Operating System Upgrade Service Release 2003.1.1sr2 (win-OS-Upgrade-K9.2003-1-1-sr2.exe)

Release date: 22 March 2007

Document Revision 1

Microsoft provides monthly releases of security hotfixes on the 2nd Tuesday of each month.  Cisco’s monthly OS Service Release is scheduled to post on the 3rd Tuesday of each month.

Cisco will continue to test and release Microsoft hotfixes that meet our criteria for Critical hotfixes in 1 business day.  Any applicable critical hotfix released by Microsoft will be added to the Cisco IP Telephony Operating System, SQL Server, Security Updates document with an explanation about whether or not it is critical for Cisco IP Telephony servers and when it will be released by Cisco.

Caution:  Do not apply this service release with OS version 2000.4.x or previous OS release trains.  This service release is only compatible with the OS 2003.1.1 release trains.  You should apply this service release to all servers in your cluster.  This installation causes call-processing interruptions and requires a reboot.  Close all programs before proceeding including Internet Explorer to avoid conflicts with the software being installed and/or upgraded.

General Note: If the following messages are displayed during the installation, please click “OK” and continue. These will not affect this upgrade. The causes for these messages are under investigation:
            * The Instruction at "0X0cda00dd8" referenced memory at "0X0cda00dd8". The memory could not be read. Click OK to terminate the program (CSCeb31088)
            * The Instruction at "0X000000000" referenced memory at "0X000000000". The memory could not be read. Click OK to terminate the program (CSCed45218)
            * AddAnonymousWebUserAccess failure during CallManager installations (CSCed27066)

Naming Convention Change

 For operating system, SQL Server, and Cisco IP telephony application software updates, Cisco has replaced the term, support patch, with the term, service release.  Service releases provide the same functionality as support patches; that is, they provide bug fixes, etc.  

 Review the file naming convention before you apply the software update.

 <software_name>-<software version>_<sr(x)>

 <software name> equals the name of the application; <software version> equals the maintenance release; <sr(x)> equals the version of the service release

 For example, review the following file name:

 win-OS-Upgrade-K9.2000-4-2sr2.exe

 win-OS-Upgrade indicates that this file is an operating system upgrade file; K9 indicates that you download the file from the Cisco cryptographic website; 2000-4-2 indicates the operating system maintenance release version, and sr2 indicates that this file is the first version of the operating system upgrade service release.

Contents

This document contains information on the following topics.  Click the hyperlink to go directly to the section.

·         Cisco Notification Tools

This section provides information about how to receive email notifications when new updates post to Cisco Connection Online.

·         Information about This Service Release

This section provides general information and specifies the affected Cisco IP telephony applications, supported servers, and hotfixes that are automatically installed with this software update.

·         Installing the Service Release

This section provides procedures for installing this service release on supported servers.

·         Verifying Hotfixes By Using Microsoft Baseline Security Analyzer

This section provides a list of hotfixes that Microsoft Baseline Security Analyzer reports.  See this section if you want to verify which hotfixes exist on your server.

·         Uninstalling Hotfixes

This section provides information about how to uninstall the Microsoft hotfixes.

Cisco Notification Tools

 

Cisco CallManager Notification Tool: Cisco has replaced the current Cisco CallManager notification tool with a new, more robust notification tool that is based on your Cisco.com profiles.  This new tool delivers email notifications for individual Cisco voice products that you select.  Follow the steps below to sign up for the Cisco Voice Technology Group Subscription Tool:

 

·         Log in with your Cisco.com account information at this link: http://www.cisco.com/cgi-bin/Software/Newsbuilder/Builder/VOICE.cgi

·         Select "CallManager Cryptographic Software including OS updates" to receive notification when new operating system updates are posted.

·         Select any other product updates that you wish to receive.

·         Click update at the bottom of the page.

·         Confirm your selections.

 

You may see this message at the bottom of the page: "Your Profile Currently Indicates that you do not wish to receive email from Cisco.”

 

To be able to receive information updates, you must update your email preferences.  Click on the link to update your email preferences (located in the Other Information section).  Click submit when you are done.  

 

If you have enabled email notification, you may exit now.  If you have not enabled email notification, then you will need to repeat the steps above.

 

This new software notification tool requires a valid Cisco.com login. If you do not currently have a Cisco.com password, please register with Cisco.com at: http://tools.cisco.com/RPF/register/register.do

 

Cisco PSIRT Advisory Notification Tool: This email service provides automatic notification of all Cisco Security Advisories that are released by the Cisco Product Security Incident Response Team (PSIRT).  Security Advisories, which describe security issues that directly impact Cisco products, provide a set of required actions to repair these products. To subscribe, click the following URL and perform the tasks as directed on the web page: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html#SecurityInfo

 

Information about This Service Release

 

Review the following information before you install the service release:

 ·         Cumulative Severity:  Critical

 ·         Description: OS Upgrade 2003.1.1 Service Release 2

 ·       Minimum OS requirements: Fresh install of OS 2003.1.1

·       Affected Cisco IP Telephony Applications:  All compatible versions of Cisco CallManager, Cisco IP Interactive Voice Response (IP IVR), Cisco IP Call Center Express (IPCC Express), Cisco Personal Assistant (PA), Cisco Emergency Responder (CER), Cisco Conference Connection (CCC), Cisco Customer Voice Portal (CVP), Cisco IP Queue Manager and Cisco MeetingPlace.

 

·  Supported Servers:  The list of supported servers can be found in the 2003.1.1 Release Note http://www.cisco.com/univercd/cc/td/doc/product/voice/iptel_os/install/rn200311.htm


      See the End-of-Life Policy for more details.

·         New HotFixes/Resolutions in this release: CSCsd81429, CSCsh93237

·         Install time: < 15 Minutes per server

·         Reboot required: Yes

·         Replaces previously posted files:

·         Log File Location: C:\Program Files\Common Files\Cisco\Logs\OS

·         Known Caveats: Please refer to the ‘Known Caveats’ section below.

 

Note:  Apply this service release to all servers in your cluster.

Caution:  This installation causes call-processing interruptions and requires a reboot.  Close all programs before proceeding including Internet Explorer.

 

 

 

This service release includes the following hotfixes: 

 

Table:  Hotfixes That Are Included in the Service Release

| Bulletin | Knowledge Base Article or Cisco Defect | Description | 1st Released in Support Patch/Service Release | Uninstallation Supported |
|---|---|---|---|---|
| MS07-008 | 928843 | Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843) | 2003.1.1sr1 | Yes |
| MS07-016 | 928090 | Cumulative Security Update for Internet Explorer (928090) | 2003.1.1sr1 | Yes |
| MS07-006 | 928255 | Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255) | 2003.1.1sr1 | Yes |
| MS07-011 | 926436 | Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436) | 2003.1.1sr1 | Yes |
| MS07-012 | 924667 | Vulnerability in Microsoft MFC Could Allow Remote Code Execution (924667) | 2003.1.1sr1 | Yes |
| MS07-013 | 918118 | Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution (918118) | 2003.1.1sr1 | Yes |
| | CSCsh91439 | MCS-OS - MBSA Upgrade to 2.0.1 required | 2003.1.1sr1 | No |
| | CSCsh91735, 931836 | February 2007 cumulative time zone update for Microsoft Windows operating systems | 2003.1.1sr1 | Yes |
| | CSCsd81429 | Third Party Director Software Not Reporting All Environment Variables on IBM Servers | 2003.1.1sr2 | No |
| | CSCsh93237 | Default Microsoft Video Driver Selected for MCS-7825-I2-IPC2 | 2003.1.1sr2 | No |
| | CSCsi00900 | CM 4.3(1) install fails on OS 2003.1.1 SR1 | 2003.1.1sr2 | No |

Installing the Service Release

Perform the following procedure to install the service release:

1.      Disable all virus scanning software or intrusion detection software (such as CSA) prior to running this installation.

2.      Download the file to a location that you will remember.

3.      Double click the executable.

4.      To acknowledge that the server runs OS version 2003.1.1 and that you are not installing the service release through Terminal Services, click Yes.  If the server does not run OS version 2003.1.1, install it before you run this service release.

5.      Files automatically extract and install on the server.

6.      After the installation finishes, it will report the number of errors detected and ask if you want to view the logfile.

7.      If there are no errors detected, you can select “No”; otherwise click “Yes” to view the log.  There is an ERRORS section at the very end of the logfile to assist in finding the errors.

8.      Click OK to confirm the reboot.

9.      Perform this procedure on all supported servers in the cluster.

10.  If you choose to do so, you can use the Baseline Security Analyzer to verify the hotfixes that are installed on each server.  See the “Verifying HotFixes By Using Baseline Security Analyzer” section.

 

Verifying HotFixes By Using Microsoft Baseline Security Analyzer

If you want to do so, you can use the Microsoft Baseline Security Analyzer utility (run c:\utils\mbsa_scan.cmd) to verify which hotfixes are installed on the server.

Microsoft Baseline Security Analyzer (MBSA)

Make sure that you review the Reason column of the MBSA report to identify whether the hotfix should be installed.  The following table shows expected results from MBSA on a fully patched system.   

Scanned with MBSA version: 2.0.6706.0

Security update catalog: Microsoft Update (offline)

Catalog synchronization date: 2007-03-13T18:37:59Z

Security assessment: Potential Risk


Security Updates Scan Results

Issue: Windows Security Updates

Score: Check failed (non-critical)

Result: 3 service packs or update rollups are missing.


Update Rollups and Service Packs

| 926874 | Missing | Windows Internet Explorer 7.0 for Windows Server 2003 | |

| 890830 | Missing | Windows Malicious Software Removal Tool - March 2007 (KB890830) | |

| 914961 | Missing | Windows Server 2003 Service Pack 2 (32-bit x86) | |


Current Update Compliance

| MS05-036 | Installed | Security Update for Windows Server 2003 (KB901214) | Critical |

| MS05-039 | Installed | Security Update for Windows Server 2003 (KB899588) | Critical |

| MS05-040 | Installed | Security Update for Windows Server 2003 (KB893756) | Important |

| MS05-033 | Installed | Security Update for Windows Server 2003 (KB896428) | Moderate |

| MS05-026 | Installed | Security Update for Windows Server 2003 (KB896358) | Critical |

| MS05-042 | Installed | Security Update for Windows Server 2003 (KB899587) | Moderate |

| MS05-041 | Installed | Security Update for Windows Server 2003 (KB899591) | Moderate |

| MS05-045 | Installed | Security Update for Windows Server 2003 (KB905414) | Moderate |

| MS05-051 | Installed | Security Update for Windows Server 2003 (KB902400) | Important |

| MS05-046 | Installed | Security Update for Windows Server 2003 (KB899589) | Important |

| MS05-048 | Installed | Security Update for Windows Server 2003 (KB901017) | Important |

| MS05-049 | Installed | Security Update for Windows Server 2003 (KB900725) | Important |

| MS05-053 | Installed | Security Update for Windows Server 2003 (KB896424) | Critical |

| MS05-050 | Installed | Security Update for Windows Server 2003 (KB904706) | Critical |

| MS06-001 | Installed | Security Update for Windows Server 2003 (KB912919) | Critical |

| MS06-002 | Installed | Security Update for Windows Server 2003 (KB908519) | Important |

| MS06-008 | Installed | Security Update for Windows Server 2003 (KB911927) | Moderate |

| MS06-009 | Installed | Security Update for Windows Server 2003 (KB901190) | Important |

| MS06-006 | Installed | Security Update for Windows Media Player Plug-in (KB911564) | Important |

| MS06-014 | Installed | Security Update for Windows Server 2003 (KB911562) | Moderate |

| MS06-024 | Installed | Security Update for Windows Server 2003 (KB917734) | Critical |

| MS06-030 | Installed | Security Update for Windows Server 2003 (KB914389) | Important |

| MS06-023 | Installed | Security Update for Windows Server 2003 (KB917344) | Moderate |

| MS06-022 | Installed | Security Update for Windows Server 2003 (KB918439) | Critical |

| MS06-032 | Installed | Security Update for Windows Server 2003 (KB917953) | Important |

| MS06-025 | Installed | Security Update for Windows Server 2003 (KB911280) | Important |

| 889101 | Installed | Windows Server 2003 Service Pack 1 | |

| MS06-036 | Installed | Security Update for Windows Server 2003 (KB914388) | Critical |

| MS06-034 | Installed | Security Update for Windows Server 2003 (KB917537) | Moderate |

| MS06-050 | Installed | Security Update for Windows Server 2003 (KB920670) | Important |

| MS06-041 | Installed | Security Update for Windows Server 2003 (KB920683) | Critical |

| MS06-051 | Installed | Security Update for Windows Server 2003 (KB917422) | Critical |

| MS06-040 | Installed | Security Update for Windows Server 2003 (KB921883) | Critical |

| MS06-053 | Installed | Security Update for Windows Server 2003 (KB920685) | Moderate |

| MS06-063 | Installed | Security Update for Windows Server 2003 (KB923414) | Important |

| MS06-065 | Installed | Security Update for Windows Server 2003 (KB924496) | Moderate |

| MS06-057 | Installed | Security Update for Windows Server 2003 (KB923191) | Moderate |

| MS06-061 | Installed | Security Update for Windows Server 2003 (KB924191) | Critical |

| MS06-064 | Installed | Security Update for Windows Server 2003 (KB922819) | Low |

| MS06-068 | Installed | Security Update for Windows Server 2003 (KB920213) | Moderate |

| MS06-066 | Installed | Security Update for Windows Server 2003 (KB923980) | Moderate |

| MS06-076 | Installed | Cumulative Security Update for Outlook Express for Windows Server 2003 (KB923694) | Important |

| MS06-078 | Installed | Security Update for Windows Server 2003 (KB923689) | Critical |

| MS06-078 | Installed | Security Update for Windows Media Player 6.4 (KB925398) | Critical |

| MS06-074 | Installed | Security Update for Windows Server 2003 (KB926247) | Important |

| MS07-004 | Installed | Security Update for Windows Server 2003 (KB929969) | Critical |

| MS07-006 | Installed | Security Update for Windows Server 2003 (KB928255) | Important |

| MS07-012 | Installed | Security Update for Windows Server 2003 (KB924667) | Important |

| MS07-013 | Installed | Security Update for Windows Server 2003 (KB918118) | Important |

| MS07-011 | Installed | Security Update for Windows Server 2003 (KB926436) | Important |

| MS07-008 | Installed | Security Update for Windows Server 2003 (KB928843) | Moderate |

| MS07-016 | Installed | Cumulative Security Update for Internet Explorer 6 for Windows Server 2003 (KB928090) | Critical |

| 931836 | Installed | Update for Windows Server 2003 (KB931836) | |

| MS06-015 | Installed | Security Update for Windows Server 2003 (KB908531) | Critical |


Note:  The term, Note, in the Message column indicates that the utility is not able to detect whether the hotfix is installed.  Review the information in the Reason column for more information. 
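
The check described in this section can be scripted. The following is an added example, not part of the Cisco release note or of mbsa_scan.cmd: it parses MBSA result rows in the pipe layout shown above and confirms that each KB number from the Hotfixes That Are Included in the Service Release table is reported as Installed. The sample report is constructed, and the function names are hypothetical.

```python
import re

# KB numbers taken from the "Hotfixes That Are Included in the Service Release"
# table on this page (entries tracked only by a Cisco defect ID have no KB).
SERVICE_RELEASE_KBS = ("928843", "928090", "928255", "926436",
                       "924667", "918118", "931836")

# Constructed sample report in the pipe layout shown above. The MS07-008 row
# is deliberately altered to "Missing" and KB924667 is omitted so that both
# failure paths are exercised.
SAMPLE_REPORT = """\
Update Rollups and Service Packs
| 926874 | Missing | Windows Internet Explorer 7.0 for Windows Server 2003 | |
Current Update Compliance
| MS06-078 | Installed | Security Update for Windows Server 2003 (KB923689) | Critical |
| MS06-078 | Installed | Security Update for Windows Media Player 6.4 (KB925398) | Critical |
| MS07-006 | Installed | Security Update for Windows Server 2003 (KB928255) | Important |
| MS07-013 | Installed | Security Update for Windows Server 2003 (KB918118) | Important |
| MS07-011 | Installed | Security Update for Windows Server 2003 (KB926436) | Important |
| MS07-008 | Missing | Security Update for Windows Server 2003 (KB928843) | Moderate |
| MS07-016 | Installed | Cumulative Security Update for Internet Explorer 6 for Windows Server 2003 (KB928090) | Critical |
| 931836 | Installed | Update for Windows Server 2003 (KB931836) | |
"""

KB_IN_TITLE = re.compile(r"\(KB(\d+)\)")


def parse_mbsa_rows(report_text):
    """Return one dict per '| id | status | title | severity |' row."""
    rows = []
    for line in report_text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # section headings and summary lines
        cells = [c.strip() for c in line.split("|")[1:-1]]
        if len(cells) != 4:
            continue  # not a result row
        ident, status, title, severity = cells
        match = KB_IN_TITLE.search(title)
        # Rollups and service packs carry the KB number in the first column.
        kb = match.group(1) if match else (ident if ident.isdigit() else None)
        rows.append({"id": ident, "kb": kb, "status": status,
                     "title": title, "severity": severity})
    return rows


def check_service_release(rows, expected_kbs=SERVICE_RELEASE_KBS):
    """Map each expected KB to its reported status, or 'Not reported'."""
    # Key on the KB number: one bulletin (MS06-078 here) can cover several KBs.
    by_kb = {r["kb"]: r["status"] for r in rows if r["kb"]}
    return {kb: by_kb.get(kb, "Not reported") for kb in expected_kbs}


def gaps(result):
    """KBs from the service release that the report does not show as Installed."""
    return sorted(kb for kb, status in result.items() if status != "Installed")


if __name__ == "__main__":
    result = check_service_release(parse_mbsa_rows(SAMPLE_REPORT))
    for kb, status in result.items():
        print(f"KB{kb}: {status}")
    print("Needs review:", gaps(result))
```

Entries in the service release table that carry only a Cisco defect ID (for example CSCsd81429) have no KB number and cannot be confirmed this way.
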

Known Caveats


Uninstalling Hotfixes

 If you need to uninstall this OS Service Release or one of its hotfixes, follow the uninstall procedures exactly as they appear in this section.  Most hotfixes have an uninstall program provided by Microsoft, but there are caveats associated with uninstalling the hotfixes.  This section provides procedures to uninstall a single hotfix and to uninstall the entire OS Service Release.

 Perform the following procedure to uninstall a single hotfix:

1.      Verify whether the hotfix can be uninstalled by checking the Uninstall Supported column of the Hotfixes That Are Included in the Service Release table.  If No displays in that column, you cannot use this procedure to uninstall the hotfix.  The only way to return the server to a state without the hotfix is to fail back to a saved copy of the mirrored drive or rebuild the server, install the IP Telephony application, and restore the database.  If Yes displays in the Uninstall Supported column, continue with Step 2.

2.      Choose Start > Settings > Control Panel > Add/Remove Programs.  Hotfixes appear near the bottom of the Add/Remove Programs window.  Each hotfix begins with Windows 2003 Hotfix and is followed by the Microsoft Knowledge Base (KB or Q) article number.  You can use the Hotfixes That Are Included in the Service Release table to convert the security bulletin number (MS05-053) to a KB or Q number (KB896424).

3.      Select the hotfix you want to uninstall and click Change/Remove.  The Windows 2003 <hotfix number> Removal Wizard displays. 

4.      Click Next.  The steps may differ, depending on the uninstall program provided with the hotfix.  If a window appears with a message asking whether you want to uninstall the hotfix, click Yes.

5.      It’s very likely that the Inspecting Current Configuration step of the Removal Wizard will detect a list of hotfixes or programs that may be affected by removing this hotfix.  Record this list.  All the hotfixes listed will need to be re-installed and any applications listed should be checked to confirm they are still working properly.  Removing this hotfix will restore the system files it backed up when it was originally installed.  Other hotfixes or applications may be dependent on these same files.  The Removal Wizard does not know whether or not the applications or hotfixes will be affected.  It has only detected that they were installed after the hotfix being removed was installed.  After recording the list, click Yes.

6.      Click Finish.  The server reboots, if needed.  If you are prompted to reboot, click Yes.

7.      If the Inspecting Current Configuration step of the Removal Wizard listed any other hotfixes, reinstall those hotfixes now.  The last OS Service Release with the individual hotfix installations can be found in c:\Program Files\Cisco\Updates\2003.1.1SR#, where “#” equals the Service Release number (for example, 2003.1.1sr1).  The files will be named by their KB or Q number and should match what you have written down.  Double-click the first hotfix that is on your list of hotfixes that need to be reinstalled, and follow the prompts to install the hotfix.  Repeat this step for each hotfix you need to reinstall.  You do not need to reboot between hotfixes.  Once you have reinstalled all the hotfixes on your list, reboot the server.

8.      If the Inspecting Current Configuration step of the Removal Wizard listed any applications, confirm that they are still working properly.

 

Perform the following procedure to uninstall this entire OS Service Release:

1.      In order to determine what hotfixes need to be uninstalled, you need to determine what the OS level was before you applied this Service Release.  The minimum OS level for this Service Release is OS Upgrade 2003.1.1, so that is the starting point.  To determine what Service Releases were applied after OS Upgrade 2003.1.1, use the History.log file.  Click Start > Cisco Install Logs  (C:\Program Files\Common Files\Cisco\Logs).

2.      Double-click History.log (or just History if known file extensions are hidden).

3.      Find OS Upgrade 2003.1.1 and search down the list for the last 2003.1.1SR# before the one you are trying to uninstall.  Record this Service Release number.

4.      Use the Hotfixes That Are Included in the Service Release table to find all the hotfixes installed after the Service Release recorded in the previous step.

5.      Choose Start > Settings > Control Panel > Add/Remove Programs.  Hotfixes appear near the bottom of the Add/Remove Programs window.  Each hotfix begins with Windows 2003 Hotfix and is followed by the Microsoft Knowledge Base (KB or Q) article number.  You can use the Hotfixes That Are Included in the Service Release table to convert the security bulletin number (e.g. MS05-053) to a KB or Q number (e.g. KB896424).

6.      Select the hotfix you want to uninstall and click Change/Remove.  The Windows 2003 <hotfix number> Removal Wizard displays. 

7.      Click Next.  The steps may differ, depending on the uninstall program provided with the hotfix.  If a window appears with a message asking whether you want to uninstall the hotfix, click Yes.

8.      It’s very likely that the Inspecting Current Configuration step of the Removal Wizard will detect a list of hotfixes or programs that may be affected by removing this hotfix.  Record this list.  All the hotfixes listed will need to be re-installed and any applications listed should be checked to confirm they are still working properly.  Removing this hotfix will restore the system files it backed up when it was originally installed.  Other hotfixes or applications may be dependent on these same files.  The Removal Wizard does not know whether or not the applications or hotfixes will be affected.  It has only detected that they were installed after the hotfix being removed was installed.  After recording the list, click Yes.

9.      Click Finish.  The server reboots, if needed.  If you are prompted to reboot, click Yes.

10.  Follow steps 6 - 9 until all the hotfixes you want to uninstall have been removed.

11.  If the Inspecting Current Configuration step of the Removal Wizard listed any other hotfixes, reinstall those hotfixes now.  The last OS Service Release with the individual hotfix installations can be found in c:\Program Files\Cisco\Updates\2003.1.1sr#, where “#” equals the Service Release number (for example, 2003.1.1sr1).  The files will be named by their KB or Q number and should match what you have written down.  Double-click the first hotfix that is on your list of hotfixes that need to be reinstalled, and follow the prompts to install the hotfix.  Repeat this step for each hotfix you need to reinstall.  You do not need to reboot between hotfixes.  Once you have reinstalled all the hotfixes on your list, reboot the server.

12.  If the Removal Wizard listed any applications in the Inspecting Current Configuration step, confirm that they are still working properly.