KB5073696 is the ESU Monthly Rollup Update for Windows Server 2012 R2. It was released on 13 January 2026 under the ‘Patch Tuesday’ program.
Salient points
- KB5073696 supersedes KB5071503 released in December 2025.
- KB5073696 includes all the changes that are included in the OOB update KB5074978 released on 18 December 2025 for Windows Server 2012 R2.
- KB5073696 requires a Servicing Stack Update to be installed prior to installing the main monthly rollup update. KB5068783 is the SSU corresponding to KB5073696. This SSU was released in November 2025. If you applied the November security update or December security update on Windows Server 2012 R2, the SSU would already be present on the server.
- If you install a language pack after installing KB5073696, you need to reinstall the security update. All language pack installations must be completed before installing the monthly rollup update on Windows Server 2012 R2.
- KB5073696 is an Extended Security Update. A valid subscription key to the ESU program is required before installing the monthly rollup update.
- Windows Server 2012 R2 is impacted by 35 security vulnerabilities reported in the January 2026 security bulletin.
- Three zero-day vulnerabilities affect Windows Server 2012 R2 and Windows Server 2012 R2 Server Core installation.
- Meanwhile, the last cumulative update for Internet Explorer on Windows Server 2012 R2 was released in October 2025 (KB5066840).
Servicing Stack Update KB5068783
The Servicing Stack Update for Windows Server 2012 R2 for November, December and January is KB5068783. It corresponds to KB5068905 ESU, KB5071503, and KB5073696 ESU.
For automated deployments of KB5073696 through the Windows Update program, the Servicing Stack Update KB5068783 is offered for installation as part of the installation process of the monthly rollup update KB5073696. No further action is needed to install KB5068783 for automated installations of KB5073696.
WSUS administrators need to authorize or approve KB5068783 before KB5073696 is fetched and installed in WSUS.
If you choose to deploy KB5073696 manually, you need to download and install KB5068783 on the Windows Server 2012 R2 server yourself.
The Servicing Stack Update file is a small file of 10.6 MB. Installing it does not cause a server reboot. Once the SSU is installed, you can proceed with the installation of the main monthly rollup update KB5073696.
Download KB5073696
You can download the monthly rollup update KB5073696 for Windows Server 2012 R2 from the Windows Update Catalog page shared below:
We reiterate that you need a valid ESU program subscription before you can install the ESU KB5073696 on Windows Server 2012 R2.
Zero-day Vulnerabilities
Three zero-day vulnerabilities affect Windows Server 2012 R2 and Windows Server 2012 R2 Server Core installation, as per the latest security report released by Microsoft.
The zero-day vulnerabilities are shared below:
| CVE Details | CVSS Score | Comments |
|---|---|---|
| CVE-2023-31096 | 7.8 | Elevation of Privilege Vulnerability in Windows Agere Soft Modem Driver |
| CVE-2026-21265 | 6.4 | Secure Boot Certificate Expiration Security Feature Bypass Vulnerability |
| CVE-2026-20805 | 5.5 | Desktop Window Manager Information Disclosure Vulnerability |
KB5071503 – Changelog
Since this is an ESU, the focus remains on securing the Windows Server 2012 R2 deployments. The following changes have been reported for KB5071503:
- [Internal Windows OS] Miscellaneous security improvements were made to internal Windows OS functionality.
- [Windows Deployment Services (WDS)] This update introduces a change in behavior in which WDS will stop supporting hands-free deployment functionality by default. Admins should review guidance and follow instructions provided in Windows Deployment Services (WDS) Hands-Free Deployment Hardening Guidance.
- [Drivers] This update removes the following modem drivers: agrsm64.sys (x64), agrsm.sys (x86), smserl64.sys (x64) and smserial.sys (x86). Modem hardware dependent on these specific drivers will no longer work in Windows.
- [WinSqlite3.dll] Fixed: The Windows core component, WinSqlite3.dll, has been updated. Previously, some security software might have detected this component as vulnerable.
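For a manual deployment, the SSU prerequisite and the driver removal listed above can be checked on each server before the rollup is staged. The script below is an added example, not taken from Microsoft or from the original page: the function name is hypothetical, the KB numbers and driver file names come from this page, and it assumes installed updates (including the SSU) are visible to Get-HotFix. It does not verify the ESU subscription key.

```powershell
# Added example: pre-install readiness check for a manual KB5073696 deployment.
# Written for PowerShell 4.0, as shipped with Windows Server 2012 R2.
# Assumption: the SSU and rollup appear in Win32_QuickFixEngineering (Get-HotFix).
function Test-RollupReadiness {
    param(
        [string]$SsuId    = 'KB5068783',   # SSU named on this page
        [string]$RollupId = 'KB5073696',   # monthly rollup named on this page
        [string[]]$RemovedDrivers = @('agrsm64.sys', 'agrsm.sys',
                                      'smserl64.sys', 'smserial.sys')
    )

    # Windows Server 2012 R2 reports version 6.3.x; ProductType 1 is a client OS.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $isTargetOs = ($os.Version -like '6.3.*') -and ($os.ProductType -ne 1)

    # Get-HotFix raises an error for an unknown ID, so suppress it and test for $null.
    $ssu    = Get-HotFix -Id $SsuId    -ErrorAction SilentlyContinue
    $rollup = Get-HotFix -Id $RollupId -ErrorAction SilentlyContinue

    # Registered kernel drivers whose binary is one of the files the update removes.
    # PathName can be prefixed with \SystemRoot\ or \??\, so compare the last
    # path segment only (-contains is case-insensitive).
    $affected = @(Get-CimInstance -ClassName Win32_SystemDriver | Where-Object {
        $_.PathName -and ($RemovedDrivers -contains ($_.PathName -split '\\')[-1])
    } | ForEach-Object { '{0} ({1})' -f $_.Name, $_.State })

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        IsServer2012R2       = $isTargetOs
        SsuInstalled         = [bool]$ssu
        RollupInstalled      = [bool]$rollup
        # Ready means: correct OS, SSU present, rollup not yet applied.
        ReadyForRollup       = ($isTargetOs -and [bool]$ssu -and (-not $rollup))
        AffectedModemDrivers = $affected
    }
}

$result = Test-RollupReadiness
$result | Format-List

if (-not $result.SsuInstalled) {
    Write-Warning 'KB5068783 (SSU) not found. Install it before the monthly rollup.'
}
if ($result.AffectedModemDrivers.Count -gt 0) {
    Write-Warning 'Modem drivers slated for removal are registered on this server.'
}
```

A non-empty AffectedModemDrivers list identifies servers whose modem hardware should be reviewed before the update is approved.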
Internet Explorer Cumulative Update – KB5066840
To secure Windows Server 2012 R2, you also need to patch Internet Explorer 11 with the latest cumulative update. KB5066840 is the cumulative update for Internet Explorer released on 14 October 2025. No new IE update has been released in November or December 2025.
You can download the IE Cumulative Update for Windows Server 2012 R2 from the link shared below:
Download Cumulative Update for Internet Explorer – KB5066840 (54.9 MB)