KB5021235 is December month’s cumulative update for Windows Server 2016 and Windows Server 2016 Server core installation. KB5021235 is part of the ‘Patch Tuesday’ project of Microsoft. This cumulative update replaced KB5019964 for Windows Server 2016. We discuss the salient points about KB5021235 below.
Salient points about KB5021235 cumulative update for Windows Server 2016
- KB5021235 has been superseded by KB5022289 cumulative update released in January 2023. Read more about KB5022289 here.
- KB5021235 is a cumulative update that supersedes the KB5019964 cumulative update for November 2022.
- KB5021235 also contains all the changes that were introduced as part of the out-of-band (OOB) update KB5021654. KB5021654 was released on 16th November 2022.
- We are moving from server build 14393.5501 from KB5019964 to server build 14393.5582 on KB5021235. On a similar basis, we will be upgrading from KB5021654 server build 14393.5502 to KB5021237 build 14393.5582.
- Servicing Stack Update KB5017396 corresponds to KB5021235. It needs to be deployed prior to the deployment of KB5021235 on Windows Server 2016.
- There are 21 security vulnerability disclosures for December 2022 in Microsoft’s security bulletin. Out of these, three are CRITICAL vulnerability threats. Details of each of these are shared below.
- KB5021235 for Windows Server 2016 is also valid for Windows Server 2016 Server core installation.
You can read more about November month’s cumulative update KB5019964 for Windows Server 2016 on this page.
Downloads for KB5021235 for Windows Server 2016
For manual deployment of KB5021235, you require MSU update files. These offline installer files are available from the Microsoft Update Catalog pages. Prior to installing KB5021235, you need to also install KB5017396 on Windows Server 2016.
The direct download links of the manual installer files are shared below:
| Cumulative Update/SSU Update | Download updates | Size of update |
|---|---|---|
| KB5017396 | Download KB5017396 | 11.6 MB |
| KB5021235 | Download KB5021235 | 1560.3 MB |
Security threats or vulnerabilities reported in KB5021235 for Windows Server 2016
- There are 21 vulnerability disclosures in December month’s security bulletin for Windows Server 2016.
- There are 6 Remote Code execution threats. 3 of these have CRITICAL severity and the other three have IMPORTANT severity.
- There have been eight ‘Elevation of Privilege’ threats. All these have IMPORTANT severity levels.
The CRITICAL RCE or Remote Code Execution threats are mentioned below:
| Vulnerability | CVSS Score | Severity | Description | Impact |
|---|---|---|---|---|
| CVE-2022-41076 | 8.5 | CRITICAL | Powershell RCE vulnerability | Remote Code Execution |
| CVE-2022-44676 | 8.1 | CRITICAL | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Remote Code Execution |
| CVE-2022-44670 | 8.1 | CRITICAL | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Remote Code Execution |
Post-deployment issues after installing KB5021235 for Windows Server 2016
After installing KB5021235, apps that use ODBC connections through Microsoft ODBC SQL Server Driver (sqlsrv32.dll) to access databases might not connect. You may also get the following errors:
- The EMS System encountered a problem. Message: [Microsoft][ODBC SQL Server Driver] Protocol error in TDS Stream.
- The EMS System encountered a problem. Message: [Microsoft][ODBC SQL Server Driver] Unknown token received from SQL Server.
As of writing this, there has been no available workaround. We expect Microsoft to release a fix in the shape of an OOB or out-of-band update.
Bug fixes or issue fixes in KB5021235 for Windows Server 2016
The following issues have been fixed in KB5021235 for Windows Server 2016:
- This update addresses a known issue that might affect the Local Security Authority Subsystem Service (LSASS.exe). It might leak memory on Windows domain controllers. This issue might occur when you install Windows updates dated November 8, 2022, or later.
- This update addresses the suspension of daylight saving time (DST) in the Republic of Fiji for this year.
Deployment or installation of KB5021235 on Windows Server 2016
KB5021235 can be deployed automatically through one of the following methods:
- WSUS or Windows Server Update Service
- Windows Update
- Windows Update for Business
KB5021235 can be also deployed manually. We have already discussed the offline installer downloads above through the Microsoft Update catalog pages.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.