The only differences in applicability between 7.5.0.4 (x64) and 7.2.6.3 (x64) are:
- Microsoft Windows Unified Data Storage Server 2003 x64 Edition
- Microsoft Windows Server 2003 for 64-bit Extended Systems
- Microsoft Windows Storage Server 2003 x64 Editions
- Microsoft Windows Storage Server 2012
It seems the <= 7.2 line is applicable to Server 2K3 while the > 7.3 line excludes Server 2K3. Even though the bundled components are newer in the 7.2.6.3 patch, it is not possible to upgrade from 7.5.0.4 without first uninstalling. The opposite is possible though.
Theoretical: I have a Windows Server 2012 R2 box running SMH 7.4.2.4 (released Mar 30, 2015)
- On June 15th I notice there is an update to 7.5.0.4. I take the upgrade and have a new version of OpenSSL (1.0.1m)
- On August 18th I notice there is an update to 7.2.6.3 which includes OpenSSL 1.0.1o
- I have been waiting for a new version of OpenSSL to address CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791 and CVE-2015-1792.
If you were to present me with a list of version numbers of SMH and ask me to pick the most secure (based solely on version number), I would currently pick 7.5.0.4. The truth is, when I "upgrade" from 7.2.6.3 to 7.5.0.4, I am now less secure due to having at least five known vulnerabilities in OpenSSL that I have effectively unpatched.
Andrew_Haak wrote:
Always check the supported OS and install the latest version for your OS not the latest by date.
According to this, you are guiding me to install 7.5.0.4, which is inherently less secure than 7.2.6.3. In a deployment situation where I scan my network for installed versions of SMH, I would see endpoints running 7.2.6.3 and "upgrade" them to 7.5.0.4, which is installing an older version and actually making them less secure. Is there something I am missing in this scenario or does it make sense?
Below is a comparison of the two versions in question, their supported OS list, and the version of OpenSSL included:
Thank you!
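The scenario above is really a patch-management question: choosing by product version number picks 7.5.0.4, while choosing by the bundled OpenSSL version picks 7.2.6.3 for the same OS. The following is an added example (not code from the poster or from HP) showing how an inventory script can rank releases by the bundled component rather than by product version, and flag an "upgrade" that would regress OpenSSL. The release table is constructed from the figures in the post (7.2.6.3 with OpenSSL 1.0.1o, 7.5.0.4 with OpenSSL 1.0.1m); the supported-OS sets are a simplified assumption, and the OpenSSL letter-suffix ordering (1.0.1m < 1.0.1o) is encoded by mapping the suffix to a number.

```python
import re
from dataclasses import dataclass

# OpenSSL 1.x versions look like "1.0.1o": three numbers plus a letter suffix
# (no suffix sorts before "a"). OpenSSL 3.x drops the letters, which this
# regex also accepts.
_OPENSSL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_openssl_version(text):
    """Turn '1.0.1o' into a comparable tuple (1, 0, 1, 15)."""
    m = _OPENSSL_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    suffix = 0
    for ch in m.group(4):  # a=1 ... z=26, so "m" < "o" and "" < "a"
        suffix = suffix * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, fix, suffix)


def parse_product_version(text):
    """Turn '7.5.0.4' into (7, 5, 0, 4) for plain product-version ordering."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Release:
    product_version: str   # SMH version as published
    openssl_version: str   # OpenSSL bundled with that SMH release
    supported_os: frozenset


# Constructed from the post; OS coverage simplified to the two names it mentions.
SAMPLE_RELEASES = [
    Release("7.2.6.3", "1.0.1o",
            frozenset({"Windows Server 2003 x64", "Windows Server 2012 R2"})),
    Release("7.5.0.4", "1.0.1m",
            frozenset({"Windows Server 2012 R2"})),
]


def find_release(releases, product_version):
    for r in releases:
        if r.product_version == product_version:
            return r
    return None


def candidates_for(releases, os_name):
    """Releases that list os_name as supported (the OS check comes first)."""
    return [r for r in releases if os_name in r.supported_os]


def newest_product_for(releases, os_name):
    """What 'install the latest version for your OS' picks: highest SMH number."""
    cands = candidates_for(releases, os_name)
    if not cands:
        return None
    return max(cands, key=lambda r: parse_product_version(r.product_version))


def most_secure_for(releases, os_name):
    """Rank by bundled OpenSSL first; product version only breaks ties."""
    cands = candidates_for(releases, os_name)
    if not cands:
        return None
    return max(cands, key=lambda r: (parse_openssl_version(r.openssl_version),
                                     parse_product_version(r.product_version)))


def component_regression(installed, candidate):
    """True when moving installed -> candidate lowers the bundled OpenSSL,
    i.e. the 'upgrade' would re-expose already fixed OpenSSL issues."""
    return (parse_openssl_version(candidate.openssl_version)
            < parse_openssl_version(installed.openssl_version))


if __name__ == "__main__":
    os_name = "Windows Server 2012 R2"
    by_number = newest_product_for(SAMPLE_RELEASES, os_name)
    by_openssl = most_secure_for(SAMPLE_RELEASES, os_name)
    print("newest by product version:", by_number.product_version)
    print("best by bundled OpenSSL:  ", by_openssl.product_version)
    print("would regress OpenSSL:    ", component_regression(by_openssl, by_number))
```

The OS filter runs before any ranking, so a Server 2003 host is never offered 7.5.0.4 at all; for a host where both releases apply, `most_secure_for` returns 7.2.6.3 while `newest_product_for` returns 7.5.0.4, and `component_regression` is the check a rollout script would use to refuse to push the latter over the former.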