KB5073698 ESU for Windows Server 2012

KB5073698 is the ESU Monthly Rollup Update for Windows Server 2012. It was released on 13 January 2026 under the ‘Patch Tuesday’ program.

Salient points

• KB5073698 supersedes KB5071505 released in December 2025.
• KB5073698 includes all changes that are part of the out of band update KB5074980 released on 18 December 2025.
• KB5073698 requires the KB5071813 Servicing Stack Update to be installed prior to installing the main monthly rollup update.
• Without the installation of KB5071813, the ESU KB5073698 cannot be installed. For WSUS administrators, KB5071813 needs to be approved before KB5073698 will be fetched and deployed automatically.
• If you install language pack after installing KB5073698, you would need to reinstall the security update. All language pack installations must be completed before installing the monthly rollup update on Windows Server 2012.
• KB5073698 is an Extended Security Update. A valid subscription key to the ESU program is required before installing the monthly rollup update.
• Windows Server 2012 is impacted by 34 security vulnerabilities reported in Jan 2026 security bulletin.
• Three zero-day vulnerabilities have been disclosed for Windows Server 2012 and Windows Server 2012 Server Core installation in January security bulletin.
• The latest cumulative update for Internet Explorer 11 on Windows Server 2012 continues to be KB5066840 released in October 2025. So, new update for Internet Explorer is not needed in January 2026.

Servicing Stack Update KB5071813

The Servicing Stack Update for Windows Server 2012 for Jan 2026 is KB5071813. It corresponds to KB5073698 ESU.

For automated deployments of KB5073698 through the Windows Update program, the Servicing Stack Update KB5071813 is offered for installation as part of the installation process of the monthly rollup update KB5073698.

• Download KB5071813 from the Microsoft Update Catalog page – 10.1 MB

The Servicing Stack Update file is a small file around 10 MB size Upon installation, it would not cause server reboot.

Once the SSU is installed, you can proceed with the installation of the main monthly rollup update KB5073698.

Download KB5073698

You can download the monthly rollup update KB5073698 for Windows Server 2012 from the Windows Update Catalog page shared below:

• Download KB5073698 from the Microsoft Update Catalog page (453.4 MB)

We would reiterate that you need a valid ESU program subscription before you could install the ESU KB5073698 on Windows Server 2012.

Zero-day Vulnerabilities

Three new zero-day security vulnerability has been reported for Windows Server 2012 and Windows Server 2012 Server Core installation in December month’s security bulletin released by Microsoft on 13 Jan 2026.

CVE Details	CVSS Score	Comments
CVE-2023-31096	7.8	Elevation of Privilege Vulnerability in Windows Agere Soft Modem Driver
CVE-2026-21265	6.4	Secure Boot Certificate Expiration Security Feature Bypass Vulnerability
CVE-2026-20805	5.5	Desktop Window Manager Information Disclosure Vulnerability

Internet Explorer Cumulative Update – KB5066840

To secure the Windows Server 2012, you also need to patch Internet Explorer 11 with the latest cumulative update. KB5066840 is the cumulative update for Internet Explorer released on 14 October 2025. No new security update for Internet Explorer 11 was released in November 2025.

You can download the IE Cumulative Update for Windows Server 2012 from the link shared below:

Download Cumulative Update for Internet Explorer – KB5066840 (54.9 MB)

KB5073698 – Changelog

Since this is an ESU, the focus remains on securing the Windows Server 2012 deployments. The following changes have been reported for KB5073698:

• [Internal Windows OS] Miscellaneous security improvements were made to internal Windows OS functionality.
• [Windows Deployment Services (WDS)] This update introduces a change in behavior in which WDS will stop supporting hands-free deployment functionality by default. Admins should review guidance and follow instructions provided in Windows Deployment Services (WDS) Hands-Free Deployment Hardening Guidance.
• [Drivers] This update removes the following modem drivers: agrsm64.sys (x64), agrsm.sys (x86), smserl64.sys (x64) and smserial.sys (x86). Modem hardware dependent on these specific drivers will no longer work in Windows.
• [WinSqlite3.dll] Fixed: The Windows core component, WinSqlite3.dll, has been updated. Previously, some security software might have detected this component as vulnerable.