"Exchange is one of the most highly-critical business applications, and it's not something you want to shut down, especially in December," Storms said.
But he wasn't ready to tell companies to pass on the Exchange update. "They may well release some easily-performed mitigations next week," Storms said, referring to Microsoft's habit of offering work-arounds to keep software secure until a patch can be applied. "We'll have to wait and see. This one may have the typical risk-reward equation.... Is it worth the risk to patch or better to leave it alone?"
If companies apply the Exchange update and break their mail systems, especially during a very busy time of the year for retailers, it could be chaos.
Henry, who regularly talks with Microsoft after it has issued its advance notification, said that the Exchange update will address new vulnerabilities in the Outside In code libraries that Microsoft licenses from Oracle.
Exchange uses the libraries to display file attachments in a browser rather than to open them in a locally-stored application, like Microsoft Word. In the past, Outside In bugs have resided within the Exchange code base that parses those attachments.
Oracle patched two low-threat Outside In bugs in a massive Oct. 16 security update.
If Microsoft ships all seven of the planned updates -- occasionally it holds one back at the last minute -- the company will have issued 83 security bulletins in 2012, a 17% drop from 2011's 100 updates, said Storms.
The individual patch count, however, will slip just 5%, with 196 in 2012 compared to 206 the year before.
Microsoft will release the seven updates at approximately 1 p.m. ET on Dec. 11.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.