The Exchange team re-released Exchange 2010 SP2 rollup update 5 this week, close to a month after its original release. The rollup was pulled a short time after its release due to a database availability group bug.
Exchange 2010 SP1 rollup 8 and Exchange 2007 SP3 rollup 9 were also released. Don’t let the names fool you though; these “rollups” really only address vulnerabilities that can result in remote code execution (though the Exchange 2007 rollup does also remedy a Transport service crash issue). For more information, read Microsoft Security Bulletin MS12-080.
The bigger story here though appears to be the outcry from the Exchange community. Not only have there been numerous rollup update rereleases this year, but customers are angry that the security hotfixes are not separate from the seemingly untrustworthy rollup updates.
(Don’t take my word for it, check the litany of comments here.)
I spoke with several people at the Microsoft Exchange Conference back in September who said they typically wait anywhere from two to nine weeks before downloading and installing a rollup, especially after Microsoft’s past troubles.
But security hotfixes are high priority and shops should download them sooner rather than later. Now, with all the releasing, pulling back and subsequent rereleasing, many IT pros are worried about whether rollups that include the security fixes are free of problems.
What do you think? Should rollups and security hotfixes be independent of each other? Do you have any other comments regarding Microsoft QA? Let me know.