Extended Security Updates For Windows Server 2012
Leana Eckes
The Extended Security Update (ESU) program is a last resort option for customers who need to run certain legacy Microsoft products past the end of support. Windows Server Long Term Servicing Channel (LTSC) has a minimum of 10 years of support: five years for mainstream support and five years for extended support, which includes regular security updates.
However, once products reach the end of support, it also means the end of security updates and bulletins. This scenario can cause security or compliance issues and put business applications at risk. Microsoft recommends that you upgrade to the current version of Windows Server for the most advanced security, performance, and innovation.
Extended Security Updates for Windows Server include security updates and bulletins rated critical and important for a maximum period of time from the end of extended support, depending on the version. They're available free of charge for servers hosted in Azure, and available to purchase for servers not hosted in Azure. Extended Security Updates don't include new features, customer-requested non-security hotfixes, or design change requests. For more information, see Lifecycle FAQ - Extended Security Updates.
Migrate the affected existing Windows Server workloads as-is to Azure Virtual Machines (VM). Migrating to Azure automatically provides Extended Security Updates for the defined period. There's no extra charge for Extended Security Updates on top of an Azure VM's cost, and you don't need to do any other configuration.
Purchase an Extended Security Update subscription for your servers and remain protected until you're ready to upgrade to a newer Windows Server version. When you have an Extended Security Update subscription, Microsoft provides updates for the defined period. Once you purchase a subscription, you must get a product key and install it on each applicable server. For more information, see How to get Extended Security Updates.
When you get the Extended Security Updates depends on which version of Windows Server you're using and where it's hosted. The following table lists the Extended Security Update duration for each version of Windows Server.
You can migrate your on-premises servers that run a version of Windows Server that has reached or is almost reaching the end of extended support to Azure, where you can continue to run them as virtual machines. When you migrate to Azure, you not only stay compliant with security updates, but also add cloud innovation to your work. The benefits of migrating to Azure include:
In-place upgrades can typically upgrade Windows Server through at least one version, sometimes even two versions. For example, Windows Server 2012 R2 can upgrade in-place to Windows Server 2019. However, if you're running Windows Server 2008 or Windows Server 2008 R2, there's no direct upgrade path to Windows Server 2016 or later. Instead, you must first upgrade to Windows Server 2012 R2, then upgrade to Windows Server 2016 or Windows Server 2019.
If you're running a version of SQL Server that reached or is reaching the end of extended support, you can also benefit from Extended Security Updates for SQL Server. For more information, see Extended Security Updates for SQL Server and Windows Server.
The Extended Security Update (ESU) program is a last resort option for customers who need to run certain legacy Microsoft products past the end of support. They are not intended as a long-term solution, but rather as a temporary bridge to stay secure while one migrates to a newer, supported platform. It includes Critical* and/or Important* security updates up to three years after the product's End of Extended Support date.
* Extended Security Updates for select Embedded products are available via OEMs. All others are available via volume licensing.
** One additional year of ESU is available for Windows Server and SQL Server 2008 and 2008 R2 only on Azure.
General technical support and troubleshooting assistance is not available for products that have reached the end of lifecycle (the end of extended support date shown in the table above). The purchase or usage of ESUs does not change the associated products support lifecycle.
On Azure: Extended Security Updates are free for VMs in Azure. These include destinations such as Azure Virtual Machines (VMs), Dedicated Host, Azure VMware Solution, Nutanix Cloud Clusters on Azure, and the Azure Stack portfolio. Eligible customers can use the Azure Hybrid Benefit (available to customers with active Software Assurance or Server Subscriptions) to obtain discounts on the license of Azure Virtual Machines (IaaS) or Azure SQL Database Managed Instance (PaaS).
On-premises/hybrid environments: Extended Security Updates are available through specific volume licensing programs or through Azure Arc-enabled servers for Windows Server and SQL Server. Contact your Microsoft partner or account team to learn more. ESUs for select Embedded products are available via your embedded device manufacturer. For ESUs available through the Dynamics 365 Cloud Migration offer, customers can purchase via the Cloud Service Provider (CSP) licensing program.
On Azure: Applicable virtual machines (VMs) hosted in Azure are automatically enabled for ESUs if the VM is configured to receive updates, and these updates are provided free of charge.
On-premises/hybrid: Customers can install ESUs by accessing their multiple activation keys through the M365 Admin Center portal or directly installing ESUs through Azure Arc-enabled servers. Learn more about the installation details here for Windows Server and here for SQL Server installation.
You can acquire ESU licenses either directly from Microsoft or from your partner such as an EA Reseller or CSP partner (eligible to sell ESUs as of Oct. 1, 2023 for both types of ESUs mentioned above).
You can apply ESU enabled by Azure Arc and ESU licenses (SKUs) to any properly licensed server or operating system, whether it's deployed on-premises or on non-Azure clouds (including hosters). If you're running your OS in another cloud, make sure to adhere to the respective outsourcing or License Mobility policies for the underlying software.
For ESUs enabled by Azure Arc, you can select either licensing option, irrespective of how the underlying server or operating system is licensed. You can also mix between pCore and vCore licensing for your VMs. Make sure you follow the allowed virtualization entitlements for your underlying software.
For customers who enroll in ESUs enabled by Azure Arc after the end of support dates (July 11, 2023 for SQL Server 2012 Year 2 and October 10, 2023 for Windows Server 2012/R2), they will be billed a one-time upfront charge for the months they missed after the end of support date, with billing coming in at the end of the month. For example, if a customer enrolls in January 2024, they will receive a one-time back-bill for October, November, and December 2023 during their first month.
With ESU enabled by Azure Arc, you can link paid ESU coverage to your eligible Disaster Recovery Benefit servers without incurring additional cost. Make sure you follow the underlying Disaster Recovery Benefit policy for your software.
Extended Security Updates licenses (SKUs) obtained through Commercial Licensing are valid for annual coverage periods, such as Year 1 ESU, Year 2 ESU, and Year 3 ESU. Each ESU license entitles the specific server or operating system to receive security updates for the duration defined by that SKU (not by calendar year). For a comprehensive list of coverage periods, please reference the table at the top of this page.
You may only acquire ESU Year 2 and Year 3 licenses if you've also acquired the ESU license(s) for the prior year(s). For example, before you acquire the ESU Year 2 license, you must also acquire ESU Year 1.
ESU licenses correspond to the number of underlying core licenses of your server or operating system. You can license Windows Server and SQL Server based on either physical cores (pCores) or virtual cores (vCores). With ESUs sold through Commercial Licensing, the licenses must align with how you've licensed the underlying Windows Server or SQL Server.
In summary, when licensing with Commercial Licensing ESUs (SKUs), the number of ESU core licenses must align with how you've licensed the underlying Windows Server or SQL Server. Also, with the Commercial Licensing ESUs, you must ensure that the ESU edition matches the edition of your underlying software. For instance, if you have Windows Server Datacenter on your VM, you should acquire ESU Datacenter edition if you want to license at the vCore level.
The majority of WS 2012 licenses were sold on a per Processor or per Core basis (not on a per VM basis). For purposes of ESU core calculation, assume each 2 Processor license (the minimum per server) is equivalent to 16 pCores.
With ESU (SKUs) through Commercial Licensing, you can also cover your eligible Disaster Recovery Benefit servers without acquiring additional licenses. Make sure you follow the underlying Disaster Recovery Benefit policy for your software.
Customers who migrate workloads to Azure will have access to ESUs for SQL Server 2012, and Windows Server 2012 and 2012 R2 for three years after the End of Support dates for no additional charge above the cost of running the virtual machine. This currently includes Azure destinations such as Azure virtual machines (VMs), Dedicated Host, Azure VMware Solution, Nutanix Cloud Clusters on Azure, and Azure Stack portfolio.
Free ESUs will be available for customers on Azure, which includes workloads running on Azure Virtual Machines, Azure Dedicated Host, Azure VMWare Solutions, Nutanix Cloud Clusters on Azure, and Azure Stack Hub/Edge/HCI.
For Windows Server 2012/2012 R2: ESUs include provision of Security Updates and "Security Update Severity Rating System" rated "critical" and "important," for a maximum of three years after end of support.
d3342ee215