Where can a list be found of all security updates in a CU

%3CLINGO-SUB%20id%3D%22lingo-sub-816113%22%20slang%3D%22en-US%22%3EWhere%20can%20a%20list%20be%20found%20of%20all%20security%20updates%20in%20a%20CU%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-816113%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20patching%20SharePoint%202013%20SP1%20to%20the%20July%209th%20CU.%20We%20have%20a%20very%20specific%20number%20of%20security%20patches%20that%20need%20to%20be%20addressed.%20However%2C%20we%20cannot%20find%20any%20proof%20either%20on%20the%20server%20or%20in%20the%20microsoft%20documentation%20that%20these%20patches%20are%20applied.%3C%2FP%3E%3CP%3ECan%20you%20please%20point%20to%20the%20documenation%20where%20it%20specifically%20states%20that%20the%20following%20updates%20are%20in%20fact%20applied%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E4462202%20Security%20Update%3CBR%20%2F%3E4462143%20Security%20Update%3CBR%20%2F%3EFeb%202019%20SharePoint%20Server%20Update%3CBR%20%2F%3E4462139%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENon%20of%20these%20are%20listed%20in%20either%20SharePoint%2C%20Microsoft%20Updates%20or%20System%20Information.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EThe%20current%20farm%20config%20DB%20is%3A%2015.0.5153.1000%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20note%20that%20the%20kb%20article%20does%20state%20that%20%22Because%20the%20builds%20are%20cumulative%2C%20each%20new%20release%20contains%20all%20the%20hotfixes%20and%20security%20updates%20that%20were%20included%20with%20the%20previous%20Microsoft%20SharePoint%20Enterprise%20Server%202013%20update%20package%20releases.%22%3C%2FP%3E%3CP%3EBut%20we%20need%20evidence%2C%20that%20the%20patches%20are%20indeed%20installed.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20you%20help!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-816113%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E2013%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPowerShell%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-827715%22%20slang%3D%22en-US%22%3ERe%3A%20Where%20can%20a%20list%20be%20found%20of%20all%20security%20updates%20in%20a%20CU%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-827715%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F396309%22%20target%3D%22_blank%22%3E%40JSAUS%3C%2FA%3E%26nbsp%3BI%20amafraid%20this%20is%20the%20best%20we%20can%20get%20%3A(%3C%2Fimg%3E%26nbsp%3B%3CSPAN%3ECumulative%20update%20packages%20for%20Microsoft%20SharePoint%20Foundation%202013%20contain%20hotfixes%20for%20the%20issues%20that%20were%20fixed%20since%20the%20release%20of%20SharePoint%20Foundation%202013.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EI%20think%20that's%20more%20than%20a%20validation%20as%20product%20for%20adding%20the%20past%20hot%20fixes%20as%20well.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-828255%22%20slang%3D%22en-US%22%3ERe%3A%20Where%20can%20a%20list%20be%20found%20of%20all%20security%20updates%20in%20a%20CU%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-828255%22%20slang%3D%22en-US%22%3EAs%20SharePoint%20CUs%20do%20not%20record%20installation%20of%20specific%20non-CU%20fixes%20(e.g.%20an%20August%202019%20CU%20won't%20report%20that%20a%20security%20fix%20from%20July%202019%20has%20been%20installed)%2C%20you%20will%20need%20to%20compare%20the%20binary%20versions%20that%20the%20security%20update%20would%20have%20applied.%20So%20if%20a%20security%20fix%20from%20July%202019%20includes%20Microsoft.SharePoint.dll%20version%2015.0.5nnnn.nnnn%20and%20you%20have%20the%20August%202019%20CU%20that%20installed%20Microsoft.SharePoint.dll%20version%2015.0.5xxxx.xxxx%2C%20then%20you%20know%20you%20have%20the%20security%20fix%20in%20place.%20But%20as%20the%20CUs%20are%20cumulative%2C%20as%20long%20as%20you%20have%20a%20a%20CU%20from%20the%20same%20or%20successive%20month%20installed%2C%20you%20know%20it%20includes%20those%20fixes.%3CBR%20%2F%3E%3CBR%20%2F%3EOr%20tell%20the%20vendor%20performing%20the%20scan%20that%20their%20software%20is%20inadequate%20and%20needs%20to%20stop%20looking%20at%20the%20registry%20as%20'proof'%20that%20any%20patch%20for%20any%20product%20has%20been%20installed.%3CBR%20%2F%3E%3CBR%20%2F%3EBinary%20comparisons%20are%20the%20only%20accurate%20way%20to%20do%20this%2C%20but%20also%20the%20most%20difficult.%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20could%20also%20raise%20a%20case%20with%20Microsoft%20who%20can%20explain%20the%20above%20to%20your%20security%20team%2Fvendor%20performing%20the%20scan%20about%20how%20SharePoint%20updates%20are%20packaged.%3C%2FLINGO-BODY%3E
Occasional Visitor

We are patching SharePoint 2013 SP1 to the July 9th CU. We have a very specific number of security patches that need to be addressed. However, we cannot find any proof either on the server or in the microsoft documentation that these patches are applied.

Can you please point to the documenation where it specifically states that the following updates are in fact applied:

 

4462202 Security Update
4462143 Security Update
Feb 2019 SharePoint Server Update
4462139

 

Non of these are listed in either SharePoint, Microsoft Updates or System Information.


The current farm config DB is: 15.0.5153.1000

 

We note that the kb article does state that "Because the builds are cumulative, each new release contains all the hotfixes and security updates that were included with the previous Microsoft SharePoint Enterprise Server 2013 update package releases."

But we need evidence, that the patches are indeed installed.

 

Thanks for you help!

2 Replies

@JSAUS I amafraid this is the best we can get :( Cumulative update packages for Microsoft SharePoint Foundation 2013 contain hotfixes for the issues that were fixed since the release of SharePoint Foundation 2013.

I think that's more than a validation as product for adding the past hot fixes as well.

As SharePoint CUs do not record installation of specific non-CU fixes (e.g. an August 2019 CU won't report that a security fix from July 2019 has been installed), you will need to compare the binary versions that the security update would have applied. So if a security fix from July 2019 includes Microsoft.SharePoint.dll version 15.0.5nnnn.nnnn and you have the August 2019 CU that installed Microsoft.SharePoint.dll version 15.0.5xxxx.xxxx, then you know you have the security fix in place. But as the CUs are cumulative, as long as you have a a CU from the same or successive month installed, you know it includes those fixes.

Or tell the vendor performing the scan that their software is inadequate and needs to stop looking at the registry as 'proof' that any patch for any product has been installed.

Binary comparisons are the only accurate way to do this, but also the most difficult.

You could also raise a case with Microsoft who can explain the above to your security team/vendor performing the scan about how SharePoint updates are packaged.