News

Update Flaw in Microsoft Exchange Server 2010 SP1 Explained

• By Kurt Mackie
• 07/28/2011

Microsoft shed some light on Wednesday on what caused the problem and why the Exchange Server 2010 Service Pack 1 Update Rollup 4 (RU4) was pulled.

IT pros who have downloaded RU4 should not apply it, Microsoft has advised. Those who did apply this rollup should contact Microsoft Customer Support to get an "Interim Update." The problem, in which folder data doesn't copy over into Outlook after applying the rollup, will be fixed in RU5, which Microsoft expects will be available in August.

The RU4 flaw came about after Microsoft attempted to address customer requests to make deleted public folders recoverable, Microsoft has explained. However, it's not clear why Microsoft might add a new feature to a rollup. What's considered new in a rollup seems to be a murky area. Microsoft's explanation posted on Wednesday included a comment from one reader stating that "I have generally followed the idea that update rollups should be a collection of bug fixes and should NEVER introduce 'new features'...save new features for the service packs."

Here is Microsoft's definition of an "update rollup" (possibly equivalent to a "rollup update"): "An update rollup is a tested, cumulative set of hotfixes, security updates, critical updates, and updates that are packaged together for easy deployment. A rollup generally targets a specific area, such as security, or a component of a product, such as Internet Information Services (IIS)."

Microsoft defines a "hotfix" in this way: "A hotfix is a single, cumulative package that includes one or more files that are used to address a problem in a product and are cumulative at the binary and file level. A hotfix addresses a specific customer situation and may not be distributed outside the customer's organization."

In any case, the problems with RU4 arose because code was removed that turned out to be still needed, according to Kevin Allison, general manager of Exchange customer experience at Microsoft. Exchange 2010 uses a new feature called "RPC [remote procedure call] client access," which functions as the messaging application programming interface (MAPI) for Outlook e-mail clients. With Exchange 2007 and Exchange 2010, Outlook clients are directed away from the Information Store and toward the RPC Client Access service to form connections. Code added to the Exchange 2003 Information Store was mistakenly thought to be legacy code, so it wasn't added to Exchange 2010. The removal of that code led to the RU4 flaw.

"As part of our investigation, we discovered that there was some specific code added to the Exchange 2003 Information Store to handle the procedure call from Outlook using the extra flag," Allison stated. "This code was also carried forward into Exchange 2007. But when the Exchange team added the RPC Client Access service to Exchange 2010, that code was not incorporated into the RPC Client Access service because it was mistakenly believed to be legacy Outlook behavior that was no longer required. That, unfortunately, turned out not to be the case."

The Exchange team uses more than 100,000 automated tests to validate products before shipping, Allison explained, along with manual validation tests if required. RU4 passed multiple copy and move tests, but the tests were not using Outlook's procedure call. Allison said that the Exchange team is now working with its counterparts on the Outlook side "to use their automated test coverage." Microsoft is also tightening up risk assessments associated with implementing customer-requested changes, he added.