Maintaining your Exchange Servers with the latest updates is a best practice. Staying up to date with the new builds of any software product is generally a good idea, because it means you’re receiving the latest bug fixes, security updates, and feature compatibility with any integrated components.
For Exchange Server in particular there are clear reasons to stay up to date:
- Exchange Server 2013 and 2016 use a servicing model of “Cumulative Updates”, and Microsoft will support the latest CU. Support for the N-1 CU runs out 3 months after the release of the latest one. Considering cumulative updates are delivered quarterly, you can generally consider N-1 to be supported. If you’re running N-2 or earlier, you will not be supported. There is an exception for Exchange 2013 CU4, which was also named Exchange 2013 Service Pack 1, and continues to receive security updates. However, it is well out of date in terms of bug fixes, and shouldn’t be used.
- Exchange Server 2010 Service Pack 3 is the only service pack still supported, under extended support, until 14th January 2020.
- Exchange Server 2007 Service Pack 3 is the only service pack still supported, under extended support, until 11th April 2017.
In addition to the supported status of those Exchange versions, Office 365 Hybrid configurations require you to maintain your on-premises servers to at least N-1.
The word “supported” can mean different things in different scenarios, but for the purposes of this article it means:
- If you call Microsoft with a problem, they will ask you to reproduce the problem on a supported version of the product before they do much else for you. This makes sense, as you may be seeing a bug that does not exist in the supported versions.
- When security updates are released, they are only released for supported versions of the product. Running unsupported versions puts you at risk due to unpatched security vulnerabilities.
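The Cumulative Update support rule described above (latest CU supported, N-1 supported until 3 months after the latest release, N-2 or earlier unsupported) can be checked against a server inventory. The following PowerShell is an added example, not code from the original article or from Microsoft. The function name, CU names, release dates and server names are all constructed for illustration, and the Exchange 2013 CU4 (SP1) exception is not modelled.

```powershell
# Added example. All CU names, dates and server names are constructed sample data.
function Get-CuSupportStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Releases,    # objects with Name and Released
        [Parameter(Mandatory)] [string]   $InstalledCu,
        [datetime] $AsOf = (Get-Date)
    )
    # Only CUs already released on the evaluation date count, newest first.
    $ordered = @($Releases | Where-Object { $_.Released -le $AsOf } |
                 Sort-Object Released -Descending)
    $names = @($ordered | ForEach-Object { $_.Name })
    $behind = [array]::IndexOf($names, $InstalledCu)    # 0 = latest, 1 = N-1, ...
    if ($behind -lt 0) { throw "Unknown CU '$InstalledCu'" }

    # N-1 remains supported for 3 months after the latest CU was released.
    $graceEnd = $ordered[0].Released.AddMonths(3)
    if ($behind -eq 0) {
        $status = 'Supported (latest)'
    } elseif ($behind -eq 1 -and $AsOf -le $graceEnd) {
        $status = 'Supported (N-1) until {0:yyyy-MM-dd}' -f $graceEnd
    } elseif ($behind -eq 1) {
        $status = 'Unsupported (N-1, grace period ended)'
    } else {
        $status = "Unsupported (N-$behind)"
    }
    [pscustomobject]@{ Cu = $InstalledCu; Behind = $behind; Status = $status }
}

# Constructed release history for one Exchange version (not real release dates).
$releases = @(
    [pscustomobject]@{ Name = 'CU-A'; Released = [datetime]'2015-12-15' },
    [pscustomobject]@{ Name = 'CU-B'; Released = [datetime]'2016-03-15' },
    [pscustomobject]@{ Name = 'CU-C'; Released = [datetime]'2016-06-21' }
)

# Constructed inventory. In a real environment the installed build comes from
# Get-ExchangeServer (AdminDisplayVersion) and is mapped to a CU name using
# Microsoft's published build number list.
$inventory = @{ 'EXCH01' = 'CU-C'; 'EXCH02' = 'CU-B'; 'EXCH03' = 'CU-A' }

foreach ($server in ($inventory.Keys | Sort-Object)) {
    $result = Get-CuSupportStatus -Releases $releases `
                                  -InstalledCu $inventory[$server] `
                                  -AsOf ([datetime]'2016-08-01')
    '{0}: {1} -> {2}' -f $server, $result.Cu, $result.Status
}
```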
Deploying updates does carry some risk. Microsoft has released updates in the past that introduced new bugs, but there is also the risk that something unique to your environment will cause an unexpected issue.
Your organization needs to balance the risks of updates with the risks of doing nothing. My view is that you should definitely update, and mitigate the risks through a thorough process of testing, or by using highly available deployments that will not suffer an outage due to an update to a single server. If the pace and risks of updates are too much for you, then you can also consider Office 365.
For more information about keeping your Exchange Servers updated:
- Installing Cumulative Updates for Exchange Server 2016
- Installing Cumulative Updates for Exchange Server 2013
- Servicing Exchange 2013 (Microsoft Exchange Team blog)
- Exchange Server Updates: build numbers and release dates (TechNet)
- How to Install Updates on Exchange Server 2010 Database Availability Groups
- How to Install Updates on Exchange Server 2010 CAS Arrays
- Exchange Server 2013 support lifecycle
- Exchange Server 2010 support lifecycle
- Exchange Server 2007 support lifecycle