Failed Exchange Server 2013 CU2 & CU3 install due to security update 2874216 (updated again)

Reading Time: 4 minutes

Today a customer asked for my help because an installation of Exchange Server 2013 Cumulative Update 2  (v2) had failed; Their Exchange environment didn’t work anymore and they were stuck.

During the installation from Cumulative Update 1 (CU1) to Cumulative Update 2 (CU2), they encountered the following error:

Unable to remove product with code 4934d1ea-be46-48b1-8847-f1af20e892c1. Fatal error during installation. Error code is 1603. Last error reported by the MSI package is 'Unable to install because a previous Interim Update for Exchange Server 2013 Cumulative Update 1 has been installed.  Please use Add/Remove Programs to uninstall the Interim Update before running this setup again.'.

As specified in the release notes (although I can’t find this remark anywhere anymore), every interim update has to uninstalled before installing a Cumulative Update. However, if you look at installed Exchange updates (be sure to click Installed Updates, within Programs and Features) it isn’t very clear that it is an interim update. In this case the only Exchange related update was KB2874216, which is regarded as a security update. It had it’s own set of problems resolved in the re-release. The version 2 of this update was released August 27th and it was installed on September 4th directly via Windows Update (no WSUS). Although the screen (see below) suggest that v1 was installed, I think it’s reasonable that v2 was installed. Also, the registry fixes weren’t manually applied but were correct (so there were no issues with content indexing). Click on picture to get a larger version:


However, after the failed CU2 install it wasn’t possible to remove this update. The uninstall starts, but just stops without any error window. Restarting the CU2 installation (an often successful strategy with Exchange 2010 rollup updates) also fails.

This was probably because lot of (Exchange) services were disabled due to the halted CU2 installation, which is expected. Unfortunately these services weren’t set to their correct state after exiting the update installer. They were not started and some did not start because their dependencies weren’t started.

After starting relevant services (most important: Remote Registry) manually I could remove the Interim Update. Funny thing was that a window appeared requesting the CU1 installation source; probably to restore the original files replaced by the security update (flashback to the Exchange 2003 era…). Just point to a folder with the extracted CU1 install. It will not remove Exchange. After that I could finally successfully install Cumulative Update 2 version 2 (CU2v2).

I’m not sure why this happened, whether this is a fluke or systematic. It appears to have occurred at least once before. Perhaps it doesn’t occur more frequently because Exchange admins are currently more hesitant to install updates quickly due to persistent quality issues. This scenario shows that it seems to be a wise strategy…

Update 25 September 2013
: I’ve found a similar case here, however it’s dated before the v2 release of KB2874216.

Update 25 September 2013 2
: Error message wasn't correct, extra unrelated information removed.

Update 27 September 2013: I can confirm this issue can be reproduced in a lab environment.

the security update, you can update from CU1 to CU2 without issue. With
the security update, every time the error appears in step 3 Removing
Exchange Exchange Files. See the screenshot:


The ExchangeSetup.log basically shows the same information and doesn’t provide extra information.

After uninstalling this security update (see above for some tricks), the upgrade from CU1 to CU2 is successful.

is no relation on Windows patches that I could detect and no relation
on which Exchange role is installed (Multi, Client Access or Mailbox).

Todd Nelson also pointed towards the comments below this Exchange Team blog post where it is explicitly stated that security updates do not have to be removed before CU installation. It is in the comment section though, it could be that it is an unofficial remark.

Paul Cunningham correctly notes, that after CU2 has finally been installed successfully, you have to install the Security Update For Exchange Server 2013 CU2 (KB2874216). Let’s hope that the issue is fixed for CU3.

Update 27 November 2013: I've received several reports that
this issue is still present while installing CU3. The same procedure
described in this post still seems to work. I haven't confirmed this
myself (yet).

In the meantime (even before CU3 was out) I also
discovered that Server Component states could have the status inactive if the CU install failed and even if you eventually completed the CU
install successfully afterwards. This is because the CU installer sets Components
inactive with a requester (Functional) other than a lot of maintenance scripts or
manuals use, it could be that with troubleshooting a different requester still has the component set to Inactive. So, best to check your Component States! You can see the state and
the requester used to set the state in EMS with:

$states = Get-ServerComponentState -Identity <servername>

You can set the state to active again with:

Set-ServerComponentState -Identity <servername> -Component <name> -Status Active -Requester <name requester>

Check this Exchange Team blog post on Exchange 2013 Server Components for more information on this subject, an important read even if you didn't have any issues while installing CU's. This was also discussed in The UC Architects podcast episode 30.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.