News

Exchange 2010 Service Pack 2 Update Rollup 5 v2 Gets Lukewarm Reception

Microsoft released Update Rollup 5 v2 for Exchange 2010 Service Pack 2 on Tuesday, but IT pros don't seem very thrilled.

• By Kurt Mackie
• 12/12/2012

 Microsoft released Update Rollup 5 v2 for Exchange 2010 Service Pack 2 on Tuesday, but based on the skeptical comments that followed Microsoft's notification in an Exchange team blog post, IT pros aren't happy with past back-and-forth fixes associated with Microsoft's update rollup releases. The grumbling goes back to July of 2011, when there was a problem with Update Rollup 4 for Exchange 2010 SP1 that didn't get fixed with a subsequent update release.

One point of contention this time is Microsoft's inclusion of a security fix in the update rollup. In addition to a number of functionality fixes in Update Rollup 5 v2 for Exchange 2010 SP2, Microsoft included a security fix that's described by Knowledge Base article "MS12-80." That security bulletin also was included in Microsoft's December security update, which was released on Tuesday.

"I for one find the product team's decision to fix security vulnerabilities only in Update Rollups completely unacceptable and at odds with many other products in the Microsoft product line," wrote blog reader "Paul Bendall" in the Exchange team blog's comments section. "A security vulnerability should be addressed by a small hotfix that addresses the vulnerability rather than part of a much wider rollup which includes additional functionality and a much broader change to the code base. For those in corporate environments, testing a large rollup is at odds with security patching."

Other Exchange products also received an update rollup on Tuesday with the sole purpose of delivering this MS12-80 security patch, which fixes an Exchange Web document viewer security flaw. Update rollups are available for Exchange Server 2010 Service Pack 1 (called "Update Rollup 8") and Exchange Server 2007 SP3 (known as "Update Rollup 9").

IT pros appear to have good reasons to separate their monthly security patching work from their work in applying Update Rollups. However, Microsoft's own definition of an update rollup seems to permit the addition of a security patch or two.

"An update rollup is a tested, cumulative set of hotfixes, security updates, critical updates, and updates that are packaged together for easy deployment," according to Microsoft's standard terminology definition. "A rollup generally targets a specific area, such as security, or a component of a product, such as Internet Information Services (IIS)."

Update Rollup 5 v2 for Exchange 2010 SP2 contains a laundry list of functionality fixes in addition to the MS12-80 security patch. The list, which appears to contain a fix for the folder archive problem that was problematic with Update Rollup 4, can be found here. If that weren't daunting enough, Microsoft outlines a very detailed protocol checklist to follow before installing any update rollup, which can be read at this page.

IT Pros Express Skepticism
Many of the commenters writing at the Exchange team blog post questioned Microsoft's quality assurance procedures in releasing update rollups. Some suggested they'll just wait a month or more to check for any problems, or that they would stick with the older Update Rollup 3. They also debated whether Microsoft should release security updates at all with update rollups.

Most of the commenters said that Microsoft should separate its security patch releases from update rollups. However, "Phil" was sympathetic.

"On the subject of 'security updates in rollups only,' I have some sympathy with Microsoft on this one," Phil wrote. "It means just one security patch (in the rollup) and not a different patch for every flavour, e.g. one each for SP2, SP2 RU1, SP2 RU2, SP2 RU3, SP2 RU4, SP2 RU4-2, SP2 RU5, and SP2 RU5-2. That's asking for trouble."

However, "Randall Twoman" was unappeased, questioned the Exchange team's competence and was caught up with yet another problem -- upgrade hell.

"Now we find out that we can't buy Exchange 2007 or 2010 SA [Software Assurance] licenses anymore because [Exchange] 2013 has hit RTM," Twoman wrote. "The catch is that we can't implement 2013 until 6 months from now when Microsoft decides to implement a patch that co-exists with their own products."

Microsoft presently is working on Service Pack 3 for Exchange 2010, which will enable it to run on Windows Server 2012. SP3 for Exchange 2010 is expected to arrive in the first quarter of next year. Microsoft has previously indicated that Exchange 2010 SP2 won't be supported on Windows Server 2012, nor will Exchange 2007. In addition, SP3 is needed in environments that mix Exchange 2007 and 2010, according to Microsoft's Exchange 2013 system requirements.

Exchange 2013 was issued as a release-to-manufacturing version in late October to Microsoft's volume licensing customers. It was released as a "general availability" final product on December 3.