Microsoft has released Security Updates (SUs) for vulnerabilities found in:
Exchange Server 2013
Exchange Server 2016
Exchange Server 2019
SUs are available in a self-extracting auto-elev...
Updated Oct 11, 2022
Version 2.0
Blog Post
Nino_Bilic
Microsoft
MicrosoftDavid_Patterson Relevant update KB articles list and link to what is addressed in October SUs. Re-release of CVEs was not the only thing in October SUs.
Note though: you are making an assumption that every fix in the update will have a CVE associated with it; that is not the case (and never was). CVEs are for publicly known / disclosed vulnerabilities. We might at any time release security updates with fixes that were never publicly disclosed (for example, they were not reported to us but we found them internally and just addressed them).
Our recommendation about security updates is: install them when we release them. If there are things like urgent fixes, then we will obviously communicate it as such (or release out of band) and in those cases, there will more than likely be CVEs and possibly other thing to reference. But realize that even smaller things that might not appear as big or publicly discussed issues today, can possibly be used as a part of the attack chain few months from now.
I recommend a simple approach: see a security update? Install it. See an urgent one? Install it urgently.