Update Rollup 3 for Exchange Server 2007 SP1 and Update Rollup 7 for Exchange 2007 RTM have been released
Published Jul 08 2008 05:16 PM 3,319 Views

EDIT 8/22/2008: We have updated the troubleshooting section. Download information for Update Rollup 3 for Exchange 2007 SP1 The update is live at: http://www.microsoft.com/downloads/details.aspx?FamilyId=63E7F26C-92A8-4264-882D-F96B348C96AB&displa... Related KB article: http://support.microsoft.com/?kbid=949870 Download information for Update Rollup 7 for Exchange 2007 RTM The update is live at: http://www.microsoft.com/downloads/details.aspx?FamilyId=086A2A13-A1DE-4B1D-BD12-B148BFD2DAFA&displa... Related KB article: http://support.microsoft.com/?kbid=953469 The above update Rollups will also be released to Microsoft update. Fixes for security issue detailed in MS08-039 A security issue has been identified in Exchange Server 2007 as documented in http://www.microsoft.com/technet/security/bulletin/MS08-039.mspx.

  • Customers running Exchange Server 2007 RTM need to apply Update Rollup 7 for Exchange 2007 RTM to address the security issue.
  • Customers running Exchange Server 2007 SP1 need to apply Update Rollup 3 for Exchange 2007 SP1 to address the security issue.
Rollup installation troubleshooting Seeing that those Rollups contain security fixes, we expect that a lot of people will be applying them. There are a few possible issues that we would like you to be aware of:
  • Exchange 2007 managed services might time out during certificate revocation checks
  • During the installation of the Rollup, you might encounter a message that you have to wait until the disk space calculation is completed. This message will clear by itself and then you will be able to proceed further. We will permanently resolve this in the future.
  • When installing a Rollup, we recommend you use the same account that you used to install Exchange Server. If you are using a different account, that account needs to have Local Administrator rights as well as rights to read Active Directory on Exchange object as well as server level (as the update needs to determine which roles are installed on the server). Not having required permissions can lead to OWA not being updated correctly and displaying a blank page after update has completed.
  • If you have modified the logon.aspx file, it will not be patched by the Update Rollup installer. As a result Outlook Web Access may not be updated correctly and it may display a blank page after the update has finished. In order to avoid this problem, rename the logon.aspx file before applying the update rollup. After you apply an update rollup package, you must re-create Outlook Web Access customization in logon.aspx.
- Nino Bilic

69 Comments
Not applicable
Is Update Rollup 2 a prerequisite for this?

To clarify, does Update Rollup 3 include the fixes from previous Update Rollups?
Not applicable
Ed,

Out rollups are cumulative. In case of RU3 for SP1, this is what we say on the download page:

This is a cumulative update rollup and replaces the following:

KB945684 Update Rollup 1 for Exchange Server 2007 Service Pack 1 (KB945684)
KB948016 Update Rollup 2 for Exchange Server 2007 Service Pack 1 (KB948016)
Not applicable
Got bit by the time out bug I think - Transport Service would not start - uncool Microsoft - but at least it was a known issue.
Not applicable
Suggestion:  When the Exchange update/rollup finishes and turns back on all the services, if any fail to start (that were working prior), the rollup should advise the admin of such - I only realized the Transport Service failure after nags from my users.
Not applicable
Do I have to remove All the previous Rollups before I install Rollup 7? It's mentioned on all the info but I can't even see the previous rollups listed under add/remove programs so how can I remove them first?
Not applicable
Just like SP's, you do not have to remove a rollup to install the newer rollup.
Not applicable
Nathan - as Derek mentioned, you do not need to remove previous rollups, no...

You might be confused by the wording that talks about "removing interim updates" though. An interim update is an update that we might release for things that we had support cases on and certain customers hitting this might contact us and get a fix for that single specific issue. So it is not a rollup, it is an "interim" fix that goes between rollups really. Those are what should be removed, not rollups. So unless you actually had an interim fix from us - don't worry about it.
Not applicable
I wish I had read this before I applied the roll up! :)

We are experiencing the third problem in your troubleshooting section.  Any ideas on how to fix this?  Should I uninstall and re-install the patch (using a different account of course)?
Not applicable
Scott McNulty - yeah, that should do it...
Not applicable
With the rollup installed, we had the application pool crash constantly for the exchange directory under IIS. This was caused by Entourage users. We also got errors about EXPROX

Because of the legacy way Entourage is connected, it requires basic authentication on the back and front end servers for the legacy connection. The hub/transport and mailstore servers complained about this withthe rollup installed. Setting Windows integrated did not solve the problem at all by the way, infact it broke Entourage.

The only way to solve this was to back out the rollup.

I hope a fix is done or webdav is finally retired from Entourage once and for all.
Not applicable
Steve,

If possible, please open a support case on this! I do not think we have seen this yet... If it is a bug, our policy is that you'll get a refund, but we need to get some crash information to fix this...
Not applicable
Seems you guys are trying to force integrated authentication across the front and back servers on the legacy iis connectors that are used entourage (exchange). webdav really is not working on this and rpc over http should be added in to the mac clients

Right now entourage must use basic authentication over encapsulated ssl. This directly conflicts (I believe) with what is trying to be accomplished with the rollup

Either way I will open a support case tomorrow on this
Not applicable
hey I applied the patch because we had the 1st problem in your list of issues (notes rooms f/b stuff) but since then I can't the excalcon process to talk to the exchange server get error 1753 any ideas?
thanks
tr
Not applicable
Why have the last 3 rollups (since release of SP1) not been incrementing the version number in AD?  serialNumber of the server object in the configuration partition.

This is causing serious issues when doing a setup.com /recovercms which is required for recovering a cluster in an SCR scenario.

Has anyone else experienced this issue?  What solutions do people have other than changing the serialNumber in AD?
Not applicable
Sean...

Your issue is actually a pre-req BPA check that we have an open case on.
Not applicable
Do not startup any exchange service after applied Update Rollup 3.
Not applicable

On my HUB server none of these service will start after installing RU3

anti-spam, edgesync, Transport en Transport Log Search.

Not even after a reboot, not even manually.


Not applicable
Well same here!!
Just installed rollup 3 on two HUB/CAS servers and one node of CCR cluster.

All Exchange services try to start but timeout on the service --> did not respond in a timely fashion.

Any help would be welcome
Not applicable
johnd and den Dave: did you try the .config file workaround?
Not applicable
I had the rollup installed silently.  but it caused boot up errors, when win2K3 is loading it gets stuck @ "loading computer profile" and stays there for about 10-15 mins, after i got it to boot i could not get the services to start.  i tried the ServiceControl.ps1 AfterPatch command, and still no start of services.  so i decided to reinstall the rollup manually.  its been @ "Creating native images for .net assembles.  this process may take an extended period of time." for about an hour now.  How long should i wait for this process to complete?
Not applicable
Roll up 3 seems to have now installed fine, with a wait about 2 hours, but my services will still not start.  i did complete the ServiceControl.ps1 AfterPatch command.  any suggestions?
Not applicable
Transport Service Failes to start and will not start when trying to manually.
Not applicable
After installing this update ALL of our Exchange services (including www, https, iis admin) were disabled. After setting them all back to automatic/manual OWA no longer works.

Thanks!
Not applicable
Using the same account as Exchange 2007 was installed with and having good Internet connectivity (from server fast connection to http://crl.microsoft.com/pki/crl/products/CSPCA.crl) after the rollup 3 was installed we had similar problems - Exchange services would not start.  Un-installed the rollup.  The server is a CAS/HUB role server.  While we had rollup 1 on it we did not have rollup 2.  It is now back to rollup 1.  No interm hotfixes were on the server.

Have not yet tried the config file changes for the "Certificate revocation checks".  Double checked that we had good internet connectivity to http://crl.microsoft.com/pki/crl/products/CSPCA.crl.  
Not applicable
Today I tried the .config workaround.


Since my servers were already at .Net 2.0.50727 I didn't have to apply to hotfix.



Went to BIN or CLIENTACCESS directory and altered all Exchange related config files:


BinEdgeTransport.exe.config


BinExBPA.exe.config


BinExBPACmd.exe.config


BinExTRA.exe.config


BinMicrosoft.Exchange.Cluster.ReplayService.exe.config


BinMicrosoft.Exchange.EdgeSyncSvc.exe.config


BinMicrosoft.Exchange.Monitoring.exe.config


BinMicrosoft.Exchange.Search.ExSearch.exe.config


BinMicrosoft.Exchange.ServiceHost.exe.config


BinMSExchangeMailboxAssistants.exe.config


BinMSExchangeMailSubmission.exe.config


BinMSExchangeTransportLogSearch.exe.config


ClientAccessPopImapMicrosoft.Exchange.Imap4.Exe.config


ClientAccessPopImapMicrosoft.Exchange.Pop3.Exe.config



Where necessary I created the additional config files:


BinMicrosoft.Exchange.AntispamUpdateSvc.exe.config


BinMsExchangeFDS.exe.config


BinMSExchangeTransport.exe.config





Added


<generatePublisherEvidence enabled="false"/>


to each .config file



OR if the files did not exist, created these files with following content


<configuration>


 <runtime>


         <generatePublisherEvidence enabled="false"/>


 </runtime>


</configuration>





Typically a .config file has to be changed or created for each installed Exchange 2007 Service.



Thanks for the tip!! I'm happy it worked!!



Hopefully the next update or rollup will fix this...


Not applicable
Sean van Osnabrugge - we know of this problem but do not have a fix yet. The way to work around it is to remove the UR, run /recoverCMS, and then re-apply the UR once the CMS is back and running.
Not applicable
Already had .NET 2.0.50727, so hotfrix was not needed.
Adapted the .config files and I was able to start the services again.

Thanks!
Not applicable
This solved my problem!
We are using a proxy server, with authentication, so the update could not reach the CSPCA.crl file! I bypassed the proxy and bingo!

I hope this can be af any help to others.

http://support.microsoft.com/kb/944752/

CAUSE
This problem occurs because the affected computer cannot reach the following Microsoft Web site:
http://crl.microsoft.com/pki/crl/products/CSPCA.crl (http://crl.microsoft.com/pki/crl/products/CSPCA.crl)

John

Not applicable
Has anyone deployed Rollup3 without any problems? :)
Not applicable
For us the problem was that email would sit in Outlook users' Outboxes and OWA users' Drafts folders for 30 minutes to a hour or more before finally getting sent. Seven hours on the phone with MS tech support and we couldn't find a cause. We ended up uninstalling Rollup 3 and mail started flowing again. However, now my Apple Mail client cannot connect. (Log in rejected by IMAP4) Oddly enough, the Apple Mail client was the only client in the office that experienced no delays while Rollup 3 was installed. Other than that, installing Rollup 3 fixed everything.
Not applicable
I faced this specific issue with Update Rollup 3 for E2K7 SP1: After applying the Rollup on CAS server role, the "Microsoft Exchange File Distribution" & "Microsoft Exchange Service Host" services fails to start. I failed to understand what could have caused this issue but however I finally did find some workaround to resolve the issue.
Not applicable
Since this is some kind of MS Blog or people who worked/work for Exchange even as VMP. Could someone state if it's a good idea to install the Update Rollup 3 (For SP1) with all the problems or glithces mentioned here.

1) Some Service does no restarte after update
2) HOTFXIES between the major Rollup have to be deinstalled
3) There is some kind of licence server which has to be connected trough or without proxy.

If you have CAS and HUB-MAILBOX. In wich order should the Patch be applyed?

Does this rollup fix any issues in terms of cpu store.exe around 99% while users logon/Logoff with Outlook fatclient? (Mixed mode with Exchange 2003)

Any others issues or important things to take care of?

Thanks in advance.
Not applicable
I'm with Mike. Was this a good idea?  For us......no.  To bad I'm responding after RU 3 removal. By the way we had no problem getting the revocation list.  The services failed to start and threw nothing but generic errors. I will say, however, KB944752 has an interesting title.
Not applicable
Mike,

Seeing that this specific rollup does have security fixes - we definitely recommend that people install it on their servers, yes. There are some "known issues" as we call them, and we have tried to be as clear about them in this post as possible. The situation is not ideal for sure, but we are working to have this resolved in the future in many respects that are not great today.

To address your last question - I am not aware of a specific case of 100% CPU utilization that this fixes... in fact I would really suggest that if you are seeing this - you should call into your support line. We refund the incident case if this is a bug...
Not applicable
I had the rollup come up in the Windows Server 2008 updates. I accepted the install via Windows Update. After the reboot for the windows updates I found that OWA was no longer running (blank), as stated in the blog message.

I have now re-installed the rollup using my admin account and "Run As Admin" and everything is fine again.

It would be nice if MS would NOT push rollups via Windows Updates, if they don't install properly...

Not applicable
Well I tried this rollup, and it hung almost immediately after starting.

STORE hung and wouldn't shut down.  Neither did MAD.  I ended them manually in Processes after failing to do anything for about 5 minutes.  

The rollup then completed.  After an 11 minute reboot everything appears ok, but I will have to wait until tomorrow to see if my Entourage clients are hamstrung or not.
Not applicable
I installed rollup 3 last night, but there is no indication anywhere that it was installed. The only location is in the Application Log. We are running Server 2008, the Rollup 3 isn't listed in the Programs and Features.

When I run the "get-exchangeserver | select admindisplayversion" the build number hasn't changed. Is this by design? Short of documentation, how do you keep track of which rollup has been installed?
Not applicable
To add to my previous entry:

My Entourage clients had no problem connecting the next morning.
Not applicable
This seems trivial compared to all the other issues but I have another. Backup Exec won't work because version #s don't match between the backup server and the exchange server. I've installed rollup 3 to both machines but the 32 bit is the only version # that changed.
Not applicable
Interesting Ron.  I am using Backup Exec 11D on a 32-bit 2003 machine.  I back up the 64-bit Exchange box over the wire, and Thursday night's backup went without a hitch.  

My backup box has a pre-SP1 copy of 32-bit Exchange so I know the version numbers aren't even close.

I do have an Exchange agent installed on the Exchange box, perhaps I don't need Exchange on the backup server at all in that case.

I'd mess with it, but it works.  ;)
Not applicable
Ok, so UR3 installs fine on all our servers in our DEV environment, but come time to patching PROD...well, it breaks our HUB servers like many people have posted.  I have to say this is a very inconsistent patch.



One individual changed the service to logon as Local System, but I've confirmed that the service was set to logon as the local Network Service account prior to the installation of the patch.  I would change the logon method, but I'm afraid of the consequences

that much ensue from doing so (especially since our DEV environment did not require such a change):

http://forums.msexchange.org/m_1800480695/mpage_1/key_/tm.htm#1800480729


Has anyone discovered why this is occuring?  Any solutions besides changing the account which the service logs on as?

Not applicable
Followup to my notes on July 13 in case others having similar issues: All E2k7 SP1 servers now updated ok to Rollup 3.  Despite tested fast access to http://crl.microsoft.com/pki/crl/products/CSPCA.crl we had to use the .config fixes, including ClientAccessPopImapMicrosoft.Exchange.Imap4Service.Exe  and ClientAccessPopImapMicrosoft.Exchange.Pop3Service.Exe (initially I had left off the "Service" portion).
Not applicable
I pushed the rollup to my Exchange 2007 CAS/HUB server (Windows 2008) via WSUS, and got the problems many other report here:

- Blank OWA
- Could not start Transport service on CAS server (I could start it if I disabled the firewall service though)

I removed the update rollup, and installed it manually using the account with admininstrative rights. After that everything works fine.
Not applicable
Ditto here on W2K8 Hub transport servers in our QA environment ... no Exchange services started properly .... I configured the servers to puch out to Internet to access the CRL site and the services still refused to start. I left the server overnite and the next morning all was ok!

MS should pull this hotifx until the issues are resolved IMHO.



Not applicable
So is the version # in EMC supposed to change from 240.6? patch applied ok on two servers but EMC reports 240.6 yet I can see that some issues are fixed so it did install something.
Not applicable
Had the exact same behaviour as SteveH. Does anyone know if installing using Run As Administrator fixes these problems?
Not applicable
Has there been any issue with R3 taking several hours to install?
Not applicable
I am publishing the OWA site (from my CAS which is separated from my MBX), to the Internet through a ISA 2006 SP1 machine. The OWA publishing rule worked just fine before installing Rollup3. After installation of Rollup3, OWA is not accessible externally through ISA anymore (OWA access from the LAN still works).

Logging in ISA 2006 shows that all http requests coming to the OWA site from the publishing rule, now receive a "301 Permanently Moved" response.

Uninstalled the rollup from my CAS, things started working again. Installed it again, same problem. I have decided not to install this rollup on my servers for now.

Has anybody seen this?
Not applicable
Can someone post a URL for the .config fix that is referred to in the comments?  Also, can anyone outline the usefulness of the .config fix - especially since it isn't necessary in some instances.
Not applicable
Installed update rollup 3 today, after rebooting, got OWA blank screen and an error is IE. If you look at details, it shows:


Line: 7

Char: 1

Error: Syntax error

Code: 0

URL:

https://email/owa/auth/logon.aspzx?url-https://email/owa&reason=0


troubleshooted for a while and ended up calling Microsoft PSS XCSI team. We removed the rollup and the problem went away. Rebooted &  Reinstalled rollup and OWA is working fine now. I just wish it didn't take 3 hours for me to figure out this might be the solution

and PSS still wondering why this fixed it.

If anyone wants a log file to help figure it out, let me know.

Version history
Last update:
‎Jul 01 2019 03:39 PM
Updated by: