Exchange 2007 SP3 RU17 – what you need to know

A total of 17 update rollups… imagine that, 17! That’s a lot of RUs for Exchange 2007, but that’s where we are with the most recent release of RU17 for Exchange 2007 Service Pack 3 that came out in June. For those of you still managing Exchange 2007 servers in your environment, you may want to just run out and grab the latest RU now, which you can do from http://www.microsoft.com/downloads/details.aspx?FamilyID=549f3488-98d9-4475-b7f8-7d4de68c325d. But before you do, there’s some things you ought to know about to ensure you have as smooth an install as possible.

2003 is unsupported

This should come as no surprise, but of course, since Windows 2003 is end of life, this RU is not supported on 2003, even though Exchange 2007 SP3 is. If you still have any Exchange 2007 servers running on Windows 2003, it is way past time you retired those boxes.

Perform a full backup

I’d say this should go without saying, but actually it really should be said. Perform a full backup of the Exchange databases, the system state, and all custom settings (see next section) before you begin to deploy RU17.

Things you will lose and must redo

Deploying an RU on Exchange 2007 can overwrite/undo customizations you have put into place. Make sure you backup or make a copy or an export of the following, so you can reapply them after you reboot.

• Outlook Web Access customized web pages
• Customized RPC Proxy settings

Internet access should be permitted

Like any other RU, Windows will attempt to verify the CRL for the code-signing certificate used to sign RU17. If your Exchange servers cannot access the CRL endpoint over TCP 80, the install will take an inordinately long time to install as each CRL check times out. I’m not going to tell you how to bypass that, as in my opinion, bypassing certificate checking is lunacy. If you really want to do that, go Bing “Check for publisher’s certificate revocation” to see how to turn it off, but then turn in your ‘sekuritah’ card, because disallowing CRL checking in the name of security is like holding an AA meeting in a bar. You’re doing it wrong.

Disable antivirus software

Most antivirus software can interfere with, or even cause applying an RU to fail. Disable antivirus software before you begin the install. Just make sure you remember to re-enable it after you are done.

Uninstall Interim Rollups

For starters, if you have installed any interim rollups, uninstall them before you try to install RU17 or else it will fail. The easiest way to do this is to go into Control Panel, Add/Remove Programs, Installed Updates, and sort by name. If you see “Interim Update for Exchange Server 2007” uninstall it.

Installation order

Start at the edge and work your way inward; edge, CAS, Hub Transport, Mailbox, Unified Messaging. If you are doing CAS-CAS proxying, deploy to the Internet facing CAS first. If you are running clustered mailboxes, you must fail over the services to one node while you apply the RU to the other, then complete and failback before you update the other node. See https://technet.microsoft.com/en-us/library/bb676559(v=exchg.80).aspx for more on this.

What this RU resolves

For all that work, this RU is actually pretty small if you are current through RU16. Only one additional issue is resolved, KB 3057222 “InvaIidOperationException” error and cannot open digitally signed or NDR messages in FIPS-enabled Exchange Server 2007.

Once installed and reboots complete, run your testing scripts to ensure all services are back up and running, and you’re done. Well, at least for now. This is where I remind you that the 2007 in Exchange 2007 means it first shipped almost 8 years ago, and sometime this year will be considered the N-3 platform! True, the support lifecycle for Exchange 2007 does not end until March 11, 2017 but it is in extended support now, and you will not be able to directly upgrade your Exchange org from 2007 to 2016. If you are considering that as your next platform, you’re in for a nasty double-hop upgrade. You can go from 2007 to 2013, and that may be what you want to do, which is fine, but better for you to start now, then to wait until 2017!