem to find the uninstall option for this update via add/remove program???? like scott issue

  66. Jose Meza says:

    I have exchange 2007 sp1 + forefront, 2 days ago RU3 was installed and got the same problem, i noticed that all the msgs . remain in the submission queue.

    Uninstalled RU3, set the MS Exchange Transport to Network Service as explained here http://support.microsoft.com/kb/934286/en-us

    before reinstalling RU3 all Exchange services (and forefront services in my case) must be stopped. Everythings goes OK now.

  67. Joey – same issue here, were you able to resolve the issue? Thanks,

    Luke

  68. khiko says:

    i got OWA working. i’ve got an idea from http://www.sch0.org/index.php/2008/07/14/exchange-2007-sp1-rollup-3-owa-blank-pag

    Rollup 3 uninstall option is still not showing under add/remove programs. i would not be proceeding with the update for our 3 other servers for now until Microsoft release a patch or fix for this update …

  69. khiko says:

    my bad :) rollup 3 uninstall option is actually on the add/remove programs…just need to check "show updates".

Comments are closed.

Skip to main content