It's patch Tuesday!
[UPDATE June 19 : Please see my follow-up post about this security update.]
Today Microsoft released a security bulletin covering several issues that could potentially affect SQL Server; these exploits include remote code execution, denial of service, information disclosure and elevation of privilege. You should test these patches on all machines running SQL Server, including those running only client tools (e.g. Management Studio or Management Studio Express). The updates affect the following versions of SQL Server:
So, depending on your SQL Server version (run SELECT @@VERSION;), here is what you should do:
If you are running… And your build number is… Your best course of action is probably to… SQL Server 2005 Less than 9.0.4035 Upgrade to Service Pack 3 (9.0.4035) or Service Pack 4 (9.0.5000), then come back for the GDR Exactly 9.0.4035 (SP3) Install the SP3 GDR (9.0.4060) from KB #2494113 Between 9.0.4036 and 9.0.4339 (a) Upgrade to Service Pack 4 (9.0.5000), then come back for the GDR
(b) Install the SP3 QFE (9.0.4340) from KB #2494112
Exactly 9.0.5000 (SP4) Install the SP4 GDR (9.0.5057) from KB #2494120 Greater than 9.0.5000 Install the SP4 QFE (9.0.5292) from KB #2494123 SQL Server 2008 Less than 10.0.2531 Upgrade to Service Pack 1 (10.0.2531) or Service Pack 2 (10.0.4000), then come back for the GDR Exactly 10.0.2531 (SP1) Install the SP1 GDR (10.0.2573) from KB #2494096 Between 10.0.2532 and 10.0.2840 (a) Upgrade to Service Pack 2 (10.0.4000), then come back for the GDR
(b) Install the SP1 QFE (10.0.2841) from KB #2494100
Exactly 10.0.4000 (SP2) Install the SP2 GDR (10.0.4064) from KB #2494089 Greater than 10.0.4000 Install the SP2 QFE (10.0.4311) from KB #2494094 SQL Server 2008 R2 Exactly 10.50.1600 (RTM) Install the GDR (10.50.1617) from KB #2494088 Between 10.50.1601 and 10.50.1789 Install the QFE (10.50.1790) from KB #2494086 Greater than 10.50.1790
(e.g. 10.50.2418 or 10.50.2425)
Wait for the final release of Service Pack 1
Watch for cumulative update or updates to MS11-049
At this time there is no fix for the CTP of SQL Server 2008 R2 SP1
What is the difference between a GDR and a QFE? A GDR (general distribution release) is one that Microsoft support deems is necessary for all systems running SQL Server. A QFE (quick fix engineering) is one that does not affect everyone. Why are there two releases for this important fix? Well, one reason is that after a QFE is installed, it is no longer possible to install a GDR. So, if you have a system that has had previous cumulative updates or QFEs applied, the GDR might not work for you. If you have a system that is exactly at one of the levels described above, then the GDR is probably the better choice, because it will allow you to install either a GDR or a QFE in the future, whereas installing a QFE on such a system kind of paints you into a corner.
There is also a GDR available if you are running Management Studio Express 2005 (but none seem to be listed at this time for the 2008 or 2008 R2 versions):