As you might notice, the security fix is made available for the N-1 builds of Exchange 2013 and Exchange 2016. This could imply the issue was addressed in the latest builds of those products. I hope to receive official confirmation on this soon.
The issue is deemed Important, which means organizations are advised to apply these updates at the earliest opportunity. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.
Today, the Exchange Team released the March updates for Exchange Server 2013 and 2016, as well as Exchange Server 2010 and 2007. The latter will receive its last update, as Exchange 2007 will reach end-of-life April 11, 2017.
As announced in December updates, Exchange 2013 CU16 and Exchange 2016 CU5 require .NET 4.6.2. The recommended upgrade paths:
If you are still on .NET 4.6.1, you can upgrade to .NET 4.6.2 prior of after installing the latest Cumulative Update.
If you are on .NET 4.52, upgrade to Exchange 2016 CU4 or Exchange 2013 CU15 if you are not already on that level, then upgrade to .NET 4.6.2, and finally upgrade to the the latest Cumulative Update.
The Cumulative Updates also include DST changes, which is also contained in the latest Rollups published for Exchange 2010 and 2007.
KB4015665 SyncDelivery logging folders and files are created in wrong location in Exchange Server 2016
KB4015664 A category name that has different case-sensitivity than an existing name is not created in Exchange Server 2016
KB4015663 “The message content has become corrupted” exception when email contains a UUE-encoded attachment in Exchange Server 2016
KB4015662 Deleted inline picture is displayed as attachment after you switch the message to plain text in Exchange Server 2016
KB4015213 Email is still sent to Inbox when the sender is deleted from the Trusted Contacts list in Exchange Server 2016
KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013
KB4012994 PostalAddressIndex element isn’t returning the correct value in Exchange Server 2016
Exchange 2013 CU16 fixes:
KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013
Exchange 2010 SP3 RU17 fixes:
KB4014076 Migration ends and errors reported when you on-board or off-board a mailbox through Exchange Online in an Exchange Server 2010 hybrid environment
KB4014075 UNC path does not open in OWA when the path contains non-ASCII characters in an Exchange Server 2010 environment
KB4013917 You cannot search in a shared mailbox through OWA in an Exchange Server 2010 Service Pack 3 (Update Rollup 15 or 16) environment
KB4012911 Culture element is added in the wrong order when you use the ResolveNames operation in EWS in Exchange Server 2010
Exchange 2016 CU5 doesn’t include schema changes, however, Exchange 2016 CU5 as well as Exchange 2013 CU16 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.
When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Do note that upgrading, before installing the Exchange binaries, setup will put the server in server-wide offline-mode.
Using Windows Management Framework (WMF)/PowerShell version 5 on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are allowed to stay at least one version behind (n-1).
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
The order of upgrading servers with Cumulative Updates is irrelevant.
Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.
Today, Cumulative Update 5 for Exchange Server 2013 was released by the Exchange Team (KB2936880). This update raises Exchange 2013 version number to 15.0.913.22.
This Cumulative Update contains the following fixes compared to SP1 (CU4):
2963590 Message routing latency if IPv6 is enabled in Exchange Server 2013
2963566 Outlook Web App accessibility improvement for UI appearance in Exchange Server 2013
2962439 You cannot sync contacts or tasks in Microsoft CRM client for Outlook in an Exchange Server 2013 environment
2962435 CRM synchronization fails if the time zone name of a meeting is not set in an Exchange Server 2013 environment
2962434 Slow performance in Outlook Web App when Lync is integrated with Exchange Server 2013
2958430 “Some or all Identity references could not be translated” error when you manage DAG in Exchange Server 2013 SP1 in a disjoint namespace domain
2957592 IME is disabled in Outlook Web App when you press Tab to move the focus in an email message in Exchange Server 2013
2942609 Exchange ActiveSync proxy does not work from Exchange Server 2013 to Exchange Server 2007
2941221 EWS integration for Lync works incorrectly in an Exchange Server 2013 and 2007 coexistence environment
2926742 Plain-text message body is cleared when writing in Outlook Web App by using Internet Explorer 8 in Exchange Server 2013
2926308 Sender’s email address is broken after importing a PST file into an Exchange Server 2013 mailbox
2925559 Users always get the FBA page when they access OWA or ECP in Exchange Server 2013
2924519 “SyncHealth\Hub” folder is created unexpectedly after installing Cumulative Update 2 for Exchange Server 2013
2916113 Cannot open .tif files from email messages by using Windows-based applications in an Exchange Server 2013 environment
2592398 Email messages in the Sent Items folder have the same PR_INTERNET_MESSAGE_ID property in an Exchange Server 2010 environment
Be advised that this CU includes a Managed Availability probe configuration that may result in the frequently restarting of the Microsoft Exchange Shared Cache Service in some environments. More information, see KB2971467.
Be advised of OAB architectural changes documented here. If you are affected, it is recommended to update CAS servers prior to Mailbox servers.
This Cumulative Update includes schema and AD changes, so make sure you run PrepareSchema / PrepareAD. After updating, the schema version will be 15300.
Note that Cumulative Updates can be installed directly, i.e. no need to install RTM or Service Packs prior to installing Cumulative Updates. Note that once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles. The order of upgrading servers is irrelevant, unlike with previous generations of Exchange.
Finally, and I can’t emphasize this enough: For any Hotfix, Rollup, Service Pack or Cumulative Update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production. When you lack such facilities, hold out a week or two and monitor the comments on the release article or TechNet forum for any issues.
You can download Exchange 2013 Cumulative Update 5 here; UM Language Packs can be found here. More details about these changes, preparing Active Directory or installing this Cumulative Update can be found in the original announcement.