Applies to: Exchange Server 2007 SP3
Topic Last Modified: 2010-03-29

This topic describes how to deploy the latest service pack or update rollup for Microsoft Exchange Server 2007. Service packs and update rollups are part of the servicing strategy for Exchange 2007. They provide an effective and easy-to-use method to distribute Exchange 2007 fixes and Exchange 2007 modifications. We recommend that you install the latest service pack and update rollup to keep the product up to date.

Planning to Deploy the Latest Service Pack or Update Rollup

The way that Exchange 2007 updates are delivered differs from the way that earlier versions of Exchange are serviced. The new service method offers many advantages over earlier methods. Before you install an Exchange 2007 service pack or update rollup, we recommend that you review the Exchange 2007 Servicing topic. This topic contains more information about the updates that are included in a service pack or update rollup, and the methodology behind the Exchange update process.

Additionally, verify that your account has the appropriate permissions to install a service pack or update rollup. When you install an update rollup, the account that you use must be a member of the Local Administrators group and have permission to read Active Directory on the Exchange object. The account must also have server-level permissions. This is because the update program must determine which server roles are installed on the server. If the account does not have the required permissions, Outlook Web Access may not be updated correctly.

Note:
Applying service packs and update rollups to clustered Mailbox servers requires specific planning and application steps. For more information about how to apply service packs to Exchange 2007 clustered Mailbox servers, see Upgrading Clustered Mailbox Servers to Exchange 2007 SP1 or SP2. For more information about how to apply update rollups to Exchange 2007 clustered Mailbox servers, see Applying Exchange 2007 Update Rollups to Clustered Mailbox Servers.

You can use the following list as a pre-deployment checklist to help you deploy an Exchange 2007 service pack or update rollup:

  1. Determine the service pack level of Exchange.

    Update rollups are service pack dependent. For example, an Update Rollup 5 package is available for Exchange 2007 and for Exchange 2007 Service Pack 1. To determine the service pack level of Exchange, examine the ExchangeVersion property. For more information about how to view the ExchangeVersion property and about the build number that is associated with each Exchange version, see Exchange Server 2007: Platforms, Editions, and Versions.

  2. Determine which update rollup packages are installed on the computer.

    Installed update rollup packages appear in the Add or Remove Programs dialog box in Control Panel. To see the list of installed updates on Windows Server 2003, you must click to select the Show updates check box. On Windows Server 2008, you must click View installed updates. Update rollup packages appear as "Update Rollup N for Exchange Server 2007 KBNNNNNN." You can use this information to help determine whether any update rollup packages are installed on the computer.

  3. Determine whether any interim updates are installed on the computer.

    The Exchange 2007 servicing strategy allows for out-of-band fixes for certain Exchange issues. These fixes are known as interim updates. The issue or issues that an interim update resolves may be fixed in a later update rollup package. Before you install an update rollup package or a service pack, you must remove any interim updates from the computer. Interim updates appear in the Add or Remove Programs dialog box in Control Panel. These updates appear as "Interim Update for Exchange Server 2007 KBNNNNNN."

    Note:
    You can remove the interim updates on a per-computer basis. You do not have to remove all the interim updates from all the computers in the organization before you install an update rollup or a service pack.
  4. Locate addressed interim updates.

    Examine any interim updates to determine whether they are addressed in the update rollup or service pack that you plan to install. To do this, examine the Microsoft Knowledge Base article that corresponds to the interim update.

    • If the Knowledge Base article mentions that the issue is resolved in the update rollup package or service pack that you plan to install or in an earlier update rollup package or service pack, you can remove the interim update and then install the update rollup or service pack without the risk of experiencing the particular issue that the interim update resolves. In this scenario, you do not have to obtain a replacement interim update.

    • If the Knowledge Base article does not mention that the issue is resolved in the update rollup package or service pack that you plan to install, you must obtain a replacement interim update from Microsoft Customer Support Services (CSS). In this scenario, you must remove the interim update, install the particular update rollup package or service pack, and then install an interim update that is appropriate for the update rollup or service pack level of the computer.

    Important:
    Interim updates are created for a particular Exchange build. Therefore, an interim update that is suitable for Exchange 2007 Update Rollup 5 is not suitable for Exchange 2007 SP1 Update Rollup 6. You must contact CSS to obtain an interim update that is appropriate for the particular Exchange build that you are running. If the issue that the interim update resolves is fixed in the particular update rollup or service pack that you install, you do not have to obtain and install a replacement interim update.
  5. Obtain the latest update rollup package.

    For information about how to obtain the latest update rollup package that is available for the intended service pack level of the Exchange system, see How to Obtain the Latest Service Pack or Update Rollup for Exchange 2007. After you install a service pack, you should install the appropriate update rollup for that service pack. For example, if you are running Exchange 2007 with Update Rollup 5, and you install Exchange 2007 SP1, we recommend that you obtain the latest update rollup package for Exchange 2007 SP1.

    Note:
    Although you could install the same update rollup package level as was installed on the earlier Exchange build, we strongly recommend that you install the latest update rollup package that is available for the service pack level of Exchange. This step makes sure that you benefit from the latest fixes for Exchange 2007.
  6. Verify that the common language runtime (CLR) supports the generatePublisherEvidence setting.

    When you install an update rollup package on a computer that is running a Microsoft .NET Framework build that does not support the generatePublisherEvidence setting, certain Exchange services may not start. If you are running the .NET Framework 2.0, install one of the following software updates:

Important Considerations

The following sections contain important items to consider before you deploy an update rollup package or service pack in an organization.

When Exchange cannot connect to the Internet

When you install an update rollup package or a service pack, Exchange tries to connect to the certificate revocation list (CRL) Web site.

If Exchange cannot connect to the CRL Web site, you may experience the following symptoms:

  • The installation takes a long time to complete.

  • You receive the following message during the installation:

    Creating native images for .Net assemblies.

This issue occurs because Exchange tries to examine the CRL to verify the code signing certificate each time that Exchange compiles an assembly into managed code. When Exchange is not connected to the Internet, each CRL request must time out before the installation can continue.

To work around this issue and to reduce installation times, turn off the Check for publisher’s certificate revocation option on the server that is being upgraded. To do this, follow these steps.

Note:
The Check for publisher's certificate revocation option is set on a per-account basis.
  1. Start Internet Explorer.

  2. On the Tools menu, click Internet Options.

  3. Click the Advanced tab, and then locate the Security section.

  4. Click to clear the Check for publisher’s certificate revocation check box, and then click OK.

  5. After the update rollup installation is complete, turn on the Check for publisher’s certificate revocation option.

For more information, see Microsoft Knowledge Base article 971445, Generating NGEN images takes longer than expected.

Outlook Web Access Customizations

When you apply a service pack or an update rollup package, the update process may update the Logon.aspx file. If you have modified the Logon.aspx file, the file cannot be updated successfully. Therefore, Microsoft Office Outlook Web Access may not be updated correctly. In this scenario, after the update process is finished, Outlook Web Access may display a blank page.

To work around this issue, rename the Logon.aspx file before you apply the service pack or update rollup. Then, after you apply the update, you must re-create the Outlook Web Access customizations in the Logon.aspx file.

We recommend that you make a backup copy of any customized Outlook Web Access files before you apply a service pack or update rollup. For more information about Outlook Web Access customization details, see Introduction to Outlook Web Access Customization.

For more information about how to create Outlook Web Access themes, see How to Create a Theme for Outlook Web Access.

CAS-CAS Proxying

If you have deployed CAS-CAS proxying, you must apply a service pack or update rollup to the Internet-facing Client Access servers before you apply the service pack or update rollup to non-Internet-facing Client Access servers. For other Exchange 2007 configurations, the order in which you apply a service pack or update rollup to the servers is not important.

For more information about CAS-CAS proxying, see Understanding Proxying and Redirection.

Slipstream Update Rollup Installations

Exchange 2007 does not support the slipstream installation of an update rollup during the installation of a service pack. 

The Exchange installation folder includes an Updates folder. When you perform a new Exchange installation, you can copy an update rollup to the Updates folder. In this scenario, the update rollup package is applied during the installation of Exchange.

The Updates folder supports a new installation of Exchange. The folder is not supported for use during a service pack installation. Therefore, you cannot include (slipstream) an update rollup together with the installation of a service pack. The slipstream installation of an update rollup during a service pack installing has not been tested. Therefore, you may experience unintended results. The following example scenarios show the supported use of the Updates folder.

Supported Use of the Updates Folder

Follow these steps to perform a supported upgrade installation:

  1. Install Exchange 2007 SP2 on a computer that is running Exchange 2007 SP1 together with Exchange 2007 Update Rollup 9.

  2. Install Exchange 2007 SP2 Update Rollup 2.

Follow these steps to perform a supported new installation:

  1. Copy the Exchange 2007 RTM files to a local directory on the server or to a network share.

  2. Put the appropriate update rollup package in the Updates subdirectory.

  3. Install Microsoft Exchange. The update rollup is automatically applied during the installation of Microsoft Exchange.

Using RPC Proxy Settings Other Than the Default Settings

If you use customized RPC Proxy registry settings, the settings may be overwritten by applying a service pack or update rollup. Therefore, we recommend that you back up any custom registry settings before you apply a service pack or update rollup.

General Backup Recommendations

We strongly recommend that you create the following backups before you install a service pack or update rollup package:

  • A full backup of all Exchange databases on the server

  • A system state backup of the server

Service Outage Considerations

When you install a service pack or an update rollup, the Setup program automatically stops the appropriate Exchange services and Internet Information Services (IIS)-related services. Therefore, during the installation process, the server may be unable to service user requests. We recommend that you install a service pack or update rollup during a period of scheduled maintenance or during a period of low business impact.

Deploying the Latest Service Pack or Update Rollup

The following sections contain information about how to deploy an Exchange 2007 service pack or an update rollup.

Where to Apply

You should apply service packs or update rollup packages to each Exchange 2007-based server in an environment. The update packages are not separated according to different Exchange server roles or for particular file configurations. Instead, the appropriate service pack or update rollup package should be applied to each Exchange 2007 server.

Order in Which to Apply to Servers

Unless you are running CAS-CAS proxying in your environment, the order in which you apply a service pack or update rollup package to servers is not important. However, we recommend that you apply service packs or update rollup packages to servers that are running the Client Access server role first. Then, apply the service pack or update rollup package to servers that are running the other Exchange server roles.

How to Apply

To apply a service pack or update rollup package to servers that are in a nonclustered environment, follow these steps:

  1. Follow the steps in the "Planning to Deploy the Latest Service Pack or Update Rollup" section to prepare for the service pack or update rollup installation. This includes contacting Microsoft Customer Support Services to obtain any replacement interim updates that you may have to apply.

  2. Use an account that has the appropriate permissions to log on to the server.

  3. Verify that the following items are backed up:

    • Exchange databases

    • System state

    • Custom settings

  4. Verify that the server can connect to the Internet. If the server does not have Internet access, temporarily turn off the Check for publisher’s certificate revocation option.

  5. Run the Setup program to install the service pack or update rollup package.

    Important:
    If you use Microsoft Update to install an update rollup package or if you install an update rollup package in silent mode, certain Exchange services may be disabled. This issue occurs if the update rollup package must update a file that is being used.
  6. When the installation is finished, start the Services MMC snap-in, and then verify that all the Exchange-related services were started successfully.

  7. Log on to Outlook Web Access to verify that this Web application is running correctly.

  8. Restore Outlook Web Access customizations, and then retest Outlook Web Access for correct functionality.

Removing Update Rollups

To remove an Exchange 2007 update rollup package that is installed on Windows Server 2003, open Add or Remove Programs in Control Panel, and then select the appropriate Knowledge Base number for removal.

To remove an Exchange 2007 update rollup package that is installed on Windows Server 2008, open Installed Updates in Control Panel, and then select the appropriate Knowledge Base article for removal.

Exchange 2007 SP2-Specific Information

To support coexistence with Microsoft Exchange 2010, Exchange 2007 SP2 creates the Exchange Trusted Subsystem (ETS) security group in the Microsoft Exchange Security Groups organization unit during Active Directory preparation setup. This group is then added to the Exchange 2007 server’s local administrators group during the installation of the SP2 binaries.

The ETS is a highly-privileged universal security group (USG) that has read and write access to every Exchange-related object in the Exchange organization. In Exchange 2010, all Remote PowerShell actions are run under the context of a Client Access server, which is a member of the ETS group. This means that for any action that acts against a local server resource, such as enumerating the IIS virtual directories, the ETS group needs sufficient rights to view or manipulate those local resources, depending on the action.