Vulnerability Affecting SQL Server 2008, 2008 R2, 2012, 2014

New Vulnerability Affecting SQL Server 2008, 2008 R2, 2012, and 2014

It's Patch Tuesday, and the last time there was a security vulnerability with direct SQL Server implications was in August. Today Microsoft released Security Bulletin MS15-058 (and KB #3065718), which has both GDR and QFE updates for all supported branches of SQL Server, and even a couple of unsupported branches. I wanted to post a quick table so you can see which one you should apply, and why.

As a note, GDR updates (GDR = "General Distribution Release") are those you apply to instances where you don't want all of the fixes and enhancements that have been offered in Cumulative Updates. If you want those fixes, you should take the QFE update instead (QFE = "Quick Fix Engineering"). You can see a more detailed explanation of the differences here.

Also, note that SQL Server 2014 Service Pack 1 was not affected by the security vulnerability, but a GDR fix was pushed out to address a separate issue with Columnstore indexes (see KB #3067257).

Also, since the security release last week, a new Cumulative Update (#7, 11.0.5623) has been released for SQL Server 2012 Service Pack 2, so if you are not sticking to the GDR branch there, you should install the Cumulative Update (which has 38 total fixes) rather than the security fix on its own.

Finally, in general, I'm always going to recommend that you go to the QFE rather than the GDR, and that you move to the most recent Service Pack branch as quickly as possible. However, I understand that regression testing, waiting for catch-up of CU fixes, or even bugs (cough cough 2014 SP1 CU1 cough cough) can sometimes delay that. On the GDR rows, I'm recommending the GDR fix only for cases where moving to the QFE or a later service pack / CU is not practical.

If your version / service pack is…    …and @@VERSION is in the range…    …you should install…

SQL Server 2014 (build list)
  SP1                                 12.0.4050 => 12.0.4212              GDR 12.0.4213 (KB #3070446)
                                      12.0.4214 => 12.0.4415              CU #1 12.0.4416 (KB #3067839)
  RTM                                 12.0.2000 => 12.0.2268              GDR 12.0.2269 (KB #3045324)
                                      12.0.2270 => 12.0.2547              QFE 12.0.2548 (KB #3045323)

SQL Server 2012 (build list)
  SP2                                 11.0.5058 => 11.0.5342              GDR 11.0.5343 (KB #3045321)
                                      11.0.5344 => 11.0.5622              CU #7 11.0.5623 (KB #3072100)
  SP1                                 11.0.3000 => 11.0.3155              GDR 11.0.3156 (KB #3045318)
                                      11.0.3157 => 11.0.3512              QFE 11.0.3513 (KB #3045317)
  RTM                                 11.0.2100 => 11.0.2999              Move to a newer branch

SQL Server 2008 R2
  SP3                                 10.50.6000 => 10.50.6219            GDR 10.50.6220 (KB #3045316)
                                      10.50.6221 => 10.50.6528            QFE 10.50.6529 (KB #3045314)
  SP2                                 10.50.4000 => 10.50.4041            GDR 10.50.4042 (KB #3045313)
                                      10.50.4043 => 10.50.4338            QFE 10.50.4339 (KB #3045312)
  SP1 or RTM                          10.50.1600 => 10.50.3999            Move to a newer branch

SQL Server 2008
  SP4                                 10.0.6000 => 10.0.6240              GDR 10.0.6241 (KB #3045311)
                                      10.0.6242 => 10.0.6534              QFE 10.0.6535 (KB #3045308)
  SP3                                 10.0.5500 => 10.0.5537              GDR 10.0.5538 (KB #3045305)
                                      10.0.5539 => 10.0.5889              QFE 10.0.5890 (KB #3045303)
  SP2, SP1 or RTM                     10.0.1600 => 10.0.5499              Move to a newer branch
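To apply the table above across a fleet, here is an added example (not from the post): a Python script that encodes the ranges, parses the build number out of @@VERSION output and returns the row that applies. The sample @@VERSION string is constructed, builds are compared as integer tuples rather than strings, and a build that already equals a fixed build is reported as patched instead of silently falling through.

```python
import re

# Ranges transcribed from the table in the post: (branch, low build, high build, what to install).
# Builds are compared as integer tuples, never as strings.
RANGES = [
    ("2014 SP1", "12.0.4050", "12.0.4212", "GDR 12.0.4213, KB #3070446"),
    ("2014 SP1", "12.0.4214", "12.0.4415", "CU #1 12.0.4416, KB #3067839"),
    ("2014 RTM", "12.0.2000", "12.0.2268", "GDR 12.0.2269, KB #3045324"),
    ("2014 RTM", "12.0.2270", "12.0.2547", "QFE 12.0.2548, KB #3045323"),
    ("2012 SP2", "11.0.5058", "11.0.5342", "GDR 11.0.5343, KB #3045321"),
    ("2012 SP2", "11.0.5344", "11.0.5622", "CU #7 11.0.5623, KB #3072100"),
    ("2012 SP1", "11.0.3000", "11.0.3155", "GDR 11.0.3156, KB #3045318"),
    ("2012 SP1", "11.0.3157", "11.0.3512", "QFE 11.0.3513, KB #3045317"),
    ("2012 RTM", "11.0.2100", "11.0.2999", "Move to a newer branch"),
    ("2008 R2 SP3", "10.50.6000", "10.50.6219", "GDR 10.50.6220, KB #3045316"),
    ("2008 R2 SP3", "10.50.6221", "10.50.6528", "QFE 10.50.6529, KB #3045314"),
    ("2008 R2 SP2", "10.50.4000", "10.50.4041", "GDR 10.50.4042, KB #3045313"),
    ("2008 R2 SP2", "10.50.4043", "10.50.4338", "QFE 10.50.4339, KB #3045312"),
    ("2008 R2 SP1/RTM", "10.50.1600", "10.50.3999", "Move to a newer branch"),
    ("2008 SP4", "10.0.6000", "10.0.6240", "GDR 10.0.6241, KB #3045311"),
    ("2008 SP4", "10.0.6242", "10.0.6534", "QFE 10.0.6535, KB #3045308"),
    ("2008 SP3", "10.0.5500", "10.0.5537", "GDR 10.0.5538, KB #3045305"),
    ("2008 SP3", "10.0.5539", "10.0.5889", "QFE 10.0.5890, KB #3045303"),
    ("2008 SP2/SP1/RTM", "10.0.1600", "10.0.5499", "Move to a newer branch"),
]

_BUILD_RE = re.compile(r"\b(\d+\.\d+\.\d+)(?:\.\d+)?\b")

def build_tuple(version):
    """'12.0.4100' or '12.0.4100.1' -> (12, 0, 4100); a fourth part is ignored."""
    return tuple(int(p) for p in version.split(".")[:3])

def parse_version_string(text):
    """Extract the build from @@VERSION output such as 'Microsoft SQL Server 2014 - 12.0.4100.1 (X64) ...'."""
    m = _BUILD_RE.search(text)
    if not m:
        raise ValueError("no build number found in @@VERSION output")
    return build_tuple(m.group(1))

def recommendation(build):
    """(branch, action) for a build tuple; None when the table does not cover that build."""
    for branch, low, high, action in RANGES:
        if build_tuple(low) <= build <= build_tuple(high):
            return branch, action
        target = _BUILD_RE.search(action)  # a build equal to the fixed build is already patched
        if target and build_tuple(target.group(1)) == build:
            return branch, "already at the fixed build (" + action + ")"
    return None

SAMPLE = "Microsoft SQL Server 2014 - 12.0.4100.1 (X64)\n\tApr 20 2015 17:29:27"  # constructed, not from a real server
```

Feed it the @@VERSION text collected from each instance; a None result means the build is newer than the table (or a branch the table does not list) and needs a manual check against the bulletin.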

For more details on individual builds available, at least for SQL Server 2012 and SQL Server 2014, see these blog posts:

Also, I've had a couple of questions asking about 2008 SP4 and 2008 R2 SP3; specifically, why there are separate GDR and QFE paths. This is kind of confusing, because the two paths exist so that you can choose whether or not to take non-security hotfixes, which are typically released via Cumulative Updates, yet there have been no CUs for 2008 SP4 or 2008 R2 SP3. However, there have been a couple of critical on-demand (COD) hotfixes released, which I documented here:

Comments (14)

          • Harry Hirsch says:

            Hi Aaron,

            Finally I found in your post a comprehensive explanation about the difference between GDR and QFE.

            Thanks!

          • Jeff Bandy says:

            Is there a command line switch to not restart the SQL service at the end of the patch? We do SQL patching and Windows patching separately and we'd like to only have the interruption of the post Windows patching reboot.

          • Aaron Bertrand says:

            Unfortunately, I don't see such an option even in the 2016 documentation; that doesn't mean there isn't an undocumented way to do that, but I don't know what it is.

          • John L says:

            I see in the KB30704466 that SQL 2014 SP1 is not affected by the vulnerabilities discussed. Good to know that I don't have to apply that fix to our SQL 2014 servers.

          • Garry Bargsley says:

            I have a question. Our infrastructure allowed these SQL updates to be pushed during Windows patching last week. So all of our SQL servers were updated to reflect the version with the security fix. If they were applied, does that include anything that would have been in a CU or SP of a lower number? Trying to see if we need to apply CU and SP as well to get all the fixes and really be at the appropriate version number.

          • Aaron Bertrand says:

            Garry, just like a cumulative update, the fixes include anything from a lower build number.

          • Dale Dille says:

            Looks like another security update from Microsoft has broken the Group Policy settings on the server, which in turn caused this update to not install. Am in the process of researching further -- anything anyone here might know to help troubleshoot would be greatly appreciated…

          • Dale Dille says:

            I tried to install the Security Update for SQL Server 2014 Service Pack 1 (KB3070446) and received error 84B20002 -- has anyone else seen this? Google results are lackluster at best…

          • mjjf says:

            Thank you for the great post, it was very helpful!

            How did you determine the @@version ranges in the table above? Sorry if my question seems obvious, I am new to SQL Server. I only knew to look at the security bulletin's SQL Server versions, but they don't seem to match your table (found here: https://technet.microsoft.com/en-us/library/security/MS15-058#ID0EYIAC).

          • Aaron Bertrand says:

            Microsoft's version table only lists explicit build numbers that have been publicly released. I try to cover the entire inclusive range because some build numbers are released privately (or haven't been publicly disclosed yet). Hopefully, the next CU in each relevant branch will include these fixes, so that there is no need to cover future releases as well, but it is possible that a CU or COD is already in the works and will still need the security fix applied.

          • Chris Wood says:

            Pity that the next set of 2012 CU's didn't come out at the same time with the fix included.

            Chris

          • Jefferson Motta says:

            This update slows down the system.

          • Aaron Bertrand says:

            I'd be surprised if the update itself were the cause. If you cycled the SQL Server service or rebooted the server, it is much more likely that an immediate slowdown was caused by other factors, such as clearing the buffer pool and flushing the plan cache.

          • PowerDBAKlaas says:

            Thank you Aaron,

            A very useful post on a very important problem.
