Stefan Goßner

Senior Escalation Engineer for SharePoint Products and Technologies

Common Question on Hotfixes, Security Updates and Non-Security related Public Updates for SharePoint


One question I receive with more or less every CU release I publish on my blog is whether the CU also includes public updates released earlier or on the same day. The answer is YES.

All changes implemented for public updates or security fixes are also rolled up into our cumulative updates.

So if you have a CU installed, there is no need to install public updates that were released earlier or on the same day.


  • Thanks for this explanation.
    I think this is dangerous because CUs are not so well tested and it is said to install a CU only if we have a problem.
    But if I want to fix a problem with July CU, it will install as you said all the previous CUs I don't really need.
    Am I so wrong?


  • Hi Etiennel,

    a CU is cumulative and consists of all fixes previously released.
    But PUs are not much different. They include all fixes previously created for the component - independent of whether the fix was created for a CU or a PU.
    The main difference is that a PU is usually targeting a smaller aspect of the product - and that it is usually undergoing longer testing.

    In other words: there is no way NOT to install previous fixes if you are installing a fix.


  • Thanks Stefan

  • Hello Stefan,
    I'm curious why Microsoft started to release public updates for SharePoint Server 2013 since as far as I understand you should only install updates if an error is fixed which occurred in your environment.

    Since those public updates don't change the farm version they would be installed without giving the farm admin a chance to see them as a potential source of error.

    In which scenario would you recommend installing a public update rather than installing the current CU (which now is released every month)?

  • Hi Andreas,

    Microsoft has been releasing public updates for all products for a long time. E.g. security fixes are public updates. Other non-security-related public updates are fixes which address issues which can affect a huge number of customers.
    So there is nothing new here with SP 2013.

    The farm version is actually defined by a dll coming with SharePoint Foundation - which is part of SharePoint Server. If this dll is included in the public update because the change affects this dll, then the farm version should also be updated.


  • Regarding your last question - I have explained that in detail in this article:

  • Thanks for your explanation, great work you're doing here. So you're saying that those public security updates should be installed in every scenario, because every farm is in harm by security issues? Or does the general approach "only install SharePoint Updates if it's fixing an error which limits your farm" not fit for those security updates?

  • Hi Andreas,

    security fixes are recommended to be installed on all farms.
    It should be clear that you need to evaluate the fix in a test environment to verify that the fix does not bring any side effects to your application.


  • Hello Stefan,
    As a clarification, the CU updates include all the security updates as I understand. So if I install for example December 2014 CU then the Microsoft SharePoint Foundation Elevation of Privilege Vulnerability (MS14-073) would be automatically installed.
    Is this correct? Or do they need to be addressed separately?

  • Hi Cristian,
    your understanding is correct.


  • Hi Stefan. Thanks for your patience in explaining all of this to us! I am getting ready to install 2013 and going through the list of CUs since SP1. Should I patch my brand new installation of SharePoint up to and including the latest CU before moving forward with other configurations?

    Also, I looked at the Excel list of fixes included in SP1. The KB is listed in there. The SP was released in April but I don't see KB2767999 listed. That update was in March 2013 so if previous updates are in subsequent ones why is this KB not listed in the SP1 list of fixes? Hopefully that's clear :)

    Thanks again for helping us out!

  • Hi Rich,

    I'm not involved in the creation of this Excel list. All fixes released before SP1 are included in SP1.
    The general recommendation is that service packs and security fixes should be installed as soon as possible while CUs should be installed if required or advised by Microsoft support.


  • Are CUs released at the end of each month or a specific day of the month (i.e. 2nd Tuesday)?

  • Hi Greg,

    the plan is to release them on 2nd Tuesday but they can slip if problems are identified shortly before release.

