Sharepoint Cumulative Updates are not always cumulative

And this could be a security issue

SharePoint Server patching is one of the regular maintenance tasks SharePoint admins are concerned with. How regular? Ideally, monthly, but we don’t live in an ideal world. If a SharePoint farm has not been patched for a couple of months or a couple of years, it’s no big deal: just install the latest Cumulative Update and have all fixes in place, right? Wrong!

Security is not always included

But isn’t that why SharePoint updates are called “cumulative”? Aren’t they supposed to include all previous updates? They are, but there is a catch. Regular application fixes and improvements are rolled into these updates, and installing the latest language-independent and language-dependent packages updates the farm to the latest and greatest. What is sometimes missing from a CU is the security updates. And if security updates are not included in one of the packages, that package does not carry the previous security fixes either.

So, this is actually very important: miss it and you may spend your time updating SharePoint and still not get security vulnerabilities patched!

How to tell if a particular Cumulative Update has security fixes or not?

It’s very easy, actually. Microsoft specifies this in the very title of each KB released with a Cumulative Update. Here are a couple of examples:

KB5002277 is the language-dependent part of the October 2022 CU for SharePoint Server 2019. Its full title is “October 11, 2022, update for SharePoint Server 2019 Language Pack (KB5002277)”. Does it say anything about security? No. That means there is no security rollup in this package.

Now, let’s take a look at the second KB released in the same CU, the language-independent KB5002278. This is quite different, right? The full title reads “Description of the security update for SharePoint Server 2019: October 11, 2022 (KB5002278)”. Also, at the very beginning of the article there is a list of CVEs that this security update patches. As a matter of fact, it also includes all previous applicable security patches.
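As an added example (not from the original post), here is a small Python script that applies the title check above to a farm’s installed KB list: for each package type it reports the newest package date beside the newest security-titled package date and flags package types where the two differ, which is exactly the “updated but not security-patched” gap described here. The October 2022 titles are the real ones quoted above; the March 2022 entries, their KB ids and the component labels are constructed placeholders.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# The signal the post relies on: Microsoft puts "security update" in the title
# of a KB package that carries a security rollup, and leaves it out otherwise.
SECURITY_TITLE = re.compile(r"\bsecurity update\b", re.IGNORECASE)

@dataclass(frozen=True)
class KbArticle:
    kb: str
    component: str  # "language-independent" or "language-dependent" (constructed labels)
    released: date
    title: str

def is_security_update(article: KbArticle) -> bool:
    """True when the KB title announces a security update."""
    return SECURITY_TITLE.search(article.title) is not None

def patch_levels(installed: List[KbArticle]) -> Dict[str, Dict[str, Optional[date]]]:
    """Per component: date of the newest package vs. newest security-titled package."""
    levels: Dict[str, Dict[str, Optional[date]]] = {}
    for art in installed:
        entry = levels.setdefault(art.component, {"cu": None, "security": None})
        if entry["cu"] is None or art.released > entry["cu"]:
            entry["cu"] = art.released
        if is_security_update(art) and (
                entry["security"] is None or art.released > entry["security"]):
            entry["security"] = art.released
    return levels

def lagging_components(installed: List[KbArticle]) -> List[str]:
    """Components whose newest package is not a security update (security level lags CU level)."""
    return sorted(comp for comp, lv in patch_levels(installed).items()
                  if lv["security"] is None or lv["security"] < lv["cu"])

# Constructed farm inventory. The October 2022 rows use the real titles quoted
# in the post; the March 2022 rows are placeholders (hypothetical KB ids and titles).
INSTALLED = [
    KbArticle("KB-PLACEHOLDER-1", "language-independent", date(2022, 3, 8),
              "Description of the security update for SharePoint Server 2019: March 8, 2022 (placeholder)"),
    KbArticle("KB-PLACEHOLDER-2", "language-dependent", date(2022, 3, 8),
              "Description of the security update for SharePoint Server 2019 Language Pack: March 8, 2022 (placeholder)"),
    KbArticle("KB5002278", "language-independent", date(2022, 10, 11),
              "Description of the security update for SharePoint Server 2019: October 11, 2022 (KB5002278)"),
    KbArticle("KB5002277", "language-dependent", date(2022, 10, 11),
              "October 11, 2022, update for SharePoint Server 2019 Language Pack (KB5002277)"),
]
```

With this inventory, `lagging_components(INSTALLED)` returns `["language-dependent"]`: the language pack is at the October 2022 CU level but its last security-titled package is from March 2022.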


Now, some extra disclaimers, as I was not able to find any information or posts backing my findings: I’m not (and never was) a Microsoft employee, am not affiliated with Microsoft, and don’t have any sources within Microsoft to confirm the material in this article. However, what I described here is based on my own experience.

How exactly did I find this, and how can I be sure it’s correct? I saw this in one of the organizations I worked for. They had a security tool that scans all servers for vulnerabilities, and that tool, of course, detects vulnerabilities reported for SharePoint Server. The tool also suggests a patch for each vulnerability it finds. So the first time we patched SharePoint with this security scanner active, the expectation was that most of the detected vulnerabilities would disappear from the tool’s output. However, this was not the case: only some of the vulnerabilities were patched. As I found out, the CU that was installed had only the language-independent KB marked as a “security update”, like in the example above. Once we had a chance to install the next CU, which had both KBs marked as a “security update”, the security scanner and our InfoSec team were satisfied.