Cumulative Update 1 (CU1) for SCCM 2012 R2 SP1 and SCCM 2012 SP2 is now available. This post is a complete step-by-step SCCM 2012 R2 SP1 CU1 Installation guide. If you’re looking for a complete SCCM 2012 installation guide, see our blog series which covers it all.

Installing SCCM cumulative updates is very important to your infrastructure. It fix lots of issues, which some of them are important.

As this is the first post-R2 SP1 cumulative update, the important requirement for the installation is that SCCM 2012 R2 SP1 is installed. The latest non-R2 SP1 cumulative update is CU5. Don’t get confused, this CU could have been named CU6 (chronologically wise) but Microsoft has decided to reset the numbering due to the Service Pack release. See our SCCM 2012 versions post to have a clear view of all build numbers.


The major new functionality of CU1 is the Automatic Client Upgrade feature during CU setup wizard. This will facilitate client upgrade when applying further CU.

Latest KB are included and many bugs are fixed in this cumulative update. Follow this Microsoft Support page to see a detailed list.

Before you begin

Installing this update is very similar to prior CU. I’ll guide you through the upgrade process step-by-step in a standalone primary scenario.

This update can be applied directly to the following Systems/Roles:

  • The Central Administration Site (CAS)
  • Primary Site
  • Secondary Site
  • SMS Provider
  • Configuration Manager Console

In this guide, we’ll be updating a Primary Site Server, console and clients.

SCCM 2012 R2 SP1 CU1 Installation guide

To start the installation, lauch a remote desktop session on your Primary Site Server, and run CM12_SP2R2SP1CU1-KB3074857-X64-ENU.exe

A log file will be created in C:\Windows\Temp\CM12_SP2R2SP1CU1-KB3074857-X64-ENU.log

  • On the Welcome Screen, click Next

SCCM 2012 R2 SP1 CU1 Installation guide

  • Accept the license agreement, and click Next

SCCM 2012 R2 SP1 CU1 Installation guide

  • Ensure that everything is green, and click Next. On the screenshot, a restart is required before installing the CU

SCCM 2012 R2 SP1 CU1 Installation guide

  • Check the box to update the console, click Next

SCCM 2012 R2 SP1 CU1 Installation guide

  • Select Yes, update the site database, click Next

SCCM 2012 R2 SP1 CU1 Installation guide

  • This is the new Automatic Client Update addition. Select the behavior that you want
  • Choosing the Automatically apply option results in following steps:
    • Places the most recent client patch file on the site server
    • Updates content on the distribution points for this site and any child sites. Note this only occurs when the cumulative update runs on the Central Administration Site (CAS)
    • Updates the client package on the Management Point of the local site; this source is used in the event there are no distribution points available for client installation
    • Future client installations using the Client Push method will apply the new patch automatically
    • The time frame for updating the client depends on your Automatic Client Upgrade settings
  • If you chose the Manually Apply option, you will need to update your client manually as in prior CU (See our Updating the clients section)

SCCM 2012 R2 SP1 CU1 Installation guide

  • Check all 3 checkbox (Server, Console and Clients), click Next

SCCM 2012 R2 SP1 CU1 Installation guide

  • Edit the package name and program to your need, click Next

SCCM 2012 R2 SP1 CU1 Installation guide

SCCM 2012 R2 SP1 CU1 Installation guide

  • Review the Summary page, click Install

SCCM 2012 R2 SP1 CU1 Installation guide

  • Installation is in progress

SCCM 2012 R2 SP1 CU1 Installation guide

  • You can follow the installation progress in the log file (C:\Windows\Temp\CM12_SP2R2SP1CU1-KB3074857-X64-ENU.log)

SCCM 2012 R2 SP1 CU1 Installation guide

  • When setup is complete, click Next and then Finish

SCCM 2012 R2 SP1 CU1 Installation guide



After setup is completed, launch the System Center 2012 Configuration Manager Console and verify the build number of the console. If the upgrade was successful, the console build number will be 5.0.8239.1203.

SCCM 2012 R2 SP1 CU1 Installation guide


Open registry editor and check the HKLM\Software\Microsoft\SMS\Setup\ key. If the installation succeeded CULevel key value will be 1.

SCCM 2012 R2 SP1 CU1 Installation guide

You can also verify both client and console version using PowerShell :

  • Server : Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\SMS\Setup -Name “CULevel”
  • Console : (Get-Item ($env:SMS_ADMIN_UI_PATH.Substring(0,$env:SMS_ADMIN_UI_PATH.Length – 5) + ‘\Microsoft.ConfigurationManagement.exe’)).VersionInfo.FileVersion

SCCM 2012 R2 SP1 CU1 Installation guide


The client version will be updated to 5.0.8239.1203 (after updating, see section below)

SCCM 2012 R2 SP1 CU1 Installation guide

This update also brings the anti-malware client version to 4.7.0209.0. You can find the version information by clicking About on the Help menu of the Endpoint Protection client UI.

Package distribution

Navigate to Software Library / Packages / Configuration Manager Updates

  • You’ll see that your CU1 updates packages are created

SCCM 2012 R2 SP1 CU1 Installation guide

  • Go ahead and Distribute Content to your distribution points

SCCM 2012 R2 SP1 CU1 Installation guide

Updating the Clients

If you select the Automatically Apply option in the installation wizard, your client will update using your time frame settings.

  • Open the SCCM Console
  • Go to Administration / Site Configuration / Sites
  • Click the Hierarchy Settings in the top ribbon
  • Select Automatic Client Upgrade tab
  • The Upgrade client automatically when the new client update are available checkbox has been enabled
  • Review your time frame and adjust it to your needs

SCCM 2012 R2 SP1 CU1 Installation guide

If you select the Manually Apply option in the wizard, you will need to update your client manually.

This update contains 2 update packages for client installations. One for 32-bit clients and one for 64-bit clients.

Create two collections for the client upgrade. (If not already done in previous CU)

All-x64-based Clients

[pastacode lang=”sql” message=”” highlight=”” provider=”manual” manual=”select%20SMS_R_SYSTEM.ResourceID%2CSMS_R_SYSTEM.ResourceType%2CSMS_R_SYSTEM.Name%2CSMS_R_SYSTEM.SMSUniqueIdentifier%2CSMS_R_SYSTEM.ResourceDomainORWorkgroup%2CSMS_R_SYSTEM.Client%20from%20SMS_R_System%20inner%20join%20SMS_G_System_COMPUTER_SYSTEM%20on%20SMS_G_System_COMPUTER_SYSTEM.ResourceId%20%3D%20SMS_R_System.ResourceId%20where%20SMS_G_System_COMPUTER_SYSTEM.SystemType%20%3D%20%22X64-based%20PC%22″/]

All-x86-based Clients

[pastacode lang=”sql” message=”” highlight=”” provider=”manual” manual=”select%20SMS_R_SYSTEM.ResourceID%2CSMS_R_SYSTEM.ResourceType%2CSMS_R_SYSTEM.Name%2CSMS_R_SYSTEM.SMSUniqueIdentifier%2CSMS_R_SYSTEM.ResourceDomainORWorkgroup%2CSMS_R_SYSTEM.Client%20from%20SMS_R_System%20inner%20join%20SMS_G_System_COMPUTER_SYSTEM%20on%20SMS_G_System_COMPUTER_SYSTEM.ResourceId%20%3D%20SMS_R_System.ResourceId%20where%20SMS_G_System_COMPUTER_SYSTEM.SystemType%20%3D%20%22X86-based%20PC%22″/]

Adjust the package options to fit your environments and deploy the update to your clients.

Once deployed I like to create a collection that targets clients without the latest CU. I use it to monitor which client haven’t been updated yet.

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script)

[pastacode lang=”sql” message=”” highlight=”” provider=”manual” manual=”select%20SMS_R_SYSTEM.ResourceID%2CSMS_R_SYSTEM.ResourceType%2CSMS_R_SYSTEM.Name%2CSMS_R_SYSTEM.SMSUniqueIdentifier%2CSMS_R_SYSTEM.ResourceDomainORWorkgroup%2CSMS_R_SYSTEM.Client%20from%20SMS_R_System%20where%20SMS_R_System.ClientVersion%20!%3D%20’5.0.8239.1203′”/]

Happy updating ! 🙂

Comments (60)

list of auto insurances in Beaver Falls PA

08.17.2017 AT 10:29 AM
Actually, Spain is one of the few countries in the world whose national anthem doesn’t have any words! You might remember that no one was singing anything on the Spanish side yesterday.

Sam kachar

01.05.2016 AT 10:05 PM
If I check the don't upgrade servers will my 300 pull dps upgrade as they are site systems. The server admins don't want this hitting their servers until they qa it. But I wanna make sure it upgrades the dp site servers. What exactly does the check box for don't upgrade servers apply to? Is it all servers? Does it include site systems which are running on server os? We have just the primary and then lots of dps. I want them to upgrade the pull dps to the newer version.

Jonathan Lefebvre

01.06.2016 AT 10:48 AM
Hi Sam, The check box for Don't Upgrade servers is only for the SCCM client, not for site system servers. Installing CU on a primary server will NOT trigger an update on PullDP or other site server system. There is no real upgrade for PullDP. You should upgrade the SCCM client on those PullDP servers. You should also consider CU2 instead of CU1. Here the blog post about it : Thanks Jonathan


12.08.2015 AT 10:35 AM
Hello, I was wondering if this CU1 Update is supposed to fix the issue with Client Location Services not choosing the correct Management Point despite having the option enabled under the Site Hierarchy Properties which says "Clients Prefer To Use Management Points in Boundary Groups"...etc or something to that effect. I see in the MS Hotfix Details this update is supposed to address the above issue in "Standalone Primary" environments but nothing that says it would fix the same issue in a Hierarchy Environment. Thanks

auto owners insurance Crestview FL

08.17.2017 AT 10:36 AM
pita / sinceramente com pode um cara saber que tais organismo tem 34,000 mil anos, só espero que esse rapaz não apareça cheio de tentaculos com a manipulação dessas coisas.Gostei deste comentário ou não: 2


11.10.2015 AT 09:41 AM
Hello Mjqian, and anyone else interested: This is not the Microsoft specific explanation, but it does give background and reasoning why they did this. It's has to do with the security structure within windows 10. Start at 10:20 location on video for idea. I'm not advocating this site, nor affiliated with it.

Pushkar SIngh

11.07.2015 AT 12:11 PM
Thanks Benoit for this great post, Here i have some different senario I have A CAS 2 Primary and 7 Secondry Sites out of which 2 secondry site reporting to one and rest 5 are reporting to other. How am i suppose to install the cu 1 in my hirerarchy i mean do i rum it in cas update site DB and creates different packages and then distribute those packages to primary and secondry


10.27.2015 AT 08:50 AM
Benoit, I ready STGdb question and it seems very similar to our scenario but I wanted to get clarification. We have 1 primary site and we had someone come in to build and upgraded our 2012 our infrastructure to SP1 CU1. Much like STGdb, the version remains at 5.00.8239.1000 but our clients show as 1203. Based on your earlier comments, that seems perfectly normal. We have a single primary site which consists of 2 management points, a fall back management point, a application catalog, and a bunch of distribution points. What I do not get is that you stated the CU1 KB3074857 - Server update is for site servers only (ie just the primary site server), but the vendor pushed the update out to all the site systems collection (ie every sccm server). All the updates are failing, but it seems he incorrectly pushed it in the first place. If you have to manually install it in the first place, why would you ever deploy the server update? Is it just if you have a secondary site? Also, the Microsoft article I ready says it can also be installed on an SMS Provider, but I am not sure what that is or means. Any clarification would be very helpful. Thanks.

Benoit Lecours

10.30.2015 AT 09:06 AM
Hi Daemon, The Server Update is used for other Primary sites or site system hosting an SMS Provider. You can see if you have multiple SMS Provider in the console in Administration / Site System. Check the roles of each machine. Secondary sites are updated using the console. If you have a simple setup with one Primary Site and 1 SMS Provider, you won't need to use this update package.


01.18.2017 AT 04:36 AM
Caitlin and myself have not stopped laughing at ‘away in a manger’ done in a very unique way……it’s officially a first that someone managed to get a lipstick in a Christmas carol, the twirling was magnificent and the chesty cough was the icing on the Christmas cake……have a fantastic Christmas. Love jackie xxx


10.08.2015 AT 03:05 AM
Are you sure about the anti-malware client version to 4.7.0209.0 ?? My win 7 and 2012r2 machines are at before the update.


10.02.2015 AT 03:16 AM
Thanks for the Guide. After CU1 Installation unfortunately I have Problems with SUP - the WSUS Synchronization Fails. SMS_WSUS_SYNC_MANAGER says: WSUS Synchronization failed. Message: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr:😀oSync. The operating system reported error 2147500037: Unspecified error WCM.log: Failed to create assembly name object for Microsoft.UpdateServices.Administration. Error = 0x80131701. SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0) Checking runtime v4.0.30319... SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0) Found supported assembly Microsoft.UpdateServices.Administration version, file version 6.3.9600.16384 SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0) Found supported assembly Microsoft.UpdateServices.BaseApi version, file version 6.3.9600.16384 SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0) Supported WSUS version found SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0) Attempting connection to WSUS server:, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0) System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.TypeInitializationException: The type initializer for 'Microsoft.UpdateServices.Internal.ApiRemoting' threw an exception. ---> System.UnauthorizedAccessException: Access to the path 'Update Services' is denied.~ at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)~ at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)~ at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)~ at Microsoft.UpdateServices.Log.GetUsableLogFileName(String fileName, LogFileLocation& actualLogLocation)~ at Microsoft.UpdateServices.Log.InitializeFromConfig()~ at Microsoft.UpdateServices.Log.InitializeIfNeeded()~ at Microsoft.UpdateServices.Internal.ApiRemoting..cctor()~ --- End of inner exception stack trace ---~ at Microsoft.UpdateServices.Internal.ApiRemoting..ctor()~ --- End of inner exception stack trace ---~~ at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0) Remote configuration failed on WSUS Server. SMS_WSUS_CONFIGURATION_MANAGER 02.10.2015 10:02:40 4304 (0x10D0)


10.28.2015 AT 01:44 PM
We had a similar issue with the Sync failing. It turned out that the problem was related to Shavlik Patch. We went to the catalog and uncheck the 3rd party patches we had selected for Shavlik Patch and the Sync started working again.


11.09.2015 AT 11:00 AM
Do you know if the Shavlik issue has been resolved?

Benoit Lecours

10.02.2015 AT 10:00 AM
Are you using a proxy or custom ports for WSUS ?


10.02.2015 AT 10:19 AM
Yes, we're using a Proxy for synchronizing software updates and downloading Content and custom ports 8530/8531 to contact WSUS.


10.05.2015 AT 06:35 AM
There was a problem with the Connection String to the external SQL Server inside the WSUS Config. Now everything is working fine again. Cheers Sam

Benoit Lecours

10.09.2015 AT 06:38 AM
Great !


10.01.2015 AT 05:54 PM
Can I upgrade the client from R2CU5 directly to R2SP1CU1?

Benoit Lecours

10.02.2015 AT 10:00 AM


09.28.2015 AT 03:35 PM
Can I install CU1 immediately after SP1? Reboot necessary? Any amount of time or process I need to wait for before proceeding with the CU install?

Benoit Lecours

09.30.2015 AT 07:25 AM
You can install CU1 as soon as the SP1 installation is complete. If you are in a hierarchy, be sure that replication is complete.


09.28.2015 AT 02:40 PM
Thanks for the GREAT article, it helps me to verify our own install. We are running SCCM 2012 R2 SP1 CU1. Our console and clients are updated and running 5.00.8239.1203 but the site version remains at 5.00.8239.1000 (even thought we told it to update everything during the CU1 install). We only have the one site server but I am wondering if we need to deploy the CU1 server update package (CU1 KB3074857 - server update) that the CU1 update installed onto our site? I didn't see that step mentioned in the article so I don't know if the SCCM 2012 R2 SP1 CU1 site version should remain at 1000 or whether it should also change to 1203? Thanks again!!

Benoit Lecours

09.30.2015 AT 07:27 AM
Site version only update to major version (RTM,SP1,SP2), Cumulative Update doesn't reflet on the site version. If you applied CU1 on your site server you don't need to apply the package. The package is created for other site servers which you don't have.


09.22.2015 AT 09:05 AM
Hi, As we still have mixed environment of 2007 & 2012. Will this new "Automatic Client Upgrade" ONLY upgrade those 2012 clients or 2007 clients? Thanks Tim

Benoit Lecours

09.30.2015 AT 07:35 AM
Hi Tim, I guess it should work but haven't test that scenario.


09.22.2015 AT 06:56 AM
Hi Benoit, thanks a lot for sharing your experiences, perfect guides for updating the SCCM environment. At the moment we are planing to update our environment from version SCCM 2012 R2 CU to SP1 CU1. Now i have a question. If i'm right we have to do the update in two steps because of the server replication delay time (first SP1 and a few days later CU1). It would be interesting to know if we have to update the clients only once or do we have to rollout the SP1 client update first? Is it possible to do the step from R2 CU4 to R2 SP1 CU1 directly? rilak

Benoit Lecours

09.30.2015 AT 07:36 AM
You can update your client directly to SP1 CU1.


09.03.2015 AT 05:27 AM
Hi Mr. Lecours Thanks for your pretty helpful post. i have installed cu1 and successfully complete (fires primary site and then secondary site). but client version on my ConfigMgr server (Primary and Secondary Sites) still is 5.00.8239.1000 what shall i do?


08.25.2015 AT 08:22 AM
This update seemed to break HTTPS communication for me. I have my SCCM environment working on PKI infrastructure and after installing this update, WSUS and IIS seem to be broken and complaining about Ports not communicating over HTTP. Any suggestions?


09.02.2015 AT 06:05 AM
I have the same problem after update. I have error "Call to HttpSendRequestSync failed for port 443 with status code 500, text: Internal Server Error" in mpcontrol.log I try run iisreset and register but I have no luck.


09.16.2015 AT 12:11 AM
Hi Michael & Oleg Did either of you manage to fix your issues with HTTPS? We haven't applied the update yet, and use HTTPS for MP comms...


09.22.2015 AT 07:29 AM
Just try to reinstall SCCM Client on site server (i do it over push). I don't now how, but it's resolve my issue with HTTPS 500 MP error.


08.22.2015 AT 04:00 AM
Hi Thanks four your guide. Sorry for my english : it's very poor. Well, i have an infrastructure TEST. It's an environnelent cloud installed by my collegues. I have one server primary sccl 2012 R2 with 2 servers only with a role DP. yesterday i have upgraded to SP1 without problem. But now, i have 1 problem : new package named "config manager client" (size 180 mo) doesn't copy on DP. WHY ? What do i do on servers DP ? Can you help me ? Thanks in advance Regards

Benoit Lecours

08.27.2015 AT 09:22 AM
Regardez les logs de distribution afin de savoir ce qui ne fonctionne pas. Les DP n'ont pas besoin d'être mis à jour à SP1 mais leur client respectif oui.


08.20.2015 AT 09:33 AM
Great post, thanks. Also, is it correct that the Site version and the Admin Console version numbers should not match?

Benoit Lecours

08.21.2015 AT 10:12 AM
Yes, Console will shows CU version but the site version is updated only on major release. (RTM, R2, SP1)

John Bryntze

08.21.2015 AT 03:26 AM
Great post! I was also wondering why Site Version isn't updated from SP1... it says it does.. probably do but not visible?

Benoit Lecours

08.21.2015 AT 10:05 AM
Thanks ! Sorry but I don't understand your question


08.19.2015 AT 08:46 AM
Hi Benoit, and thanks for this great step by step documentation. We have just done the upgrade in SP1 CU1, and some question stay : Is it normal that site version stay in 5.00.8239.1000 (I think so, it's the same on your picture) ? And what about the MP server client version (which is 5.00.8239.1000 too) ? Thanks Fabrice


08.25.2015 AT 04:22 PM
I've just the same problem ;/ Any ideas?


08.17.2015 AT 10:17 AM
Thanks for this goot documentation step by step Just a question about the console after the installation of the CU Is it possible to create a device collection to check the installed Console (r2 sp1) CU1 ? i don't found any information in the registry to check the version 5.0.823.1203 Many Thanks François


08.15.2015 AT 11:21 AM
Thanks for the write up. It looks very good. Since there are no updates that impact the imaging process do you still recommend updating provisioning Task Sequences to include the new client? I haven't dug into the client package yet, but I assume that this is a MSP patch that goes to the SCCM 2012 R2 SP1 client? If so, that means we would need to use the same existing methods to install a PATCH during installation of the SCCM client during OSD.


10.14.2015 AT 07:46 AM
James, I was wondering how you added the update to your OSD task sequences as well? I didn't see a reply and was hoping someone could chime in with their suggestion as I'm struggling to come up with the best solution.