Home
Microsoft

Update 8/14/13: Due to an issue with the Exchange 2013 Security Update installation process, the Exchange 2013 updates have been removed from the Download Center. For more information, please see Exchange 2013 Security Update MS13-061 Status Update.

Today, Exchange Servicing released several updates for the Exchange product line to the Download Center:

  • Update Rollup 11 for Exchange Server 2007 SP3
  • Update Rollup 7 for Exchange Server 2010 SP2
  • Update Rollup 2 for Exchange Server 2010 SP3
  • Exchange Server 2013 RTM CU1 MSRC Security bulletin MS13-061
  • Exchange Server 2013 RTM CU2 MSRC Security bulletin MS13-061

Note: Some of the following KB articles may not be available at the time of this article’s publishing.

Exchange 2007 Rollups

The Exchange 2007 SP3 RU11 update contains two fixes in addition to the changes for MS13-061. For more details, including a list of fixes included in this update, see KB 2873746 and the MS13-061 security bulletin. We would like to specifically call out the following fixes which are included in this release:

  • 2688667 W3wp.exe consumes excessive CPU resources on Exchange Client Access servers when users open recurring calendar items in mailboxes by using OWA or EWS
  • 2852663 The last public folder database on Exchange 2007 cannot be removed after migrating to Exchange 2013 

Exchange 2010 Rollups

The Exchange 2010 SP2 RU7 update contains the changes for MS13-061.  For more details, see the MS13-061 security bulletin.

The Exchange 2010 SP3 RU2 update contains fixes for a number of customer-reported and internally found issues, as well as, the changes for MS13-061. For more details, including a list of fixes included in this update, see KB 2866475 and the MS13-061 security bulletin. We would like to specifically call out the following fixes which are included in this release:

  • 2861118 W3wp.exe process for the MSExchangeSyncAppPool application pool crashes in an Exchange Server 2010 SP2 or SP3 environment
  • 2851419 Slow performance in some databases after Exchange Server 2010 is running continuously for at least 23 days
  • 2859596 Event ID 4999 when you use a disclaimer transport rule in an environment that has Update Rollup 1 for Exchange Server 2010 SP3 installed
  • 2873477 All messages are stamped by MRM if a deletion tag in a retention policy is configured in an Exchange Server 2010 environment
  • 2860037 iOS devices cannot synchronize mailboxes in an Exchange Server 2010 environment
  • 2854564 Messaging Records Management 2.0 policy can't be applied in an Exchange Server 2010 environment

Exchange Server 2013

MS13-061 is the first security update released for Exchange Server 2013 utilizing the new servicing model.  MS13-061 is available as a security update for:

Important: If you have previously deployed CU2, you must ensure you are running build 712.24 in order to apply the security update. For more information about build 712.24, please see Now Available: Updated Release of Exchange 2013 RTM CU2.

Ross Smith IV
Principal Program Manager
Exchange Customer Experience

90 Comments
Not applicable

Does this include the GetRoomLists fix that utilized NSPI when no Room Lists were defined?

Not applicable

Once again, please stop Security Updates for Exchange 2010 through URs!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Not applicable

@juergen, the established servicing model will continue for the remainder of Exchange 2007 and Exchange 2010's product support lifecycle. We heard the feedback and were able to update Exchange 2013's servicing model to allow us to ship individual security updates, as we have just done here for the first time.

Not applicable

does this correct the signature bug from RU1?

--Tracy

Not applicable

@Casey Tomlinson - We did address an issue with GetRoomList to scope the recipient session using the user's Address list as opposed to the global scope which resulted in high CPU load on AD servers.

Ross

Not applicable

@Tracy, yes please refer to the whole list for 2010 SP3 RU2 referred above, support.microsoft.com . That should then link to KB2859596 which I believe is the item you are asking about.

Not applicable

Brian, are these CU's/RU's getting tested? It appears that new bugs are created with each new fix. We are almost better off not apply the fixes. Any comments?

Not applicable

@Steve, no we blindly release code and let you test it for us. ;) j/k I will defer to the last few Q&A bullets in Ross' previous article here for commentary on testing. Short answer is, absolutely we do. blogs.technet.com/.../e2013-rtm-cu2-issue-public-folder-permissions-loss-after-pf-mailbox-move.aspx

Not applicable

@Ross / Brian,

Is this Update Rollup 2 for Exchange 2010 SP3 fixes an issue with Archive mailbox appearance in Outlook (where both Online Archive and Regular mailbox names appear as same)?

Thanks!

Not applicable

@Sadda - yes we did introduce a fix for E2010 SP3 RU2 that addresses the issue where delegate archive show the name of the primary mailbox owner.  However, a client side fix is also required, but I don't have information on when that is shipping.  

Not applicable

@Ross,

Thanks for your confirmation.

Not applicable

When attempting to install this update I receive "The feature you are trying to use is on a network resource that is unavailable." When I browse for the resource it is looking for exchangeserver.msi. Ideas? Exchange 2010 SP31RU1 upgrade.

Not applicable

Exchange 2010 SP3 has ActiveSync redirection issue.  Looks like SP3 RU2 doesn't fix it.  When will it be fixed?

Not applicable

@Tim - yes we did address the issue where EAS devices would get a 403 response instead of being proxied.   However, not all EAS devices will get a redirect.  We are now targeting a known list of supported devices for redirection.  All other devices will be proxied.

Not applicable

there should be a fix in Ru2 for Exch2010 Sp3 that addresses a problem with granting folder permissions to mail-enabled security groups in a ressource forrest deployment that is not working. What's about that?

Not applicable

@Chris, you'll have to provide additional information. Perhaps a case # for us to refer back to.

Not applicable

In our environment installing the rollup hangs at the 'copying files' stage. It continues to about 50% and then stalls. I left it there for an hour, but it doesn't continue. Taskmanager also doesn't show any processes using CPU. No virusscanner is installed on the server.

Not applicable

Addition: it appears no files have been actually copied yet in the 'copying new files' stage. Most recent files in the V14bin folder have a date of 17-4-2013.

Not applicable

Forgot to mention in previous posts:  Exchange 2010 SP3 RU2

Not applicable

You can contact me at sbradcpa-at-msmvps.com(change the -at- to @) if you need to

Fellow SBS mvp Tero Leskinen patching a SBS 2011 (Exchange 2010 sp3 ur2) also reports that he got a prompt for exchangeserver.msi during the install as well.

Not applicable

Small question - Why are the file names of the security update for Exchange 2013 CU1 and CU2 identical? People may be under the assumption they're identical (they aren't)

Not applicable

@Susan: I didn't get that prompt, it just sits there (I didn't use the windows update setup, but downloaded the standalone setup).

However, I've my server up and running again. I took the plunge and killed the MSIEXEC process (cancel in the setup window didn't work). I reverted the services that were set to disabled back to their original value and Exchange started fine again and outlook is able to connect. Fingers crossed and I will open a support case tomorrow on why this is happening.

Not applicable

Installed this updated on 2 servers running Exchange 2013 CU1 and in both instances the updated remove the Microsoft Exchange Search Host Controller and replaced it with a service called Host Controller for Exchange which does not start. I removed the server from the DAG, removed the MBX role and then reinstalled Exchange CU1. I then reapplied the update to confirm and in this instance as well, the service was removed.

Not applicable

(updated)

Installed this updated on 2 servers running Exchange 2013 CU1 and in both instances the update removed the Microsoft Exchange Search Host Controller and replaced it with a service called Host Controller for Exchange which does not start. I removed the server from the DAG, removed the MBX role and then reinstalled Exchange CU1. I then reapplied the update to confirm and in this instance as well, the service was removed.

Not applicable

After updating Exchange 2010 SP3 RU2 from Exchange 2010 SP3 on Windows 2008 R2, the MS Exchange information store service is not started and the following event log error occurs.  Is it a known issue?  When I restarts MS Exchange AD topology services, all Exchange services are back to normal. Thanks!

Log Name:      Application

Source:        MSExchangeIS

Date:          13/08/2013 10:45:22 PM

Event ID:      5003

Task Category: General

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      VDEV-MAILEX02.ohhllpdev.com

Description:

Unable to initialize the Information Store service because the clocks on the client and server are skewed. This may be caused by a time change either on the client or on the server, and may require a restart of that computer. Verify that your domain is correctly configured and  is currently online.

Event Xml:

<Event xmlns="schemas.microsoft.com/.../event">

 <System>

   <Provider Name="MSExchangeIS" />

   <EventID Qualifiers="49158">5003</EventID>

   <Level>2</Level>

   <Task>6</Task>

   <Keywords>0x80000000000000</Keywords>

   <TimeCreated SystemTime="2013-08-14T02:45:22.000000000Z" />

   <EventRecordID>262097</EventRecordID>

   <Channel>Application</Channel>

   <Computer>VDEV-MAILEX02.ohhllpdev.com</Computer>

   <Security />

 </System>

 <EventData>

   <Binary>5B444941475F4354585D0000B6010000FFF01600000000000000A801000093642010000000009344201000000000937C201000000000935C201000000000936C201000000000934C2010000000001D48201000000000FD5C201000000000BD5F2010000000001D48201000000000FD5C201000000000BD5F201000000000FD79201000000000CD4A201000000000BD5F201000000000CD4A201000000000BD5F201000000000FD79201000000000FD79201000000000FD79201000000000FD79201000000000FD79201000000000FD79201000000000FD79201000000000FD79201000000000CD4A201000000000CD4A201000000000CD4A201000000000BD5F201000000000CD4A201000000000BD5F201000000000CD4A201000000000BD5F201000000000CD4A201000000000BD5F201000000000FD79201000000000CD4A201000000000BD44201000000000CD64201000000000E82D40100F010480FD79201000000000FD79201000000000FD79201000000000CD4A201000000000BD5F201000000000CD4A201000000000BD5F201000000000FD79201000000000CD4A2010000000007A68001000000000B81B40102301048040660010000000000DD4401023010480</Binary>

 </EventData>

</Event>

Not applicable

Will there be any upgrade issues going to Exchange 2013 CU3, when released if we install the security fix, ala traditional interim updates?

Not applicable

It looks like VM and ESXi time different issue. All services are back to normal after adjusting the time.

Not applicable

I was planning to implement RU2 for Exchange 2010SP3 after the holiday, but the presence of security update in RU2 cause I do not know what to do...

Not applicable

Why isn't there a seperation between fixpacks and security updates? This doesn't make sense, especially when you know that a lot of this fixpacks cause only trouble.

Not applicable

Having the same problem Mike DiVergilio mentioned above in CU2v2...

Removing the update did not fix it ... now i'm at loss ... any tips on how to fix this without reinstalling exchange on the server?

Not applicable

Hello,

I had build 712.24 on 3 servers and deployed the patch. On all 3 servers I cannot do searches anymore. Not 100 % sure its the exchange update causing this because i installed the Aug 2013 security updates at once, after that the service "host controller service for Exchange" doesn't start anymore. Is there already a fix available?

Uninstall of the exchange hotfix doesn't solve the issue.

Regards.

Not applicable

Host Controller Service won't start after Exchange 2013 security update:

I noticed that the key HKLMSOFTWAREMicrosoftSearch Foundation for ExchangeDataDirectory is empty.

If I fill it with "C:Program FilesMicrosoftExchange ServerV15BinSearchCeresHostControllerData" the service starts.

But this is only a dirty trial & error fix found by me, so take care!

Not applicable

Regarding KB, for your convenience I've created a small script which performs the workaround

eightwone.com/.../fix-for-ms13-061-breaking-exchange-2013

Not applicable

The search host controller issue has been addressed in support.microsoft.com/.../2879739

Not applicable

Is the disclaimer(transport rule) handeled in the Exchange 2010 SP3 RU2 that was a problem with Exchange 2010 SP3 RU1?

Not applicable

Having also the issue with the prompt, reffering to "exchangeserver.msi". We are running Exchange 2010 SP3, RU1. Any comment on this?

Not applicable

If you're getting a prompt for the Exchange 2010 source files you only need to extract the original setup files for that service pack (eg Exchange 2010 SP3) back to the location its prompting you for, or point the installer to another location where those files exist.

Not applicable

If you're getting a prompt for the Exchange 2010 source files you only need to extract the original setup files for that service pack (eg Exchange 2010 SP3) back to the location its prompting you for, or point the installer to another location where those files exist.

Not applicable

If you're getting a prompt for the Exchange 2010 source files you only need to extract the original setup files for that service pack (eg Exchange 2010 SP3) back to the location its prompting you for, or point the installer to another location where those files exist.

Not applicable

The links to the Exchange 2013 updates (CU1 and CU2) are dead.  I guess this update has been pulled?  From this blog post as well as here: technet.microsoft.com/.../ms13-061  

Rob

Not applicable

Brian

Your statement about testing on general public seems the best information so far.

Unfortunately since certain person left MS quality of updates has been less than

desired. And please spare us comments about how complicated Exchange is.

Bring back SS (at least he was able to get Windows 7 program running).

Not applicable

Off topic: There are plan to support SRS (Sender Rewriting Scheme) http://www.openspf.org/SRS, in Exchange?

Not applicable

Are there plans to support SRS (Sender Rewriting Scheme) http://www.openspf.org/SRS , on Microsoft Exchange?

Not applicable

Brian so after you apply hotfix in your test enviro you do not use Get-MailboxDatabaseCopyStatus ... to see ?

Can you confirm/deny or otherwise ?

Not applicable

We are on 2007 SP3 .. windows updates show RU11 and RU8v2 available. Does RU11 include the updates from RU8v2 or do I need to install RU8v2 first and then RU11?

Not applicable

For the Exchange 2007 sp3 update rollup 11, the download center (www.microsoft.com/.../details.aspx) does not list Windows 2003 R2 as a supported operating system:

"Supported Operating System

Windows 7 Professional 64-bit, Windows Server 2008 R2, Windows Server 2008 R2 SP1, Windows Server 2008 Standard, Windows Server 2012"

Was this an oversight?

Not applicable

I have the same question as Anna - the issue with Ex 2010 SP3 UR1 where messages get sent to the poison queue - has this been fixed? We have an interim update in place for a soft-delete issue with voicemail messages (from SP3) and have been unable to apply UR1 because of the disclaimer/poison message problem. At the time we were offered an interim update for this issue that we could apply after installing UR1, but the business was not prepared to accept the risk.

Not applicable

@Anna and SteveD

From the blog post:

2859596 Event ID 4999 when you use a disclaimer transport rule in an environment that has Update Rollup 1 for Exchange Server 2010 SP3 installed

Yes, it's fixed.

Not applicable

Future request, can you post the updates for the various Exchange versions separately, so the issues with Exchange 2013 aren't mixed up with 2010's.  And perhaps you can update the posting to mention that you've pulled the E2013 security patches and "If" you've installed them, here's the KB to go fix the issue instead of having to find it buried in the middle of all the other minutia. Thanks.

Not applicable

I see you were updating the page as I was typing, awesome.