The recent release of security fixes for SQL Server 2000 and 2005 (the issue did not impact SQL Server 2008) announced in MS09-004 seemed to spur two SQL Server 2005 cumulative updates (CUs) earlier this week — one for those on SP2, and one for those on SP3. (This typically happens when there is a new service pack released, as adoption rates are not always very fast, and the previous service pack is usually supported for some time.)
But as colleagues noted, the KB articles for the two releases may lead you to believe that there are fixes in CU12 that are not in CU2, and vice versa. And in fact this is true. So a few people have been wondering if they should upgrade to SP3 + CU2, or if doing so will leave them without a fix that is only in SP2 + CU12 (or vice versa – a vintage Clash hit comes to mind). In case you were wondering which fixes you have depending on which "branch" you are on, here is the list I took from the two KB articles:
KB # | SP2 CU #12 (9.00.3315) | SP3 CU #2 (9.00.4211) |
---|---|---|
960971 | no | yes |
960977 | no | yes |
961123 | yes | no |
961146 | no | yes |
961237 | yes | no |
961396 | yes | no |
**961479** | **yes** | **yes** |
**961648** | **yes** | **yes** |
961739 | yes | no |
961920 | no | yes |
961935 | no | yes |
962003 | no | yes |
**962209** | **yes** | **yes** |
963684 | no | yes |
967164 | no | yes |
967169 | yes | no |
967180 | no | yes |
967192 | yes | no |
967316 | yes | no |
967527 | yes | no |
967570 | yes | no |
967618 | yes | no |
967625 | yes | no |
(FWIW, I tried to highlight the three rows where the fix is included in both CUs, but Community Server is having none of it. The software either butchers whatever attributes I try to add, or strips them entirely. Hopefully bold is enough, but if not, they are KB #s 961479, 961648, and 962209.)
A contact at Microsoft explained that a specific customer hotfix request for one version (e.g. SP2) may not get ported immediately to another service pack (or another version). The initial goal is to provide the fix for that customer's version, unless requests come in for more than one version. After that, the fix will make it into other relevant branches as time allows (in most cases they try to accomplish this by the next CU if they can't get it in by the current cycle's deadline). This process makes sense, of course; I just don't think it's very visible. A lot of people assume that hotfixes that come out at the same time will contain the same set of fixes. That assumption makes sense too, and while it is surely the goal, it just can't always happen.
He also promised an authoritative list of fixes for the two CUs, and if it differs from the above, I will post an update here.
It looks like most of the ones missing from SP3 CU#2 have been added in SP3 CU#3, which has now been released.
http://support.microsoft.com/kb/967909/en-us
Sean
Hey Chris,
Still have not received an answer about MS09-004. I imagine it is in CU12 for SP2, since it is build 3310 while CU12 is build 3315. I agree though that the KB for the CU (962970) as well as the KBs for the security update (960089 and 960090) should be amended to reflect the fact that you can get the security fix with the CU or simply by upgrading to Service Pack 3. Though at this point I won't belabor the facts that I pounce on above; quite simply, no matter which path you choose (SP2 or SP3), you are going to forfeit half of the fixes in the latest round of CUs until they "catch up"…
As for SP2 builds going forward, yes, I think it is safe to assume they will keep developing CUs for this branch as SP3 uptake crawls forward. I don't think they have much of a choice; in fact, I am surprised they are not continuing to service SP1. Not sure if that is an official product lifecycle timing thing, or just an "everybody should be past SP1 by now" thing.
Thanks for the info about SP2 and SP3 changes. I am going to assume that MS09-004 is included in CU12 for SP2 even though the documentation isn't specific about this. I am hoping that SP2 builds are going to be maintained as where I work isn't ready for SP3 or SQL2008 just yet.
Chris