Step-by-Step SCCM 2012 R2 SP1 CU1 Installation Guide

Benoit LecoursSCCM60 Comments

Cumulative Update 1 (CU1) for SCCM 2012 R2 SP1 and SCCM 2012 SP2 is now available. This post is a complete step-by-step SCCM 2012 R2 SP1 CU1 Installation guide. If you’re looking for a complete SCCM 2012 installation guide, see our blog series which covers it all.

Installing SCCM cumulative updates is very important to your infrastructure. It fix lots of issues, which some of them are important.

As this is the first post-R2 SP1 cumulative update, the important requirement for the installation is that SCCM 2012 R2 SP1 is installed. The latest non-R2 SP1 cumulative update is CU5. Don’t get confused, this CU could have been named CU6 (chronologically wise) but Microsoft has decided to reset the numbering due to the Service Pack release. See our SCCM 2012 versions post to have a clear view of all build numbers.


The major new functionality of CU1 is the Automatic Client Upgrade feature during CU setup wizard. This will facilitate client upgrade when applying further CU.

Latest KB are included and many bugs are fixed in this cumulative update. Follow this Microsoft Support page to see a detailed list.

Before you begin

Installing this update is very similar to prior CU. I’ll guide you through the upgrade process step-by-step in a standalone primary scenario.

This update can be applied directly to the following Systems/Roles:

  • The Central Administration Site (CAS)
  • Primary Site
  • Secondary Site
  • SMS Provider
  • Configuration Manager Console

In this guide, we’ll be updating a Primary Site Server, console and clients.

SCCM 2012 R2 SP1 CU1 Installation guide

To start the installation, lauch a remote desktop session on your Primary Site Server, and run CM12_SP2R2SP1CU1-KB3074857-X64-ENU.exe

A log file will be created in C:\Windows\Temp\CM12_SP2R2SP1CU1-KB3074857-X64-ENU.log

  • On the Welcome Screen, click Next

SCCM 2012 R2 SP1 CU1 Installation guide

  • Accept the license agreement, and click Next

SCCM 2012 R2 SP1 CU1 Installation guide

  • Ensure that everything is green, and click Next. On the screenshot, a restart is required before installing the CU

SCCM 2012 R2 SP1 CU1 Installation guide

  • Check the box to update the console, click Next

SCCM 2012 R2 SP1 CU1 Installation guide

  • Select Yes, update the site database, click Next

SCCM 2012 R2 SP1 CU1 Installation guide

  • This is the new Automatic Client Update addition. Select the behavior that you want
  • Choosing the Automatically apply option results in following steps:
    • Places the most recent client patch file on the site server
    • Updates content on the distribution points for this site and any child sites. Note this only occurs when the cumulative update runs on the Central Administration Site (CAS)
    • Updates the client package on the Management Point of the local site; this source is used in the event there are no distribution points available for client installation
    • Future client installations using the Client Push method will apply the new patch automatically
    • The time frame for updating the client depends on your Automatic Client Upgrade settings
  • If you chose the Manually Apply option, you will need to update your client manually as in prior CU (See our Updating the clients section)

SCCM 2012 R2 SP1 CU1 Installation guide

  • Check all 3 checkbox (Server, Console and Clients), click Next

SCCM 2012 R2 SP1 CU1 Installation guide

  • Edit the package name and program to your need, click Next

SCCM 2012 R2 SP1 CU1 Installation guide

SCCM 2012 R2 SP1 CU1 Installation guide

  • Review the Summary page, click Install

SCCM 2012 R2 SP1 CU1 Installation guide

  • Installation is in progress

SCCM 2012 R2 SP1 CU1 Installation guide

  • You can follow the installation progress in the log file (C:\Windows\Temp\CM12_SP2R2SP1CU1-KB3074857-X64-ENU.log)

SCCM 2012 R2 SP1 CU1 Installation guide

  • When setup is complete, click Next and then Finish

SCCM 2012 R2 SP1 CU1 Installation guide



After setup is completed, launch the System Center 2012 Configuration Manager Console and verify the build number of the console. If the upgrade was successful, the console build number will be 5.0.8239.1203.

SCCM 2012 R2 SP1 CU1 Installation guide


Open registry editor and check the HKLM\Software\Microsoft\SMS\Setup\ key. If the installation succeeded CULevel key value will be 1.

SCCM 2012 R2 SP1 CU1 Installation guide

You can also verify both client and console version using PowerShell :

  • Server : Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\SMS\Setup -Name “CULevel”
  • Console : (Get-Item ($env:SMS_ADMIN_UI_PATH.Substring(0,$env:SMS_ADMIN_UI_PATH.Length – 5) + ‘\Microsoft.ConfigurationManagement.exe’)).VersionInfo.FileVersion

SCCM 2012 R2 SP1 CU1 Installation guide


The client version will be updated to 5.0.8239.1203 (after updating, see section below)

SCCM 2012 R2 SP1 CU1 Installation guide

This update also brings the anti-malware client version to 4.7.0209.0. You can find the version information by clicking About on the Help menu of the Endpoint Protection client UI.

Package distribution

Navigate to Software Library / Packages / Configuration Manager Updates

  • You’ll see that your CU1 updates packages are created

SCCM 2012 R2 SP1 CU1 Installation guide

  • Go ahead and Distribute Content to your distribution points

SCCM 2012 R2 SP1 CU1 Installation guide

Updating the Clients

If you select the Automatically Apply option in the installation wizard, your client will update using your time frame settings.

  • Open the SCCM Console
  • Go to Administration / Site Configuration / Sites
  • Click the Hierarchy Settings in the top ribbon
  • Select Automatic Client Upgrade tab
  • The Upgrade client automatically when the new client update are available checkbox has been enabled
  • Review your time frame and adjust it to your needs

SCCM 2012 R2 SP1 CU1 Installation guide

If you select the Manually Apply option in the wizard, you will need to update your client manually.

This update contains 2 update packages for client installations. One for 32-bit clients and one for 64-bit clients.

Create two collections for the client upgrade. (If not already done in previous CU)

All-x64-based Clients

[pastacode lang=”sql” message=”” highlight=”” provider=”manual” manual=”select%20SMS_R_SYSTEM.ResourceID%2CSMS_R_SYSTEM.ResourceType%2CSMS_R_SYSTEM.Name%2CSMS_R_SYSTEM.SMSUniqueIdentifier%2CSMS_R_SYSTEM.ResourceDomainORWorkgroup%2CSMS_R_SYSTEM.Client%20from%20SMS_R_System%20inner%20join%20SMS_G_System_COMPUTER_SYSTEM%20on%20SMS_G_System_COMPUTER_SYSTEM.ResourceId%20%3D%20SMS_R_System.ResourceId%20where%20SMS_G_System_COMPUTER_SYSTEM.SystemType%20%3D%20%22X64-based%20PC%22″/]

All-x86-based Clients

[pastacode lang=”sql” message=”” highlight=”” provider=”manual” manual=”select%20SMS_R_SYSTEM.ResourceID%2CSMS_R_SYSTEM.ResourceType%2CSMS_R_SYSTEM.Name%2CSMS_R_SYSTEM.SMSUniqueIdentifier%2CSMS_R_SYSTEM.ResourceDomainORWorkgroup%2CSMS_R_SYSTEM.Client%20from%20SMS_R_System%20inner%20join%20SMS_G_System_COMPUTER_SYSTEM%20on%20SMS_G_System_COMPUTER_SYSTEM.ResourceId%20%3D%20SMS_R_System.ResourceId%20where%20SMS_G_System_COMPUTER_SYSTEM.SystemType%20%3D%20%22X86-based%20PC%22″/]

Adjust the package options to fit your environments and deploy the update to your clients.

Once deployed I like to create a collection that targets clients without the latest CU. I use it to monitor which client haven’t been updated yet.

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script)

[pastacode lang=”sql” message=”” highlight=”” provider=”manual” manual=”select%20SMS_R_SYSTEM.ResourceID%2CSMS_R_SYSTEM.ResourceType%2CSMS_R_SYSTEM.Name%2CSMS_R_SYSTEM.SMSUniqueIdentifier%2CSMS_R_SYSTEM.ResourceDomainORWorkgroup%2CSMS_R_SYSTEM.Client%20from%20SMS_R_System%20where%20SMS_R_System.ClientVersion%20!%3D%20’5.0.8239.1203′”/]

Happy updating ! 🙂

60 Comments on “Step-by-Step SCCM 2012 R2 SP1 CU1 Installation Guide”

  1. If I check the don’t upgrade servers will my 300 pull dps upgrade as they are site systems. The server admins don’t want this hitting their servers until they qa it. But I wanna make sure it upgrades the dp site servers. What exactly does the check box for don’t upgrade servers apply to? Is it all servers? Does it include site systems which are running on server os? We have just the primary and then lots of dps. I want them to upgrade the pull dps to the newer version.

    1. Hi Sam,

      The check box for Don’t Upgrade servers is only for the SCCM client, not for site system servers.
      Installing CU on a primary server will NOT trigger an update on PullDP or other site server system.

      There is no real upgrade for PullDP. You should upgrade the SCCM client on those PullDP servers.

      You should also consider CU2 instead of CU1. Here the blog post about it :


  2. Hello,

    I was wondering if this CU1 Update is supposed to fix the issue with Client Location Services not choosing the correct Management Point despite having the option enabled under the Site Hierarchy Properties which says “Clients Prefer To Use Management Points in Boundary Groups”…etc or something to that effect.

    I see in the MS Hotfix Details this update is supposed to address the above issue in “Standalone Primary” environments but nothing that says it would fix the same issue in a Hierarchy Environment.


  3. Hello Mjqian, and anyone else interested:

    This is not the Microsoft specific explanation, but it does give background and reasoning why they did this. It’s has to do with the security structure within windows 10.

    Start at 10:20 location on video for idea. I’m not advocating this site, nor affiliated with it.

  4. Thanks Benoit for this great post, Here i have some different senario
    I have A CAS 2 Primary and 7 Secondry Sites out of which 2 secondry site reporting to one and rest 5 are reporting to other.
    How am i suppose to install the cu 1 in my hirerarchy i mean do i rum it in cas update site DB and creates different packages and then distribute those packages to primary and secondry

  5. Benoit,

    I ready STGdb question and it seems very similar to our scenario but I wanted to get clarification. We have 1 primary site and we had someone come in to build and upgraded our 2012 our infrastructure to SP1 CU1. Much like STGdb, the version remains at 5.00.8239.1000 but our clients show as 1203. Based on your earlier comments, that seems perfectly normal. We have a single primary site which consists of 2 management points, a fall back management point, a application catalog, and a bunch of distribution points. What I do not get is that you stated the CU1 KB3074857 – Server update is for site servers only (ie just the primary site server), but the vendor pushed the update out to all the site systems collection (ie every sccm server). All the updates are failing, but it seems he incorrectly pushed it in the first place. If you have to manually install it in the first place, why would you ever deploy the server update? Is it just if you have a secondary site? Also, the Microsoft article I ready says it can also be installed on an SMS Provider, but I am not sure what that is or means. Any clarification would be very helpful. Thanks.

    1. Hi Daemon,

      The Server Update is used for other Primary sites or site system hosting an SMS Provider. You can see if you have multiple SMS Provider in the console in Administration / Site System. Check the roles of each machine.

      Secondary sites are updated using the console.

      If you have a simple setup with one Primary Site and 1 SMS Provider, you won’t need to use this update package.

      1. Caitlin and myself have not stopped laughing at ‘away in a manger’ done in a very unique way……it’s officially a first that someone managed to get a lipstick in a Christmas carol, the twirling was magnificent and the chesty cough was the icing on the Christmas cake……have a fantastic Christmas. Love jackie xxx

  6. Thanks for the Guide.
    After CU1 Installation unfortunately I have Problems with SUP – the WSUS Synchronization Fails.

    WSUS Synchronization failed.
    Message: WSUS server not configured. Please refer to WCM.log for configuration error details..
    Source: CWSyncMgr::DoSync.
    The operating system reported error 2147500037: Unspecified error

    Failed to create assembly name object for Microsoft.UpdateServices.Administration. Error = 0x80131701. SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)
    Checking runtime v4.0.30319… SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)
    Found supported assembly Microsoft.UpdateServices.Administration version, file version 6.3.9600.16384 SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)
    Found supported assembly Microsoft.UpdateServices.BaseApi version, file version 6.3.9600.16384 SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)
    Supported WSUS version found SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)
    Attempting connection to WSUS server:, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)
    System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: Server was unable to process request. —> System.TypeInitializationException: The type initializer for ‘Microsoft.UpdateServices.Internal.ApiRemoting’ threw an exception. —> System.UnauthorizedAccessException: Access to the path ‘Update Services’ is denied.~ at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)~ at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)~ at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)~ at Microsoft.UpdateServices.Log.GetUsableLogFileName(String fileName, LogFileLocation& actualLogLocation)~ at Microsoft.UpdateServices.Log.InitializeFromConfig()~ at Microsoft.UpdateServices.Log.InitializeIfNeeded()~ at Microsoft.UpdateServices.Internal.ApiRemoting..cctor()~ — End of inner exception stack trace —~ at Microsoft.UpdateServices.Internal.ApiRemoting..ctor()~ — End of inner exception stack trace —~~ at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)
    Remote configuration failed on WSUS Server. SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)

        1. There was a problem with the Connection String to the external SQL Server inside the WSUS Config. Now everything is working fine again.
          Cheers Sam

    1. We had a similar issue with the Sync failing. It turned out that the problem was related to Shavlik Patch. We went to the catalog and uncheck the 3rd party patches we had selected for Shavlik Patch and the Sync started working again.

  7. Can I install CU1 immediately after SP1? Reboot necessary? Any amount of time or process I need to wait for before proceeding with the CU install?

    1. You can install CU1 as soon as the SP1 installation is complete. If you are in a hierarchy, be sure that replication is complete.

  8. Thanks for the GREAT article, it helps me to verify our own install.

    We are running SCCM 2012 R2 SP1 CU1. Our console and clients are updated and running 5.00.8239.1203 but the site version remains at 5.00.8239.1000 (even thought we told it to update everything during the CU1 install). We only have the one site server but I am wondering if we need to deploy the CU1 server update package (CU1 KB3074857 – server update) that the CU1 update installed onto our site? I didn’t see that step mentioned in the article so I don’t know if the SCCM 2012 R2 SP1 CU1 site version should remain at 1000 or whether it should also change to 1203?

    Thanks again!!

    1. Site version only update to major version (RTM,SP1,SP2), Cumulative Update doesn’t reflet on the site version. If you applied CU1 on your site server you don’t need to apply the package. The package is created for other site servers which you don’t have.

  9. Hi,
    As we still have mixed environment of 2007 & 2012. Will this new “Automatic Client Upgrade” ONLY upgrade those 2012 clients or 2007 clients?

  10. Hi Benoit,

    thanks a lot for sharing your experiences, perfect guides for updating the SCCM environment.
    At the moment we are planing to update our environment from version SCCM 2012 R2 CU to SP1 CU1. Now i have a question.

    If i’m right we have to do the update in two steps because of the server replication delay time (first SP1 and a few days later CU1). It would be interesting to know if we have to update the clients only once or do we have to rollout the SP1 client update first? Is it possible to do the step from R2 CU4 to R2 SP1 CU1 directly?


  11. Hi Mr. Lecours

    Thanks for your pretty helpful post.
    i have installed cu1 and successfully complete (fires primary site and then secondary site). but client version on my ConfigMgr server (Primary and Secondary Sites) still is 5.00.8239.1000
    what shall i do?

  12. This update seemed to break HTTPS communication for me. I have my SCCM environment working on PKI infrastructure and after installing this update, WSUS and IIS seem to be broken and complaining about Ports not communicating over HTTP.

    Any suggestions?

    1. I have the same problem after update.
      I have error “Call to HttpSendRequestSync failed for port 443 with status code 500, text: Internal Server Error” in mpcontrol.log
      I try run iisreset and register but I have no luck.

      1. Hi Michael & Oleg

        Did either of you manage to fix your issues with HTTPS?

        We haven’t applied the update yet, and use HTTPS for MP comms…

        1. Just try to reinstall SCCM Client on site server (i do it over push).
          I don’t now how, but it’s resolve my issue with HTTPS 500 MP error.

  13. Hi
    Thanks four your guide.
    Sorry for my english : it’s very poor.
    Well, i have an infrastructure TEST. It’s an environnelent cloud installed by my collegues.
    I have one server primary sccl 2012 R2 with 2 servers only with a role DP.
    yesterday i have upgraded to SP1 without problem. But now, i have 1 problem : new package named “config manager client” (size 180 mo) doesn’t copy on DP. WHY ?
    What do i do on servers DP ?
    Can you help me ?
    Thanks in advance

    1. Regardez les logs de distribution afin de savoir ce qui ne fonctionne pas. Les DP n’ont pas besoin d’être mis à jour à SP1 mais leur client respectif oui.

  14. Hi Benoit, and thanks for this great step by step documentation.
    We have just done the upgrade in SP1 CU1, and some question stay :
    Is it normal that site version stay in 5.00.8239.1000 (I think so, it’s the same on your picture) ?
    And what about the MP server client version (which is 5.00.8239.1000 too) ?

  15. Thanks for this goot documentation step by step
    Just a question about the console after the installation of the CU
    Is it possible to create a device collection to check the installed Console (r2 sp1) CU1 ?
    i don’t found any information in the registry to check the version 5.0.823.1203
    Many Thanks

  16. Thanks for the write up. It looks very good. Since there are no updates that impact the imaging process do you still recommend updating provisioning Task Sequences to include the new client? I haven’t dug into the client package yet, but I assume that this is a MSP patch that goes to the SCCM 2012 R2 SP1 client? If so, that means we would need to use the same existing methods to install a PATCH during installation of the SCCM client during OSD.

    1. James, I was wondering how you added the update to your OSD task sequences as well? I didn’t see a reply and was hoping someone could chime in with their suggestion as I’m struggling to come up with the best solution.

  17. What other servers than the primary site server should we deploy the server update to? Do site systems need the update?

    1. As stated in the article :

      This update can be applied directly to the following Systems/Roles:

      The Central Administration Site (CAS)
      Primary Site
      Secondary Site
      SMS Provider
      Configuration Manager Console

      Site systems (DP,RP,SUP…) if located on separate server doesn’t need to be updated.

  18. Pingback: Step-by-Step SCCM 2012 R2 SP1 CU1 Installation guide | MS Tech BLOG

  19. Did you try to install console update silently? Everytime I get an error (1603) and “An installation package for the product System Center Configuration Manager Console cannot be found. Try the installation again using a valid copy of the installation package ‘adminconsole.msi’.”
    but if I use commandline “msiexec.exe /p \\sccm\SMS_ASD\hotfix\KB3074857\AdminConsole\i386\configmgr2012adminui-sp2r2sp1-kb3074857-i386.msp /L*v c:\configmgr2012adminui-sp2r2sp1-kb3074857-i386.msp.LOG REINSTALLMODE=mous REINSTALL=ALL” everything is OK.
    The same thing with a new console update from KB3081699. Same error.

    1. This could be a permission error. When you launch the installation using SCCM, it runs with the SYSTEM account.

      Check if the SYSTEM account has rights on \\sccm\SMS_ASD\hotfix\KB3074857\AdminConsole\i386\configmgr2012adminui-sp2r2sp1-kb3074857-i386.msp

      You can also test this manually by launching a command prompt using the SYSTEM account (using psexec -i -s)

    1. Sure,
      Go to Administration / Site Configuration / Sites
      Click the Hierarchy Settings in the top ribbon
      Select Automatic Client Upgrade tab
      Enable the “Upgrade client automatically when the new client update are available” checkbox

      Done ! 🙂

      1. I upgraded to CU1 and during the installation I didn’t get the option for automatic /manual upgrade, not sure why. Our lab is stand alone primary site server. Can someone assist on why. After upgrade is complete, in Hierarchy settings the option to Enable the automatic client push is greyed out. All registry key seems to be updated correct as expected.

          1. I am not able to open the log ConfigMgrUpdateSetup.log. It crashes whenever I open, even in notepad it displays as ASCII.

  20. Check out the first ‘Important’ box here

    “If you manage endpoint protection for Windows 10 Technical Preview computers, then you must configure System Center 2012 Configuration Manager to update and distribute malware definitions for Windows Defender. Because Windows Defender is included in Windows 10, an endpoint protection agent does not need to be deployed to client computers.”

  21. Hi Benoit 🙂 Hope you are doing well. Have you noticed that Microsoft removed endpoint protection on WIN10 and use Windows defender ONLY. There is no KB and blog mentioned this change.

Leave a Reply