The minimum supported patch level for the SharePoint 2013 product family and for SharePoint Server 2016 has changed recently.
- SP2013: Minimum supported patch level is now April 2018 CU
- SP2016: Minimum supported patch level is now May 2018 CU
Of course, we recommend evaluating and installing a more current CU.
See here for more details:
Permalink
Which patch level is required to be protected against the recently announced SharePoint exploits?
https://www-zdnet-com.cdn.ampproject.org/v/s/www.zdnet.com/google-amp/article/microsoft-sharepoint-servers-are-under-attack/
Permalink
April CU
Permalink
Hi,
Does this supportability mean that I can’t install April 2019 CU on, for example, a January 2017 farm, or is it just for Microsoft support cases?
Permalink
Hi,
currently it is only for Microsoft support cases but that might change in the future.
Cheers,
Stefan
Permalink
The Microsoft article on the vulnerability (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604) seems to mention the March 2019 CU (at least for all the versions of SP I care about: 2013, 2016 and 2019). Is April actually needed or just your recommendation?
Permalink
Hi Ben,
for this specific issue March should be sufficient, but due to other security fixes released in April we recommend installing the April CU.
Cheers,
Stefan
Permalink
Do we need to install the April CU if we already installed the April security update that is in the CU?
Thanks,
Tony B.
Permalink
Hi Tony,
I assume you are talking about April 2018 CU and April 2018 security fixes for SharePoint Server 2013.
The reason is that SharePoint Server 2013 consists of more than 30 independent patchable components. Security fixes only patch those components which contain vulnerabilities.
In April 2018 we fixed 5 of these 30+ components (see here for details: https://blog.stefan-gossner.com/2018/04/10/sharepoint-security-fixes-released-with-april-2018-pu-and-offered-through-microsoft-update/)
The other components are on patch levels older than April 2018 CU and not on a supported patch level.
Cheers,
Stefan
Permalink
Hi Stefan,
Sorry for not including the year. I was referring to the April 2019 CU and April 2019 security update (PU?) that patches CVE-2019-0604 security advisory. Does the April 2019 CU include a patch for CVE-2019-0604 that wasn’t included in the April 2019 PU or security patches for all SharePoint Servers?
Thank you,
Tony B.
Permalink
No. All Security Fixes are included in the PU.
Permalink
Hi Stefan,
To address CVE-2019-0604 on our SP2013 server, do you recommend to apply security patch kb4462202 & kb4462143 or directly apply 2019 May PU KB4464563? I assume the latter also fixes the CVE-2019-0604.
In addition, what is the difference between the KB4464563 listed on https://docs.microsoft.com/bs-latn-ba/OfficeUpdates/sharepoint-updates?toc=/sharepoint/spstoc/toc.json#sharepoint-2013-update-history and the KB4464564 listed on your blog https://blog.stefan-gossner.com/2019/05/14/sharepoint-security-fixes-released-with-may-2019-pu-and-offered-through-microsoft-update/. Both show May 2019 PU or CU?
Thanks
Ming
Permalink
Hi Ming,
it does not matter if you are applying the individual fixes for CVE-2019-0604 or May CU. The fix is in both of them.
In general we recommend installing the CU rather than the individual fixes as it ensures that the farm has a consistent patch level.
4464564 is a security fix which only updates the SharePoint Foundation component within SharePoint server. This is one single component of the 30+ components SharePoint consists of.
4464563 is the Uber package for May CU which includes the latest fixes for all 30+ components of SharePoint.
Cheers,
Stefan
Permalink
Hi Stefan,
Thank you for your prompt response. It is really helpful. I still have some further questions.
Can I assume both KB4464563 (Uber CU) and KB4464564 (PU?) contain the fix for CVE-2019-0604? Although 4464564 only updates one single component, it does contain all the security fixes.
Based on my own experience, I know that the latest CU sometimes introduces other issues. That is why I am reluctant to apply the latest CU. My SP2013 farm is currently on Service Pack 1. In order to reach the supported patch level, I should apply April 2018 Uber CU – KB4018348 and also apply both kb4462202 & kb4462143 security updates to fix CVE-2019-0604 for minimum patching, or directly apply May 2019 Uber CU – KB4464563 to reach both goals. May 2019 CU – KB4464563 has just been released, while April 2018 CU – KB4018348 has been tested for a year. From a production farm stability perspective, do you think the former way is safer? My thinking is based on the comment in your blog. You did mention “CUs should only be installed to resolve specific issues fixed with the CUs as mentioned in each CU KB article: ” in your blog https://blog.stefan-gossner.com/2013/03/21/common-question-what-is-the-difference-between-a-pu-a-cu-and-a-cod/. Am I correct in thinking that the former way of patching is the better practice?
Really appreciate your input.
Ming
Permalink
Hi Ming,
your assumption is not correct. 4464564 patches only the STS component of SharePoint Server. That is the same component previously patched by 4462143, and the fix for 4462143 is included in 4464564. But 4462202 patches the coreserverloc component, which is not included in 4464564.
The blog post you quoted was from 2013. Meanwhile the recommendation has changed as we no longer release service packs. CUs are the nearest we have to service packs. It is recommended to apply CUs every couple of months. It is required to install them at least once a year.
I understand that you are reluctant to apply a CU just days after it was released. But you could apply April 2019 CU, which fixes CVE-2019-0604 and which has been out for a month already, and just install 4464564 on top to address the May vulnerability.
Cheers,
Stefan
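
The replies above explain that security fixes patch individual components (STS, coreserverloc, ...) while the Uber CU covers all 30+ of them, so a farm can hold one fixed component while others lag behind. The following is an added example, not part of the thread and not Microsoft's own tooling: it lists the version of every patchable unit per server through the SharePoint server object model and flags units below a chosen build. `$MinimumBuild` is a placeholder you must set from the KB article of the CU you treat as your baseline; the page does not give build numbers for the minimum supported CUs.

```powershell
# Added example: per-component patch inventory for a SharePoint farm.
# Run in the SharePoint Management Shell on a farm server.
param(
    # Placeholder: build number of the CU you use as baseline (from its KB article).
    [Parameter(Mandatory = $true)]
    [version]$MinimumBuild
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farm = Get-SPFarm
$productVersions = [Microsoft.SharePoint.Administration.SPProductVersions]::GetProductVersions($farm)

$report = foreach ($server in (Get-SPServer | Where-Object { $_.Role -ne 'Invalid' })) {
    $serverInfo = $productVersions.GetServerProductInfo($server.Id)
    if (-not $serverInfo) { continue }   # hosts without SharePoint binaries, e.g. SQL Server

    foreach ($productName in $serverInfo.Products) {
        $product = $serverInfo.GetSingleProductInfo($productName)

        foreach ($unitName in $product.PatchableUnitDisplayNames) {
            foreach ($unit in $product.GetPatchableUnitInfoByDisplayName($unitName)) {
                # A unit that never received a patch only reports its base version.
                $current = if ($unit.LatestPatch) { $unit.LatestPatch.Version } else { $unit.BaseVersion }

                [pscustomobject]@{
                    Server    = $server.Address
                    Product   = $productName
                    Component = $unit.DisplayName
                    Version   = $current
                    BelowMin  = ([version]$current -lt $MinimumBuild)
                }
            }
        }
    }
}

# Flagged units first; the same component should show the same version on every server.
$report | Sort-Object BelowMin -Descending | Format-Table -AutoSize
```

Treat flagged units as candidates for review rather than proof of an unsupported state: a CU does not necessarily ship a new build of every component, so a unit can be current while reporting a lower number than the CU's farm build.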
Permalink
Hi Stefan,
Does April 2019 CU (Uber) KB4464514 contain both 4462202 and 4462143, or just 4462202 and not 4462143?
Is the reason to add May 2019 PU KB4464564 for 4462143, or just for some new security updates that are irrelevant to CVE-2019-0604 if 4462143 is already included in April CU?
Sorry for so many questions. Thank you for your time.
Ming
Permalink
Of course it contains all security fixes released up to April CU. So both are included.
4462143 was released in February. So it was previously already included in February CU, March CU and April CU. No need to install May CU just to get this fix.
Permalink
Hi Stefan,
Your blog is cool. I am requesting your advice for a SharePoint 2013 farm patch; my last patch level is 15.0.5207.1000.
However, there are recent patches available for SP Server 2013 – 15.0.5337.1000 (KB number KB 4504732). Would this be the best patch that I can roll up, or do you suggest any other best patch level?
Please let me know the sequence order, so I can apply the patches to my 3 servers one by one. I have one WFE server, APP server, DB server and Office Online server.
Your help is much appreciated, Many Thanks in advance.
Arun
Permalink
Hi Arun,
we always recommend evaluating the latest fixes as soon as they are released, as they also include fixes for security vulnerabilities.
During patching of a SP2013 farm you will always have a downtime. Zero downtime patching is only supported with SP2016 and SP2019.
You need to install the patch on all machines. The recommendation is to start with the machine hosting the Central Administration server.
Afterwards you need to run the configuration wizard. First run it on a single server to update the databases. Afterwards you can run it on the remaining servers in parallel.
Patching of Office Web Apps server can be done independently from the SharePoint server patching.
See here for details:
https://docs.microsoft.com/en-us/webappsserver/apply-software-updates-to-office-web-apps-server
Cheers,
Stefan
Permalink
Hi Stefan,
Thank you so much. As a 2013 farm has downtime during patching, is it mandatory to shut down any servers within the farm before patching, such as SQL Server or Office Online Server? If so, is there any order in which I should be shutting down the servers sequentially, doing the patch installation and then the configuration wizard, or can the CU patch be done without shutting servers down?
Many Thanks in advance.
Permalink
Hi Arun,
there is no need to do that.
Cheers,
Stefan