Maintaining your Exchange Servers with the latest updates is the best practice. Staying up to date with the new builds of any software product is a good idea, because it means you’re receiving the latest bug fixes, security updates, and feature compatibility with any integrated components.
For Exchange Server in particular there are clear reasons to stay up to date:
- Exchange Server 2013 and 2016 use a servicing model of “Cumulative Updates”, and Microsoft will support the latest CU. Support for the N-1 CU runs out 3 months after the release of the latest one. Cumulative updates ship every quarter, which aligns with the 3 month support period. If you’re running N-2 or earlier, you are not running a supported environment. There is an exception for Exchange 2013 CU4, which is also known as Exchange 2013 Service Pack 1, and continues to receive security updates. However, it is well out of date in terms of bug fixes, and you should not deploy that build.
- Exchange Server 2010 Service Pack 3 is the only service pack still supported, under extended support, until 14th January 2020.
- Exchange Server 2007 Service Pack 3 is the only service pack still supported, under extended support until 11th April, 2017.
Besides the supported status of those Exchange versions, Office 365 Hybrid configurations require you to maintain your on-premises servers to at least N-1.
The word “supported” can mean different things in different scenarios, but for this article it means:
- If you call Microsoft with a problem, they will ask you to reproduce the problem on a supported version of the product before they do much else for you. This makes sense as you may see a bug that does not exist in the supported versions.
- Security updates are released only for supported versions of the product. Running unsupported versions puts you at risk due to unpatched security vulnerabilities.
Deploying updates carries risk. Microsoft has released updates in the past that introduced new bugs, but there is also the risk that something unique to your environment will cause an unexpected issue.
Your organization needs to balance the risks of updates with the risks of doing nothing. My view is that you should update, and mitigate the risks through a thorough process of testing, or by using highly available deployments that will not suffer an outage due to an update to a single server. If the pace and risks of updates are too much for you, then you can also consider Office 365.
For more information about keeping your Exchange Servers updated:
- FAQ: In What Order Should You Install Service Packs, Update Rollups, and Cumulative Updates?
- Updated Guidance for Solving Outdated Exchange Server and .NET Framework Versions
- Installing Cumulative Updates for Exchange Server 2016
- Installing Cumulative Updates for Exchange Server 2013
- Servicing Exchange 2013 (Microsoft Exchange Team blog)
- Exchange Server Updates: build numbers and release dates (TechNet)
- How to Install Updates on Exchange Server 2010 Database Availability Groups
- How to Install Updates on Exchange Server 2010 CAS Arrays
- Exchange Server 2013 support lifecycle
- Exchange Server 2010 support lifecycle
- Exchange Server 2007 support lifecycle