Your Ultimate Guide to Exchange Server 2016 Cumulative Updates (CUs) & Security Updates (SUs): Downloads & Key Information

Your Ultimate Guide to Exchange Server 2016 Cumulative Updates (CUs) & Security Updates (SUs): Downloads & Key Information

Microsoft Exchange Server 2016 has been a reliable workhorse for many organizations, providing essential email, calendaring, and collaboration services. As this version transitions through its lifecycle, particularly into extended support, keeping it updated with the latest Cumulative Updates (CUs) and, more critically, Security Updates (SUs) is paramount. These updates are vital for protecting against emerging security threats, addressing known bugs, and ensuring the platform remains as stable and performant as possible within its support boundaries. Overlooking these updates can leave your systems vulnerable and unsupported, potentially leading to significant operational disruptions or security incidents. This guide is crafted to serve as your comprehensive resource for navigating the updates for Exchange Server 2016. We will explore the nuances of CUs and SUs specific to this version, provide a detailed list of these updates with their build numbers and release dates, and offer direct links to Microsoft’s official download pages or Knowledge Base articles. Furthermore, we will cover essential practices for maintaining your Exchange 2016 environment. If you are managing an Exchange 2016 deployment and need clarity on its update path or are considering your options as it nears the end of its lifecycle, this article will provide the necessary details. For organizations requiring assistance with Exchange 2016 updates, security hardening, or planning a migration to a newer platform, MedhaCloud offers expert Exchange Server support and migration services.

Understanding Updates for Exchange Server 2016

For Exchange Server 2016, the update strategy revolves around two main types of releases from Microsoft: Cumulative Updates (CUs) and Security Updates (SUs). Understanding their roles is key to effective server management.

Cumulative Updates (CUs): Similar to Exchange 2019, CUs for Exchange Server 2016 are full builds of the product. Each CU includes all previously released CUs and SUs for Exchange 2016. When you install a CU, you are effectively upgrading your Exchange 2016 installation to that specific build level. Microsoft typically released CUs for Exchange 2016 on a quarterly or semi-annual basis during its mainstream support phase. These updates contain fixes for customer-reported issues, stability improvements, and all prior security patches. Because each CU is a complete version, you can install the latest CU directly, regardless of which previous CU (or RTM version) your server is currently running. For instance, if your server is on CU18 and CU23 is the latest, you can upgrade directly to CU23. Microsoft’s recommendation has always been to stay on the latest or the immediately preceding (N-1) CU to remain in a supported state.

Security Updates (SUs): Security Updates are critical patches released to address specific security vulnerabilities identified in Exchange Server 2016. These are released as needed, often as part of Microsoft’s monthly Patch Tuesday cycle. SUs are not full builds; they are smaller packages designed to patch vulnerabilities on an existing CU. Crucially, SUs are CU-specific. An SU released for Exchange Server 2016 CU23, for example, is intended only for servers already running CU23. If your server is on an older CU, you must first upgrade to the CU for which the SU is designed (or a later CU that incorporates those security fixes) to apply that SU. Given that Exchange 2016 is in extended support (mainstream support ended in October 2020, and extended support is scheduled to end in October 2025), SUs are the most frequent and critical updates you will encounter for this version.

Lifecycle Considerations: As Exchange Server 2016 is in extended support, Microsoft primarily provides security updates. New features are no longer introduced. It is vital to apply all relevant SUs promptly. Organizations still running Exchange 2016 should also be actively planning their migration strategy to a newer version of Exchange Server (like Subscription Edition) or to Exchange Online (Microsoft 365) before the end-of-support date in October 2025 to avoid running an unsupported and potentially insecure system.

Latest Recommended Update for Exchange Server 2016

To maintain the security and stability of your Exchange Server 2016 environment, especially as it progresses through its extended support lifecycle, applying the latest available Cumulative Update (CU) and all subsequent Security Updates (SUs) is essential. As of our last data review (early 2025), the final major Cumulative Update released for Exchange Server 2016 was Exchange Server 2016 CU23. This CU serves as the baseline for ongoing Security Updates.

Following the release of CU23, Microsoft has continued to release SUs to address new vulnerabilities. For example, Exchange Server 2016 CU23 Mar24SU (KB5036386), released on March 12, 2024, and potentially later SUs like Exchange Server 2016 CU23 Nov24SU (KB5044062) or Exchange Server 2016 CU23 Apr25HU (KB5050674) would be critical for servers running CU23.

Key Recommendations for Exchange 2016:

1. Ensure you are on CU23: If your Exchange 2016 servers are not already on CU23, you should plan to upgrade to this version as it is the servicing baseline for the latest SUs.
2. Apply All Subsequent SUs: Once on CU23, diligently apply all SUs released for CU23 in chronological order, or at least the latest available SU which is typically cumulative for that CU.
3. Verify with Official Sources: Always confirm the very latest CU/SU information directly from the Microsoft Exchange Server Build Numbers and Release Dates page (this page covers multiple Exchange versions including 2016) and the Microsoft Security Update Guide.

For direct access to the download for Exchange Server 2016 CU23 (KB5020999), you would typically visit the Microsoft Download Center (the original download link was https://www.microsoft.com/download/details.aspx?id=104759, but always verify). For specific SUs like KB5036386, refer to its support article.

Given that Exchange 2016 will reach the end of its extended support on October 14, 2025, applying these final updates is crucial for short-term security while actively pursuing migration to a supported platform. If you need assistance with this process or with planning your migration, MedhaCloud’s Exchange experts are ready to help.

Comprehensive List of Exchange Server 2016 Cumulative Updates (CUs)

Cumulative Updates (CUs) for Exchange Server 2016 are full installations that include all previously released fixes and features up to that point. The final major CU for Exchange 2016 was CU23, which now serves as the baseline for all subsequent Security Updates. Below is a list of CUs for Exchange Server 2016, with release dates, build numbers, and links to download pages or KB articles. Direct download links for older CUs may be retired by Microsoft.

(Note: This table is not exhaustive for all historical CUs. Focus is on more recent CUs leading to the final CU23. Always verify build numbers and download links via official Microsoft channels.)

Comprehensive List of Exchange Server 2016 Security Updates (SUs)

Security Updates (SUs) are critical for Exchange Server 2016, especially now that it is in extended support. These updates address vulnerabilities and are specific to a CU level, primarily CU23. Always consult the Microsoft Security Update Guide for the absolute latest SU information.

Patching your Exchange 2016 servers, especially with the latest SUs for CU23, is non-negotiable for security. If you require assistance in applying these updates or formulating a migration strategy before the October 2025 end-of-support, MedhaCloud’s Exchange specialists can provide expert guidance and support.

How to Check Your Current Exchange 2016 Build Number

Identifying the current build number of your Exchange Server 2016 installation is a crucial first step before any update. This tells you which CU and SUs are installed. The Exchange Management Shell (EMS) is your tool for this:

1. For a summary including the AdminDisplayVersion (reflects CU level):

   powershell Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion, ServerRole

   The AdminDisplayVersion will show something like Version 15.1 (Build xxxx.x).

2. For the precise file version of ExSetup.exe (most accurate build):

   powershell Get-Command ExSetup.exe | ForEach-Object {$_.FileVersionInfo}

   The ProductVersion or FileVersion (e.g., 15.01.2507.006 for CU23 RTM) can be cross-referenced with Microsoft’s build lists.

Keeping track of your build numbers helps ensure you apply the correct sequence of updates.

Important Considerations Before Updating Exchange Server 2016

Updating Exchange Server 2016, especially now that it is in extended support and nearing its end of life (October 2025), requires meticulous planning. While the urgency is primarily around Security Updates (SUs), applying them correctly on top of the final Cumulative Update (CU23) is crucial. Here’s what to keep in mind:

1. Confirm You Are on CU23: Exchange Server 2016 CU23 is the baseline for the latest SUs. If you are on an older CU, you must upgrade to CU23 before applying recent SUs. This is a full installation process.
2. Read SU Release Notes Diligently: Each SU KB article contains vital information about prerequisites, specific fixes, known issues, and installation instructions. Pay close attention, as these are your primary defense against new vulnerabilities.
3. Comprehensive Backups are Non-Negotiable: Before any update, especially a CU upgrade to CU23 or applying SUs:
   • Full System State backups of Domain Controllers.
   • Complete Exchange server backups (OS, databases, logs).
   • Backups of Exchange customizations (OWA, web.config, third-party tools). Always verify restorability.
4. Test SUs in a Lab (If Possible): While CU23 is old, if you have a lab, testing SUs on a CU23 build can help identify issues before they hit production. This is less critical than for new CUs but still good practice if resources allow.
5. Active Directory (AD) Health and Prerequisites (for CU23 upgrade):
   • If upgrading to CU23 from an older CU, check if AD schema updates (PrepareSchema, PrepareAD, PrepareDomain) were required by CU23 or any intermediate CUs you might be skipping. CU23 itself did not introduce new AD prep requirements if you were on a relatively recent CU, but always verify against the CU23 release notes if coming from a very old version.
   • Ensure AD health (DCDIAG, REPADMIN) is optimal.
6. .NET Framework Version: Exchange 2016 CU23 has specific .NET Framework requirements (typically .NET Framework 4.8). Ensure this is installed before attempting to install CU23 or subsequent SUs, as SUs inherit the CU’s .NET requirements.
7. Plan for Downtime: Upgrading to CU23 will require a significant maintenance window. SUs typically require a reboot and thus a shorter maintenance window. Communicate all planned downtime clearly.
8. Update Order in DAGs: When upgrading to CU23 or applying SUs in a Database Availability Group (DAG):
   • Place the DAG member in maintenance mode.
   • Update Mailbox servers first. Generally, update non-internet-facing (backend) before internet-facing Mailbox servers.
   • Edge Transport servers (if any) are usually updated last.
9. Antivirus Exclusions: Verify that your antivirus software has the correct exclusions for Exchange Server to prevent interference.
10. Run as Administrator: Always install CUs and SUs using elevated privileges.
11. Sufficient Disk Space: Ensure adequate free disk space for the update files and the installation process.
12. Third-Party Integrations: Check compatibility of any third-party tools with CU23 and the SUs you are applying. Given the age of Exchange 2016, some vendors may have limited support.
13. End-of-Life Planning: The most critical consideration for Exchange 2016 is its upcoming end of extended support in October 2025. While applying SUs is vital for short-term security, your primary focus should be on migrating to Exchange Server Subscription Edition or Exchange Online. Contact MedhaCloud to discuss your migration strategy from Exchange 2016.

Careful attention to these points will help ensure your Exchange 2016 servers remain as secure as possible while you plan your transition to a supported platform.

General Installation Guidance for Exchange Server 2016 Updates

This section provides a high-level overview for installing Cumulative Updates (specifically upgrading to CU23 if not already there) and Security Updates (SUs) on Exchange Server 2016. Always consult official Microsoft documentation for the most detailed and current procedures.

For Upgrading to Cumulative Update 23 (CU23):

1. Preparation: Complete all relevant steps from the “Important Considerations” section (backups, AD health, .NET Framework 4.8, etc.).
2. Download CU23: Obtain the Exchange Server 2016 CU23 ISO file (KB5020999) from the Microsoft Download Center.
3. Mount ISO: Mount the ISO on the Exchange 2016 server.
4. Prepare Active Directory (if necessary): If upgrading from a very old CU, verify if CU23 or intermediate CUs required AD preparation steps (PrepareSchema, PrepareAD, PrepareDomain). If so, execute them with appropriate permissions and wait for replication.
5. Server Maintenance Mode (DAGs): Use scripts like StartDagServerMaintenance.ps1 or manually perform maintenance steps for DAG members.
6. Run Setup: From an elevated command prompt or PowerShell, navigate to the ISO and run Setup.exe /Mode:Upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataON (or IAcceptExchangeServerLicenseTerms if the diagnostic data switch is not applicable/desired for this older version – check CU23 release notes).
7. Follow Wizard: The setup wizard will perform readiness checks and guide the upgrade.
8. Reboot: A reboot is required post-CU installation.
9. Post-Installation Checks: Verify event logs, services, mail flow, OWA/ECP, and the server build number.
10. Exit Maintenance Mode: Reverse maintenance steps for DAG members.

For Security Updates (SUs) on CU23:

1. Preparation: Read the SU’s KB article, perform backups.
2. Download SU: Get the .msp file from the Microsoft Update Catalog or the KB article link.
3. Run as Administrator: Right-click the .msp file and select “Run as administrator” or use msiexec /update <PatchFileName.msp> from an elevated command prompt.
4. Follow Prompts: Installation is usually straightforward.
5. Reboot: Most SUs require a server reboot.
6. Post-Installation Checks: Verify event logs, services, basic functionality, and that the build number reflects the SU installation.

Key Official Microsoft Resources:

• Exchange Server Build Numbers and Release Dates: Microsoft Learn (includes 2016)
• Install Exchange Cumulative Updates: Microsoft Learn
• Specific SU KB articles.

Given Exchange 2016’s lifecycle stage, meticulous adherence to Microsoft’s guidance for CU23 and subsequent SUs is critical.

Troubleshooting Common Exchange 2016 Update Issues (Optional Section)

Even with careful planning, issues can arise when updating Exchange Server 2016, particularly when applying SUs to the aging CU23 baseline.

1. CU23 Upgrade Failures:
   • Readiness Checks: Common culprits include incorrect .NET Framework versions (ensure 4.8), pending reboots, AD preparation steps missed (if coming from very old CUs), or insufficient permissions.
   • Setup Logs: C:\ExchangeSetupLogs\ExchangeSetup.log is your primary diagnostic tool.
2. SU Installation Problems:
   • Error during .msp installation: Ensure you are running as administrator. Sometimes, a previous SU might not have fully completed (pending reboot). Antivirus interference is also possible.
   • OWA/ECP Issues Post-SU: This can occur due to IIS misconfigurations. Running UpdateCas.ps1 and UpdateConfigFiles.ps1 (from Exchange Bin directory) followed by iisreset might help. Always check the SU’s KB for known issues or post-install steps.
   • SU shows as still needed after install/reboot: This can be due to detection logic issues or incomplete installation. Try downloading the SU manually from the Microsoft Update Catalog and installing from an elevated command prompt.
3. Service Failures: Check Application and System event logs for errors related to Exchange services that fail to start post-update.
4. DAG Issues: Ensure all DAG members are on the exact same CU and SU level. Mismatches can cause replication and failover problems.

General Troubleshooting Resources:

• Event Viewer: Application, System, and specific Exchange logs.
• Exchange Setup Logs: C:\ExchangeSetupLogs.
• Microsoft Tech Community – Exchange: Tech Community.
• Official Microsoft Documentation & KB Articles.

For persistent issues, especially with a platform nearing end-of-life, consider if the effort to troubleshoot outweighs the benefits compared to accelerating migration plans. MedhaCloud can assist with both troubleshooting and strategic migration. Get expert Exchange 2016 support here.

Conclusion: Securing Exchange 2016 and Planning for the Future

Maintaining Exchange Server 2016 with the latest Security Updates on top of CU23 is a critical responsibility for administrators as this version approaches its October 2025 end-of-support date. While these updates provide essential protection against known vulnerabilities, they do not change the fact that the platform is aging and will soon be unsupported. This guide has provided a roadmap for understanding and applying these vital updates, including lists of CUs and SUs, build numbers, and key installation considerations.

The primary takeaway for Exchange Server 2016 administrators should be twofold: Patch diligently now, and plan aggressively for migration. Continuing to run Exchange 2016 beyond October 2025 without Microsoft support poses significant security and operational risks.

MedhaCloud specializes in helping organizations navigate the complexities of Exchange Server management, including securing legacy environments like Exchange 2016 and executing seamless migrations to modern platforms such as Exchange Server Subscription Edition or Microsoft 365. Don’t wait until the last minute. Contact MedhaCloud today to secure your Exchange 2016 environment and plan your successful migration.

We encourage you to use the information in this guide to keep your Exchange 2016 servers as secure as possible in their final phase. What are your biggest challenges with Exchange 2016, and what are your migration plans? Share your thoughts in the comments below.

Further Reading in this Series:

• Looking for Exchange 2019 info?
• Need details on Exchange 2013?
• Learn about the latest on-premises offering: