Cumulative Update 1 (CU1) for SCCM 2012 R2 SP1 and SCCM 2012 SP2 is now available. This post is a complete step-by-step SCCM 2012 R2 SP1 CU1 Installation guide. If you’re looking for a complete SCCM 2012 installation guide, see our blog series which covers it all.
Installing SCCM cumulative updates is very important to your infrastructure. It fix lots of issues, which some of them are important.
As this is the first post-R2 SP1 cumulative update, the important requirement for the installation is that SCCM 2012 R2 SP1 is installed. The latest non-R2 SP1 cumulative update is CU5. Don’t get confused, this CU could have been named CU6 (chronologically wise) but Microsoft has decided to reset the numbering due to the Service Pack release. See our SCCM 2012 versions post to have a clear view of all build numbers.
The major new functionality of CU1 is the Automatic Client Upgrade feature during CU setup wizard. This will facilitate client upgrade when applying further CU.
Latest KB are included and many bugs are fixed in this cumulative update. Follow this Microsoft Support page to see a detailed list.
Before you begin
Installing this update is very similar to prior CU. I’ll guide you through the upgrade process step-by-step in a standalone primary scenario.
- Download the update on the Microsoft Support page
This update can be applied directly to the following Systems/Roles:
- The Central Administration Site (CAS)
- Primary Site
- Secondary Site
- SMS Provider
- Configuration Manager Console
In this guide, we’ll be updating a Primary Site Server, console and clients.
SCCM 2012 R2 SP1 CU1 Installation guide
To start the installation, lauch a remote desktop session on your Primary Site Server, and run CM12_SP2R2SP1CU1-KB3074857-X64-ENU.exe
A log file will be created in C:\Windows\Temp\CM12_SP2R2SP1CU1-KB3074857-X64-ENU.log
- On the Welcome Screen, click Next
- Accept the license agreement, and click Next
- Ensure that everything is green, and click Next. On the screenshot, a restart is required before installing the CU
- Check the box to update the console, click Next
- Select Yes, update the site database, click Next
- This is the new Automatic Client Update addition. Select the behavior that you want
- Choosing the Automatically apply option results in following steps:
- Places the most recent client patch file on the site server
- Updates content on the distribution points for this site and any child sites. Note this only occurs when the cumulative update runs on the Central Administration Site (CAS)
- Updates the client package on the Management Point of the local site; this source is used in the event there are no distribution points available for client installation
- Future client installations using the Client Push method will apply the new patch automatically
- The time frame for updating the client depends on your Automatic Client Upgrade settings
- If you chose the Manually Apply option, you will need to update your client manually as in prior CU (See our Updating the clients section)
- Check all 3 checkbox (Server, Console and Clients), click Next
- Edit the package name and program to your need, click Next
- Review the Summary page, click Install
- Installation is in progress
- You can follow the installation progress in the log file (C:\Windows\Temp\CM12_SP2R2SP1CU1-KB3074857-X64-ENU.log)
- When setup is complete, click Next and then Finish
After setup is completed, launch the System Center 2012 Configuration Manager Console and verify the build number of the console. If the upgrade was successful, the console build number will be 5.0.8239.1203.
Open registry editor and check the HKLM\Software\Microsoft\SMS\Setup\ key. If the installation succeeded CULevel key value will be 1.
You can also verify both client and console version using PowerShell :
- Server : Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\SMS\Setup -Name “CULevel”
- Console : (Get-Item ($env:SMS_ADMIN_UI_PATH.Substring(0,$env:SMS_ADMIN_UI_PATH.Length – 5) + ‘\Microsoft.ConfigurationManagement.exe’)).VersionInfo.FileVersion
The client version will be updated to 5.0.8239.1203 (after updating, see section below)
This update also brings the anti-malware client version to 4.7.0209.0. You can find the version information by clicking About on the Help menu of the Endpoint Protection client UI.
Navigate to Software Library / Packages / Configuration Manager Updates
- You’ll see that your CU1 updates packages are created
- Go ahead and Distribute Content to your distribution points
Updating the Clients
If you select the Automatically Apply option in the installation wizard, your client will update using your time frame settings.
- Open the SCCM Console
- Go to Administration / Site Configuration / Sites
- Click the Hierarchy Settings in the top ribbon
- Select Automatic Client Upgrade tab
- The Upgrade client automatically when the new client update are available checkbox has been enabled
- Review your time frame and adjust it to your needs
If you select the Manually Apply option in the wizard, you will need to update your client manually.
This update contains 2 update packages for client installations. One for 32-bit clients and one for 64-bit clients.
Create two collections for the client upgrade. (If not already done in previous CU)
All-x64-based Clients[pastacode lang=”sql” message=”” highlight=”” provider=”manual” manual=”select%20SMS_R_SYSTEM.ResourceID%2CSMS_R_SYSTEM.ResourceType%2CSMS_R_SYSTEM.Name%2CSMS_R_SYSTEM.SMSUniqueIdentifier%2CSMS_R_SYSTEM.ResourceDomainORWorkgroup%2CSMS_R_SYSTEM.Client%20from%20SMS_R_System%20inner%20join%20SMS_G_System_COMPUTER_SYSTEM%20on%20SMS_G_System_COMPUTER_SYSTEM.ResourceId%20%3D%20SMS_R_System.ResourceId%20where%20SMS_G_System_COMPUTER_SYSTEM.SystemType%20%3D%20%22X64-based%20PC%22″/]
All-x86-based Clients[pastacode lang=”sql” message=”” highlight=”” provider=”manual” manual=”select%20SMS_R_SYSTEM.ResourceID%2CSMS_R_SYSTEM.ResourceType%2CSMS_R_SYSTEM.Name%2CSMS_R_SYSTEM.SMSUniqueIdentifier%2CSMS_R_SYSTEM.ResourceDomainORWorkgroup%2CSMS_R_SYSTEM.Client%20from%20SMS_R_System%20inner%20join%20SMS_G_System_COMPUTER_SYSTEM%20on%20SMS_G_System_COMPUTER_SYSTEM.ResourceId%20%3D%20SMS_R_System.ResourceId%20where%20SMS_G_System_COMPUTER_SYSTEM.SystemType%20%3D%20%22X86-based%20PC%22″/]
Adjust the package options to fit your environments and deploy the update to your clients.
Once deployed I like to create a collection that targets clients without the latest CU. I use it to monitor which client haven’t been updated yet.
Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script)[pastacode lang=”sql” message=”” highlight=”” provider=”manual” manual=”select%20SMS_R_SYSTEM.ResourceID%2CSMS_R_SYSTEM.ResourceType%2CSMS_R_SYSTEM.Name%2CSMS_R_SYSTEM.SMSUniqueIdentifier%2CSMS_R_SYSTEM.ResourceDomainORWorkgroup%2CSMS_R_SYSTEM.Client%20from%20SMS_R_System%20where%20SMS_R_System.ClientVersion%20!%3D%20’5.0.8239.1203′”/]
Happy updating ! 🙂
Actually, Spain is one of the few countries in the world whose national anthem doesn’t have any words! You might remember that no one was singing anything on the Spanish side yesterday.
If I check the don’t upgrade servers will my 300 pull dps upgrade as they are site systems. The server admins don’t want this hitting their servers until they qa it. But I wanna make sure it upgrades the dp site servers. What exactly does the check box for don’t upgrade servers apply to? Is it all servers? Does it include site systems which are running on server os? We have just the primary and then lots of dps. I want them to upgrade the pull dps to the newer version.
The check box for Don’t Upgrade servers is only for the SCCM client, not for site system servers.
Installing CU on a primary server will NOT trigger an update on PullDP or other site server system.
There is no real upgrade for PullDP. You should upgrade the SCCM client on those PullDP servers.
You should also consider CU2 instead of CU1. Here the blog post about it : https://systemcenterdudes.com/step-by-step-sccm-2012-r2-sp1-cu2-installation-guide/
I was wondering if this CU1 Update is supposed to fix the issue with Client Location Services not choosing the correct Management Point despite having the option enabled under the Site Hierarchy Properties which says “Clients Prefer To Use Management Points in Boundary Groups”…etc or something to that effect.
I see in the MS Hotfix Details this update is supposed to address the above issue in “Standalone Primary” environments but nothing that says it would fix the same issue in a Hierarchy Environment.
pita / sinceramente com pode um cara saber que tais organismo tem 34,000 mil anos, sÃ³ espero que esse rapaz nÃ£o apareÃ§a cheio de tentaculos com a manipulaÃ§Ã£o dessas coisas.Gostei deste comentÃ¡rio ou nÃ£o: 2
Hello Mjqian, and anyone else interested:
This is not the Microsoft specific explanation, but it does give background and reasoning why they did this. It’s has to do with the security structure within windows 10.
Start at 10:20 location on video for idea. I’m not advocating this site, nor affiliated with it.
Thanks Benoit for this great post, Here i have some different senario
I have A CAS 2 Primary and 7 Secondry Sites out of which 2 secondry site reporting to one and rest 5 are reporting to other.
How am i suppose to install the cu 1 in my hirerarchy i mean do i rum it in cas update site DB and creates different packages and then distribute those packages to primary and secondry
I ready STGdb question and it seems very similar to our scenario but I wanted to get clarification. We have 1 primary site and we had someone come in to build and upgraded our 2012 our infrastructure to SP1 CU1. Much like STGdb, the version remains at 5.00.8239.1000 but our clients show as 1203. Based on your earlier comments, that seems perfectly normal. We have a single primary site which consists of 2 management points, a fall back management point, a application catalog, and a bunch of distribution points. What I do not get is that you stated the CU1 KB3074857 – Server update is for site servers only (ie just the primary site server), but the vendor pushed the update out to all the site systems collection (ie every sccm server). All the updates are failing, but it seems he incorrectly pushed it in the first place. If you have to manually install it in the first place, why would you ever deploy the server update? Is it just if you have a secondary site? Also, the Microsoft article I ready says it can also be installed on an SMS Provider, but I am not sure what that is or means. Any clarification would be very helpful. Thanks.
The Server Update is used for other Primary sites or site system hosting an SMS Provider. You can see if you have multiple SMS Provider in the console in Administration / Site System. Check the roles of each machine.
Secondary sites are updated using the console.
If you have a simple setup with one Primary Site and 1 SMS Provider, you won’t need to use this update package.
Caitlin and myself have not stopped laughing at ‘away in a manger’ done in a very unique way……it’s officially a first that someone managed to get a lipstick in a Christmas carol, the twirling was magnificent and the chesty cough was the icing on the Christmas cake……have a fantastic Christmas. Love jackie xxx
Are you sure about the anti-malware client version to 4.7.0209.0 ??
My win 7 and 2012r2 machines are at 22.214.171.124 before the update.
Thanks for the Guide.
After CU1 Installation unfortunately I have Problems with SUP – the WSUS Synchronization Fails.
WSUS Synchronization failed.
Message: WSUS server not configured. Please refer to WCM.log for configuration error details..
The operating system reported error 2147500037: Unspecified error
Failed to create assembly name object for Microsoft.UpdateServices.Administration. Error = 0x80131701. SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)
Checking runtime v4.0.30319… SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)
Found supported assembly Microsoft.UpdateServices.Administration version 126.96.36.199, file version 6.3.9600.16384 SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)
Found supported assembly Microsoft.UpdateServices.BaseApi version 188.8.131.52, file version 6.3.9600.16384 SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)
Supported WSUS version found SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)
Attempting connection to WSUS server: SRV99WI017.notariate.ktzh.ch, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)
System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: Server was unable to process request. —> System.TypeInitializationException: The type initializer for ‘Microsoft.UpdateServices.Internal.ApiRemoting’ threw an exception. —> System.UnauthorizedAccessException: Access to the path ‘Update Services’ is denied.~ at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)~ at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)~ at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)~ at Microsoft.UpdateServices.Log.GetUsableLogFileName(String fileName, LogFileLocation& actualLogLocation)~ at Microsoft.UpdateServices.Log.InitializeFromConfig()~ at Microsoft.UpdateServices.Log.InitializeIfNeeded()~ at Microsoft.UpdateServices.Internal.ApiRemoting..cctor()~ — End of inner exception stack trace —~ at Microsoft.UpdateServices.Internal.ApiRemoting..ctor()~ — End of inner exception stack trace —~~ at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object args)~~ at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)
Remote configuration failed on WSUS Server. SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)
Are you using a proxy or custom ports for WSUS ?
Yes, we’re using a Proxy for synchronizing software updates and downloading Content and custom ports 8530/8531 to contact WSUS.
There was a problem with the Connection String to the external SQL Server inside the WSUS Config. Now everything is working fine again.
We had a similar issue with the Sync failing. It turned out that the problem was related to Shavlik Patch. We went to the catalog and uncheck the 3rd party patches we had selected for Shavlik Patch and the Sync started working again.
Do you know if the Shavlik issue has been resolved?
Can I upgrade the client from R2CU5 directly to R2SP1CU1?
Can I install CU1 immediately after SP1? Reboot necessary? Any amount of time or process I need to wait for before proceeding with the CU install?
You can install CU1 as soon as the SP1 installation is complete. If you are in a hierarchy, be sure that replication is complete.
Thanks for the GREAT article, it helps me to verify our own install.
We are running SCCM 2012 R2 SP1 CU1. Our console and clients are updated and running 5.00.8239.1203 but the site version remains at 5.00.8239.1000 (even thought we told it to update everything during the CU1 install). We only have the one site server but I am wondering if we need to deploy the CU1 server update package (CU1 KB3074857 – server update) that the CU1 update installed onto our site? I didn’t see that step mentioned in the article so I don’t know if the SCCM 2012 R2 SP1 CU1 site version should remain at 1000 or whether it should also change to 1203?
Site version only update to major version (RTM,SP1,SP2), Cumulative Update doesn’t reflet on the site version. If you applied CU1 on your site server you don’t need to apply the package. The package is created for other site servers which you don’t have.
As we still have mixed environment of 2007 & 2012. Will this new “Automatic Client Upgrade” ONLY upgrade those 2012 clients or 2007 clients?
I guess it should work but haven’t test that scenario.
thanks a lot for sharing your experiences, perfect guides for updating the SCCM environment.
At the moment we are planing to update our environment from version SCCM 2012 R2 CU to SP1 CU1. Now i have a question.
If i’m right we have to do the update in two steps because of the server replication delay time (first SP1 and a few days later CU1). It would be interesting to know if we have to update the clients only once or do we have to rollout the SP1 client update first? Is it possible to do the step from R2 CU4 to R2 SP1 CU1 directly?
You can update your client directly to SP1 CU1.
Hi Mr. Lecours
Thanks for your pretty helpful post.
i have installed cu1 and successfully complete (fires primary site and then secondary site). but client version on my ConfigMgr server (Primary and Secondary Sites) still is 5.00.8239.1000
what shall i do?
This update seemed to break HTTPS communication for me. I have my SCCM environment working on PKI infrastructure and after installing this update, WSUS and IIS seem to be broken and complaining about Ports not communicating over HTTP.
I have the same problem after update.
I have error “Call to HttpSendRequestSync failed for port 443 with status code 500, text: Internal Server Error” in mpcontrol.log
I try run iisreset and register asp.net but I have no luck.
Hi Michael & Oleg
Did either of you manage to fix your issues with HTTPS?
We haven’t applied the update yet, and use HTTPS for MP comms…
Just try to reinstall SCCM Client on site server (i do it over push).
I don’t now how, but it’s resolve my issue with HTTPS 500 MP error.
Thanks four your guide.
Sorry for my english : it’s very poor.
Well, i have an infrastructure TEST. It’s an environnelent cloud installed by my collegues.
I have one server primary sccl 2012 R2 with 2 servers only with a role DP.
yesterday i have upgraded to SP1 without problem. But now, i have 1 problem : new package named “config manager client” (size 180 mo) doesn’t copy on DP. WHY ?
What do i do on servers DP ?
Can you help me ?
Thanks in advance
Regardez les logs de distribution afin de savoir ce qui ne fonctionne pas. Les DP n’ont pas besoin d’être mis à jour à SP1 mais leur client respectif oui.
Great post, thanks. Also, is it correct that the Site version and the Admin Console version numbers should not match?
Great post! I was also wondering why Site Version isn’t updated from SP1… it says it does.. probably do but not visible?
Thanks ! Sorry but I don’t understand your question
Yes, Console will shows CU version but the site version is updated only on major release. (RTM, R2, SP1)
Hi Benoit, and thanks for this great step by step documentation.
We have just done the upgrade in SP1 CU1, and some question stay :
Is it normal that site version stay in 5.00.8239.1000 (I think so, it’s the same on your picture) ?
And what about the MP server client version (which is 5.00.8239.1000 too) ?
I’ve just the same problem ;/
Thanks for this goot documentation step by step
Just a question about the console after the installation of the CU
Is it possible to create a device collection to check the installed Console (r2 sp1) CU1 ?
i don’t found any information in the registry to check the version 5.0.823.1203
Thanks for the write up. It looks very good. Since there are no updates that impact the imaging process do you still recommend updating provisioning Task Sequences to include the new client? I haven’t dug into the client package yet, but I assume that this is a MSP patch that goes to the SCCM 2012 R2 SP1 client? If so, that means we would need to use the same existing methods to install a PATCH during installation of the SCCM client during OSD.
James, I was wondering how you added the update to your OSD task sequences as well? I didn’t see a reply and was hoping someone could chime in with their suggestion as I’m struggling to come up with the best solution.
What other servers than the primary site server should we deploy the server update to? Do site systems need the update?
As stated in the article :
This update can be applied directly to the following Systems/Roles:
The Central Administration Site (CAS)
Configuration Manager Console
Site systems (DP,RP,SUP…) if located on separate server doesn’t need to be updated.
Hí Benoit Lecours,
Thanks for sharing his knowledge.
Pingback: Step-by-Step SCCM 2012 R2 SP1 CU1 Installation guide | MS Tech BLOG
Did you try to install console update silently? Everytime I get an error (1603) and “An installation package for the product System Center Configuration Manager Console cannot be found. Try the installation again using a valid copy of the installation package ‘adminconsole.msi’.”
but if I use commandline “msiexec.exe /p \\sccm\SMS_ASD\hotfix\KB3074857\AdminConsole\i386\configmgr2012adminui-sp2r2sp1-kb3074857-i386.msp /L*v c:\configmgr2012adminui-sp2r2sp1-kb3074857-i386.msp.LOG REINSTALLMODE=mous REINSTALL=ALL” everything is OK.
The same thing with a new console update from KB3081699. Same error.
This could be a permission error. When you launch the installation using SCCM, it runs with the SYSTEM account.
Check if the SYSTEM account has rights on \\sccm\SMS_ASD\hotfix\KB3074857\AdminConsole\i386\configmgr2012adminui-sp2r2sp1-kb3074857-i386.msp
You can also test this manually by launching a command prompt using the SYSTEM account (using psexec -i -s)
Is it possible to select the option to manually/automatically apply the CU across the environment outside of the install?
Go to Administration / Site Configuration / Sites
Click the Hierarchy Settings in the top ribbon
Select Automatic Client Upgrade tab
Enable the “Upgrade client automatically when the new client update are available” checkbox
Done ! 🙂
I upgraded to CU1 and during the installation I didn’t get the option for automatic /manual upgrade, not sure why. Our lab is stand alone primary site server. Can someone assist on why. After upgrade is complete, in Hierarchy settings the option to Enable the automatic client push is greyed out. All registry key seems to be updated correct as expected.
First time I heard something like this. Have you look the CU1 installation log located in C:\Windows\Temp ?
I am not able to open the log ConfigMgrUpdateSetup.log. It crashes whenever I open, even in notepad it displays as ASCII.
Hum… never seen that one
Check out the first ‘Important’ box here https://technet.microsoft.com/en-us/library/Hh508770.aspx?f=255&MSPPError=-2147217396
“If you manage endpoint protection for Windows 10 Technical Preview computers, then you must configure System Center 2012 Configuration Manager to update and distribute malware definitions for Windows Defender. Because Windows Defender is included in Windows 10, an endpoint protection agent does not need to be deployed to client computers.”
Hi Aaron and QMJ,
We’ll make a blog post dedicated to Endpoint Protection this week. Stay tuned 😉
Hi Benoit 🙂 Hope you are doing well. Have you noticed that Microsoft removed endpoint protection on WIN10 and use Windows defender ONLY. There is no KB and blog mentioned this change.