Skype for Business 2015 Server CU8a or CU9?

UPDATE 13/March 21:48 – Microsoft is updating now the info. It’s March2019 update to address a security vulnerability (CVE-2019-0798).Specific details here:
Microsoft Lync Server/Skype for Business spoofing cross site scripting
Better start planning to rollout March/2019 CU9 then! (and Lync 2013 Server if you still use)

I downloaded all the cumulative updates as soon as they are released. I like to keep an history and peek on the changes. Today I need to get the January/2019 CU8, but my repository was unavailable. So I went to official CU download site, but I noticed that the date published was from yesterday, but pointing the the KB3061064 (?!). When I got back the access to my repository, I noticed that this file also has a different version:
SfBupdate-list

Now I have two January/2019 CU with different versions (6.0.9319.537 and 6.0.9319.544) and different file sizes.
Time to dig and spot the differences: there are two msp files that changed:

OcsCore.msp

diff-ocscore
Two noticeable changes:
– non-US dll language files: they were compiled in different dates, but still have the same version number
– The Tracing files (used by CLS/OcsLogger tracing tool). These one have some significant changes:
diff-trancing

EnterpriseWebApp.msp

The files on both packages have the same size, but a ‘look inside’ reveals one particular difference: the ‘Lync.Client.Common.Consolidated.js’ is different.
diff-enterpriseWeb.png

A closer look reveals 5 lines of codes changes (one seems an additional protection)
diff-javascriptupdate

So… since MS didn’t update any documentation so far:

  • Is this CU8 republished?
    If so, MS will now have customers with different files for the same CU
  • Is this a CU9 (or a Cumulative Security update -SU-)?
    It could be, since the date matches the usually releases cycles.

Running the cumulative update installer on a Front-end server with January2019 CU8, confirms the patches changes on the identified components:

unNamedCU

The point the a KB4492303 and KB4492302 that don’t exist.

My guess now is that this is a CU9 or SUx and the documentation team is on vacations this week 😉

But some IT engineers might believe that they are downloading and installing CU8 today.

Advertisements

One thought on “Skype for Business 2015 Server CU8a or CU9?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s