Exchange 2010 SP3 RU15 Released


Patch Tuesday this week heralded the arrival of Rollup Update Rollup 15 (RU15) for Exchange Server 2010 Service Pack 3.  RU15 is the latest rollup of customer fixes available for Exchange Server 2010. The release contains  security fixes to address the issues in Microsoft Security Bulletin MS16-108, in addition to the previous fixes in RU14 and older.  Since security updates are delivered via a RU for Exchange 2010 and 2007, this is why a new RU was released.  Exchange 2013 and 2016 have a different release model, where security updates are decoupled from the standard cumulative updates.

To fix the issues on Exchange 2007, SP3 RU21 was released for that version of Exchange.  Separate security updates are available for supported versions of Exchange 2013 and 2016, and are linked from the security bulletin.

Exchange 2010 SP3 RU15 Download

This is build 14.03.0319.002 of Exchange 2010, and KB 3184728 has the full details for the release.  The update file name is Exchange2010-KB3184728-x64-en.msp.

Note that this is only for the Service Pack 3 branch of Exchange 2010.  Why?  Exchange 2010 SP2 exited out of support on the 8th of April 2014 and will no longer receive updates.  Customer must be on Exchange 2010 SP3 to receive updates.

Also note that Exchange 2010 transitioned into its Extended product support lifecycle phase on the 13th of January 2015.  Exchange 2010 will now be serviced as per the extended support policy.

 

Issues Resolved

This RU contains the security fixes as listed in MS16-108

The below contain the details behind the issues:

Microsoft Exchange Information Disclosure Vulnerability - CVE-2016-0138

Microsoft Exchange Open Redirect Vulnerability - CVE-2016-3378

Microsoft Exchange Elevation of Privilege Vulnerability - CVE-2016-3379

 

Important Notes

The below are the normal notes to consider before deploying an Exchange RU.  In this case, the below must also be tempered with the fact that there are security fixes.

There are a couple of items to mention:

  • Test the update in your lab before installing in production.  If in doubt test…
  • Ensure that you consult with all 3rd party vendors which exist as part of your messaging environment.  This includes archive, mobility and management services.
  • Ensure that you do not forget to install updates on management servers, jump servers/workstations and application servers where the management tools were installed for an application.  FIM and 3rd party user provisioning solutions are examples of the latter.
  • If the Exchange server does not have Internet connectivity then this introduces significant delay in building the Native images for the .Net assemblies as the server is unable to get to http://crl.microsoft.com.  To resolve this issue, follow these steps:
    1. On the Tools menu in Windows Internet Explorer, click Internet Options, and then click the Advanced tab.
    2. In the Security section, click to clear the Check for publisher’s certificate revocation check box, and then click OK.

    We recommend that you clear this security option in Internet Explorer only if the computer is in a tightly controlled environment. When setup is complete, click to select the Check for publisher’s certificate revocation check box again.

  • Install the update from an elevated command prompt
  • Ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed.  See KB981474.
  • Update Internet facing CAS servers first
  • Backup any OWA customisations as they will be removed
  • Uninstall any Interim Updates (IUs) before installing the RU.  You will have received these private files directly from Microsoft.
  • Disable file system antivirus prior to installing the RU.
  • Restart server after RU has been installed and then re-enable file system antivirus
  • Test (yes, technically this is in here for a second time but it is very important!)

 

Cheers,

Rhoderick

Comments (20)

  1. Janice says:

    Hi, Can i apply RU15 directly without applying RU14?

      1. Sahayarajan Subramani says:

        Hi This is Saha from India,

        We tried to install the Exchange RU 15 updates, while installing we are getting the below error screenshot.

        Windows Installer Stopped working.

  2. Nurus Chowdhury says:

    Hi, have you had any reports about autodisover not working for Outlook 2011 users? After installing RU15 it seems Outlook 2011 is unable to use this service. All other clients, Outlook 2010, 2013, and 2016 (mac and Windows), are working fine.

    1. Personally, no - have not seen/heard of that Nurus.

      If this is a production issue please open up a case so we can work on it.

      Cheers,
      Rhoderick

      1. Nurus Chowdhury says:

        Thank you Rhoderick, what's the best way to create a support ticket, through the general support site?

  3. Tara says:

    Hi, I need to update Exchange 2010 SP3 RU9 , can I go directly to RU15? The Execution Policy KB says Remote Execution must be undefined for RU1 and RU2, is this still necessary for RU15 install?

    Thank you

    1. Yes - you can go straight to RU15 from RU9.

      Regarding the execution policy, that should still apply. Do not recall that it was amended.

      Cheers,
      Rhoderick

  4. Chris says:

    Ive applied RU15 to 5 CAS/HT servers. All but one server functions perfectly. The one CAS/HT server will not open EMC. EMS will open but connect to other CAS servers.
    Crashes with event id 1023:.NET Runtime version 2.0.50727.5485 - Fatal Execution Engine Error (000007FEF8B65DE9) (80131506)
    and then event id: 1000 Faulting application name: mmc.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc808
    Faulting module name: mscorwks.dll, version: 2.0.50727.5485, time stamp: 0x53a11d6c
    Exception code: 0x80131506
    Fault offset: 0x00000000004b5de9
    Faulting process id: 0x%9

    SFC check with no errors.
    No other windows updates installed at the time of RU15 installed.

    1. Good call on SFC, would have asked about that.

      Seems similar to some previous .NET issues.

      Please verify the exact builds and patch levels for all .NET on that box.

      previous issues were related to
      https://support.microsoft.com/en-us/kb/2540222

      Cheers,
      Rhoderick

  5. Piotr says:

    We have upgraded to Exchange SP3 RU15 and few users reported the issue from 2012 (meeting attendee becomes the organizer) - https://www.engadget.com/2012/10/04/exchange-ios-meeting-hijack-history-goes-back-well-before-ios/

    Did anyone notice this issue again?

  6. bladley says:

    Is there a package that allows for SP3 to be applied with RU15 included or is a 2 step process; SP3 upgrade and then RUx?

    1. Two step process. Though you can automate this a little with the updates folder.
      https://technet.microsoft.com/en-us/library/ff637981(v=exchg.141).aspx

      Exchange 2013 onwards use Cumulative Updates, which are cumulative....
      Hence the name

      Cheers,
      Rhoderick

  7. sebastian baca says:

    My exchange 2010 is currently on 10. I need to update. Can I go directly to 15 or should I apply all CU in between?

    1. Direct- just like the comments above Sebastian

      Cheers,
      Rhoderick

  8. Bruce says:

    I applied SP3 then RU 15 to my on premise exchange 2010, now the default user limited access is not working. Users cannot view shared calendar free/busy. If I set default user access to any other setting everything works. Any idea what is causing this?
    Also I no longer have access to my RBAC account

    1. I'd get a support case goign Bruce - multiple things are going on here.

      Cheers,
      Rhoderick

  9. Taufeeq Nabi says:

    Hi,

    We just on boarded a client whose has just base install of Exchange Server 2010 SP3. No rollups applied. Can we go directly to Update 15? If not can you please provide the upgrade path to take.

    Cheers
    Taufeeq

    1. Hi Taufeeg,

      Glad that their servers are finally getting some patching TLC. So very overdue....

      Yes - you can go direct to SP3 RU15.

      Cheers,
      Rhoderick

      1. Taufeeq Nabi says:

        Thanks Rhoderick.
        Much Appreciated

Skip to main content