Why MS Exchange Security Updates come in pair?

Question

I need to install this security update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24463 on Windows Server 2016.

Why there are two items for Windows Server 2016? Should I install only Update 22 because it includes Update 21?

If I need to install both, should I install first Update 21 then Update 22? More in general why do these patches come in pair?

Release Date    Product Impact  Severity    Article Download    Details

Mar 8, 2022     Microsoft Exchange Server 2019 Cumulative Update 11 Spoofing    Important   5012698 Security Update CVE-2022-24463
Mar 8, 2022     Microsoft Exchange Server 2016 Cumulative Update 22 Spoofing    Important   5012698 Security Update CVE-2022-24463
Mar 8, 2022     Microsoft Exchange Server 2019 Cumulative Update 10 Spoofing    Important   5012698 Security Update CVE-2022-24463
Mar 8, 2022     Microsoft Exchange Server 2016 Cumulative Update 21 Spoofing    Important   5012698 Security Update CVE-2022-24463

score 2 · Accepted Answer · answered Mar 09 '22 at 11:08

2

Regarding Exchange, Microsoft supports the two latests CUs. At this time, the latest Exchange 2019 CU is CU11, therefore, Microsoft provides Security Updates for CU11 and CU10.

So:
If you are running Exchange 2019 CU11, then install Security Update For Exchange Server 2019 CU11 (KB5012698)

If you are running Exchange 2019 CU10, then install Security Update For Exchange Server 2019 CU10 (KB5012698)

Learn more about Exchange Server Updates here: Why Exchange Server updates matter - Microsoft Tech Community

Overview of CU and SU for Exchange 2019

answered Mar 09 '22 at 11:08

Swisstone

6,357
7
21
32

How do I check what CU I am currently running? – abenci Mar 09 '22 at 15:26
1

@abenci there is a procedure here: https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2016 – Swisstone Mar 09 '22 at 15:54

Why MS Exchange Security Updates come in pair?

1 Answers1