As mentioned in an earlier article, security fixes are Cumulative Update level specific. How that would turn out in practice remained to be seen at the time of writing that article, but at the moment it means there are two different versions of the security update, one for CU1 and one for CU2 (or the re-release of CU2 actually, version 15.0.712.24).
Be warned that both files carry the same file name, I suggest adding some form of Cumulative Update identification to the file name when archiving it, e.g. Exchange2013-KB2874216-x64-en-CU2.msp.
As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.
You can download the security updates here:
· Security Update for Exchange Server 2013 CU1 (v15.0.620.32)
· Security Update for Exchange Server 2013 CU2 (v15.0.712.26)