The Microsoft Exchange Team has announced new update releases for all current versions of Exchange Server. The updates include:

Also included are UM Language Packs for Exchange 2013 CU7.

Important Security Update MS14-075

Included in these update releases is the fix for MS14-075 which resolves four vulnerabilities relating to Outlook Web App, the worst of which could allow elevation of privilege.

The fix is included with Exchange 2010 SP3 UR8 and Exchange 2007 SP3 UR15, and is available as a standalone security update for Exchange 2013 SP1 and Exchange 2013 CU6.

The fix is not provided for any other versions of Exchange Server which may be vulnerable, as they are unsupported.

Improvements in Exchange Server 2013 Cumulative Update 7

Microsoft calls out the following improvements in CU7 for Exchange 2013:

Exchange Server 2013 Cumulative Update 7 includes updates which make migrating to Exchange Server 2013 easier. These include:

  • Support for Public Folder Hierarchies in Exchange Server 2013 which contain 250,000 public folders
  • Improved support for OAB distribution in large Exchange Server 2013 environments

Customers with Public Folders deployed in an environment where multiple Exchange versions co-exist will want to read Brian Day’s post for additional information.

Improvements in Backup for Exchange Server 2013

CU7 also included a minor improvement (what we might also consider a bug fix) in the area of backup. In Microsoft’s words:

We encourage all customers who backup their Exchange databases to upgrade to Cumulative Update 7 as soon as possible and complete a full backup once the upgrade has been completed. These improvements remove potential challenges restoring a previously backed up database.

This sounds a bit scary (nobody wants to hear that their backups may be unusable for restores) but Microsoft assures us that the condition they are referring to is an edge case only, identified in internal testing, and has not been known to impact production customers.

Obviously you should still follow their advice and take a full backup after your CU7 deployment.

Deploying the Latest Exchange Server Updates

For Exchange Server 2013:

For Exchange Server 2010:

Recommendations and Known Issues

I frequently receive questions about whether to wait or deploy when new updates are released. My general rule is to wait two weeks to allow time for testing and reviewing any other real world feedback from others, unless circumstances require an urgent deployment (eg for critical security or bug fixes).

  • Exchange Server 2013 environments – Important security update should be reviewed. Backup issue should be taken seriously if no restore tests have been performed in your environment previously.
  • Exchange Server 2013/Office 365 Hybrid – Refer to notes above for Exchange 2013 concerns. Office 365 Hybrid customers are required to deploy the most current CU release on-premises.
  • Exchange Server 2010 environments – Important security update should be reviewed. Ensure you have the correct version, as this update was withdrawn then re-released. The updated RU8 package is version number 14.03.0224.002.
  • Exchange Server 2007 environments – too early to tell. Important security update should be reviewed. Recent update quality has been good. Test and deploy.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for


  1. Daniel

    I appreciate the help. That bug is the type of thing I was talking about. It looks like mine are all FrontendT’s except for the built in Client Proxy and Default.

    I am going to go to 8 and skip the snapshots. Hopefully all goes well.

  2. Daniel

    I have 2013 CU3 installed at my site. I went through a bunch of fun when I went from CU2 to CU3 because of the security patch that hoses everything. Since then I have been hesitant to update. Should I go from CU3 to CU8 or bridge the gap and go to CU6 first? I am going to take snapshots of the AD and Exchange Server, Screenshots of all custom settings in ECP, and make sure I have a good backup. My schema changes are already in place since I setup CU2 to start with and I plan to use just the Setup.exe to do all the work for me.

    Thanks for your help in advance.


    1. Avatar photo
      Paul Cunningham

      There’s no advantage to only going to CU6.

      Snapshots are useless since you can’t use snapshots to recover these servers anyway.

      Any server customizations are wiped by any CU, so you should always have those documented and if possible script them to re-apply them easily.

      1. Daniel

        VMware snapshots that revert both the AD and Exchange back to an earlier date would not get me back to the state before upgrade?

        I am going to have a good backup in place. If it were to fail my option would be to blow away exchange and set it all back up using my copied ECP settings + mounting my copy of the database?

        Could I just go to CU7 in that case and mount my CU3 database or would I have to go to CU3 and then upgrade again?

        Any known gotchas that will fail the update like the CU2 security update bug?

  3. TinMan

    Can I update Cumulative Update 7 directly to Exchange server 2013 RTM? Schema Version 15137?

  4. Daniel Nkuna

    from our environment we are still on freeze period will give feedback after the 12th of January immediately after installing the update

  5. Jamie

    Yes I’m also wondering if this update will break anything. My boss wants me to install it, but I don’t want to lose my job 😉

    1. Bill Bowling

      It works OK on my exchange servers.


  6. Frederic Slomka

    Is the Cumulative Update 7 considered as “Stable”?

  7. Daniel Nkuna

    Thanks Paulk for your recent update.i hope the update won’t be recalled

  8. Bill Bowling

    Should I un-install Rollup 8 for exchange 2010? I have not seen any problems yet.


Leave a Reply