Security updates for all supported versions of SQL Server
It's patch Tuesday!
[UPDATE June 19: Please see my follow-up post about this security update.]
Today Microsoft released a security bulletin covering several issues that could affect SQL Server; the vulnerabilities include remote code execution, denial of service, information disclosure and elevation of privilege. You should test these patches on all machines running SQL Server, including those running only client tools (e.g. Management Studio or Management Studio Express). The updates affect the following versions of SQL Server:
- SQL Server 2005 SP3
- SQL Server 2005 SP4
- SQL Server 2008 SP1
- SQL Server 2008 SP2
- SQL Server 2008 R2
So, depending on your SQL Server version (run SELECT @@VERSION;), here is what you should do:
If you are running… / And your build number is… / Your best course of action is probably to…

SQL Server 2005
- Less than 9.0.4035: Upgrade to Service Pack 3 (9.0.4035) or Service Pack 4 (9.0.5000), then come back for the GDR
- Exactly 9.0.4035 (SP3): Install the SP3 GDR (9.0.4060) from KB #2494113
- Between 9.0.4036 and 9.0.4339: (a) Upgrade to Service Pack 4 (9.0.5000), then come back for the GDR, OR (b) Install the SP3 QFE (9.0.4340) from KB #2494112
- Exactly 9.0.5000 (SP4): Install the SP4 GDR (9.0.5057) from KB #2494120
- Greater than 9.0.5000: Install the SP4 QFE (9.0.5292) from KB #2494123

SQL Server 2008
- Less than 10.0.2531: Upgrade to Service Pack 1 (10.0.2531) or Service Pack 2 (10.0.4000), then come back for the GDR
- Exactly 10.0.2531 (SP1): Install the SP1 GDR (10.0.2573) from KB #2494096
- Between 10.0.2532 and 10.0.2840: (a) Upgrade to Service Pack 2 (10.0.4000), then come back for the GDR, OR (b) Install the SP1 QFE (10.0.2841) from KB #2494100
- Exactly 10.0.4000 (SP2): Install the SP2 GDR (10.0.4064) from KB #2494089
- Greater than 10.0.4000: Install the SP2 QFE (10.0.4311) from KB #2494094

SQL Server 2008 R2
- Exactly 10.50.1600 (RTM): Install the GDR (10.50.1617) from KB #2494088
- Between 10.50.1601 and 10.50.1789: Install the QFE (10.50.1790) from KB #2494086
- Greater than 10.50.1790 (e.g. 10.50.2418 or 10.50.2425): Wait for the final release of Service Pack 1, and watch for cumulative updates or updates to MS11-049. At this time there is no fix for the CTP of SQL Server 2008 R2 SP1.
What is the difference between a GDR and a QFE? A GDR (general distribution release) is one that Microsoft support deems necessary for all systems running SQL Server. A QFE (quick fix engineering) is one that does not affect everyone. Why are there two releases for this important fix? Well, one reason is that after a QFE is installed, it is no longer possible to install a GDR. So, if you have a system that has had previous cumulative updates or QFEs applied, the GDR might not work for you. If you have a system that is exactly at one of the levels described above, then the GDR is probably the better choice, because it will allow you to install either a GDR or a QFE in the future, whereas installing a QFE on such a system kind of paints you into a corner.
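To apply the matrix and the GDR/QFE branch rule across a fleet, here is an added example in Python (not code from the original post) that takes ProductVersion strings as returned by SERVERPROPERTY('ProductVersion') and returns the recommendation for each. It goes slightly beyond the matrix: a server already at the GDR or QFE build of its branch is reported as fixed rather than re-flagged, and a build above the QFE build is sent to a fix-list check instead of being assumed patched. The names MATRIX, parse_version and recommend are my own.

```python
# Added example, not code from the original post: evaluate ProductVersion strings
# against the MS11-049 matrix above, recognising already-patched builds as well.

# Per (major, minor): branches as (sp_baseline, gdr_build, qfe_build, label, gdr_kb, qfe_kb).
# Builds and KB numbers are those listed in the post; order is ascending by baseline.
MATRIX = {
    (9, 0):   [(4035, 4060, 4340, "SP3", "2494113", "2494112"),
               (5000, 5057, 5292, "SP4", "2494120", "2494123")],
    (10, 0):  [(2531, 2573, 2841, "SP1", "2494096", "2494100"),
               (4000, 4064, 4311, "SP2", "2494089", "2494094")],
    (10, 50): [(1600, 1617, 1790, "RTM", "2494088", "2494086")],
}

def parse_version(version: str):
    """'10.50.1600.1' -> (10, 50, 1600); the fourth component is ignored."""
    major, minor, build = (int(p) for p in version.strip().split(".")[:3])
    return major, minor, build

def recommend(version: str) -> str:
    major, minor, build = parse_version(version)
    branches = MATRIX.get((major, minor))
    if branches is None:
        return "not in the MS11-049 matrix (e.g. SQL Server 2000 is not affected)"
    v = f"{major}.{minor}"
    # The branch is the one with the highest service-pack baseline <= build.
    idx = max((i for i, b in enumerate(branches) if build >= b[0]), default=None)
    if idx is None:
        names = " or ".join(f"{b[3]} ({v}.{b[0]})" for b in branches)
        return f"Upgrade to {names}, then install the GDR"
    base, gdr, qfe, label, gdr_kb, qfe_kb = branches[idx]
    nxt = branches[idx + 1] if idx + 1 < len(branches) else None
    if build == base:
        return f"Install the {label} GDR ({v}.{gdr}) from KB #{gdr_kb}"
    if build == gdr:
        return f"Already at the {label} GDR build ({v}.{gdr}); MS11-049 fix present"
    if build == qfe:
        return f"Already at the {label} QFE build ({v}.{qfe}); MS11-049 fix present"
    if build > qfe:
        if (major, minor) == (10, 50):
            return "Above the RTM QFE build; wait for SP1 final and updates to MS11-049"
        # A later CU is not guaranteed to carry the fix: check the KB's fix list.
        return f"Above the {label} QFE build ({v}.{qfe}); confirm KB #{qfe_kb} is in your CU's fix list"
    # base < build < qfe: a hotfix/CU build, so the GDR will not apply here.
    qfe_msg = f"install the {label} QFE ({v}.{qfe}) from KB #{qfe_kb}"
    if nxt:
        return f"(a) Upgrade to {nxt[3]} ({v}.{nxt[0]}), then install the GDR, or (b) {qfe_msg}"
    return qfe_msg[0].upper() + qfe_msg[1:]

if __name__ == "__main__":
    # Constructed sample inventory, not real servers.
    for ver in ["9.00.5000.00", "9.0.4226.0", "10.0.4316.0", "10.50.1790.0", "8.0.2039.0"]:
        print(ver, "->", recommend(ver))
```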
There is also a GDR available if you are running Management Studio Express 2005 (but none seem to be listed at this time for the 2008 or 2008 R2 versions):
As an aside, even if you are not running SQL Server, you should review the grander bulletin to see how else these issues may affect you… and be sure to register to tune in to tomorrow's webcast.
@BryanJ None that I know of (and I can barely spell SSIS). I would say that if you are using SSIS from 2005, 2008 or 2008 R2, that you should install the final service pack and, if it will allow you, any subsequent CU/QFE. So for example, apply:
2005
SP4 http://www.microsoft.com/en-us/download/details.aspx?id=7218 + QFE http://support.microsoft.com/kb/2494123
2008
SP4 http://www.microsoft.com/en-us/download/details.aspx?id=44278 + QFE http://support.microsoft.com/kb/3045308
2008 R2
SP3 https://www.microsoft.com/en-us/download/details.aspx?id=44271 + QFE http://support.microsoft.com/kb/3045314
Is there a patch matrix specifically for SSIS versions?
Hi AaronBertrand,
When I am trying to install the patch MS11-049 for my SQL Server 2008 R2, it results in the following errors.
I tried with both the KB articles (KB2494088) & (KB2494086)
OS Name Microsoft® Windows Server® 2008 Enterprise
Version 6.0.6002 Service Pack 2 Build 6002
If you have any idea on this, please help me.
TITLE: Install a SQL Server 2008 R2 update
——————————
There are validation errors on this page. Click OK to close this dialog box. Review errors at the bottom of the setup page, then provide valid parameters or click Help for more information.
——————————
BUTTONS:
OK
——————————
[Error Message]
There are no SQL Server instances or shared features that can be updated on this computer.
Thanks in advance,
Richard
Ryan, yes, I can only assume that SP3 has the GDR fix in it. However I haven't tested that (and obviously when I wrote this article in June I had no way to know what would be in SP3) 🙂
Your script above: are you taking into account SP3 for SQL Server 2008? Does that have the GDR fix in it?
Hi Aaron, I support a financial institution's database servers, which are subjected to many audits, FFIEC and SOX for example. If MSFT puts out a security alert they will make sure it has been implemented. I may need to open a case with MSFT to determine whether this patch is included with CU 5.
As always, I really appreciate your time and feedback! Great work.
Alfredo, sorry, I have no idea. I can only report on what I see in the KB articles. If the fix is not explicitly listed there, it might be because it is missing, it might be because the documentation is not perfect or hasn't yet been updated, or it might have intentionally been left off.
Once again, unless you're really worried that someone with physical access to your servers is using .disco files and trying to extract information, which is about the only way SQL Server is exposed in this instance, I would just run with the latest CU and not spend a lot of effort trying to figure out whether you have this fix or not. I think they made a much bigger deal about it than it deserved, to be quite honest.
Aaron,
I noticed for SQL Server 2005 SP4 CU3 the build is 9.0.5266 and the security patch build is 5292, therefore the security patch is not included with CU3. However, for SQL Server 2008 R1 CU5 the build is 10.0.4316, while the build for the security patch is 10.0.4311. I reviewed the fix list for 2008 CU5 and did not find the security update.
1. If the security patch is embedded within CU 5 is MSFT not making it public?
2. Based off of the build numbers I am making an assumption that the security patch is contained within CU 5, correct?
Thanks again Aaron for your feedback and this article.
If you want the fixes from the CUs, probably best to install SP4, then CU3, then the security update. If you just want the security fix, install SP4 and then KB #2494120.
Aaron, I am a little confused. Below is a list of CUs and the MS11-049 security patch. If I bring our 2005 instance to SP4 (5000), should we apply all the latest CUs and then the security patch, or just SP4 and the security patch? If the latter, will this contain all the CU fixes?
9.00.5292 2494123 http://support.microsoft.com/kb/2494123 MS11-049: Description of the security update for SQL Server 2005 Service Pack 4 QFE
9.00.5266 2507769 http://support.microsoft.com/kb/2507769/ Cumulative Update 3 for SQL Server 2005 Service Pack 4
9.00.5259 2489409 http://support.microsoft.com/kb/2489409 Cumulative Update 2 for SQL Server 2005 Service Pack 4
9.00.5054 2463332 http://support.microsoft.com/kb/2464079 Cumulative Update 1 for SQL Server 2005 Service Pack 4
9.00.5000 2463332 http://support.microsoft.com/kb/2463332 SQL Server 2005 Service Pack 4
I haven't heard about the non-yielding scheduler errors, and if the GDR did not update sqlservr.exe / @@VERSION then I'd suspect it did not install correctly.
That said, unless you're using .disco files regularly, I'm not sure you need to get too worked up about making sure this security fix is installed everywhere. IMHO.
I have another question. We have instances that had already received the June fix to take them up to 9.0.4340. I applied SP 4 this morning to take them to 9.0.5000 and then applied KB #2494120, but that did not update the build to 9.0.5057. Do you know if this is to be expected because we had already applied the June fix?
We also found that the June fix caused an issue with Non-Yielding Scheduler errors. I believe that a fix for the fix is now available.
Thanks for any information that you can provide.
Chuck, it looks from the security bulletin that SQL Server 2000 is not affected:
http://www.microsoft.com/technet/security/Bulletin/MS11-049.mspx
Does this apply to SQL Server 2000? We still have a few instances and I didn't see it listed. Nice comprehensive table to use for reference. Thanks.
You guys keep complaining that I have the incorrect download links, when in fact the destination of those MSFT URLs kept changing from under me (I had tested the links at publish time and somehow, magically, they kept becoming incorrect). So I've taken away the chance for that to happen by removing the download links.
Exactly 10.0.4000 (SP2) –> Install the SP2 GDR (10.0.4064) from KB #2494089 : download
the "download" URL points to a hotfix, which is NOT 2494089!! That should be fixed. (IL already reported this on June 21, 2011 4:52 AM)
I don't think it updates Analysis Services directly; I think it is listed as an affected product because it also ships with the affected client tools (e.g. XML viewer).
Does KB #2494089 not update the version of Analysis Services instances? I've installed in our lab and the update states the AS instances are not eligible. The article seems to indicate it is an affected product, but the update doesn't make any version changes to it.
Aaron, I'm afraid there are two incorrect download links for SQL Server 2008 in the table:
SP2 GDR (10.0.4064) from KB #2494089 : download
SP2 QFE (10.0.4311) from KB #2494094 : download
I click them and receive download page for unexpected KB.
I just saw news for the Cumulative update for SQL 2008. Really encouraging news for me.
Aaron please correct download link for SP2 GDR (10.0.4064) KB2494089 to http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=26313 Now it is the same as for SP1 QFE (10.0.2841) KB2494100.
Direct links for KB2494089 would be
http://download.microsoft.com/download/D/5/A/D5A5A730-14EA-42FB-A4D7-8CEECF953B31/SQLServer2008-KB2494089-x64.exe
http://download.microsoft.com/download/D/5/A/D5A5A730-14EA-42FB-A4D7-8CEECF953B31/SQLServer2008-KB2494089-x86.exe
Thank you.
Yes, that is the theory at least, if you install a QFE at 9.0.4340, that will include the QFEs (public only) that have a lower build number.
Now, that is not 100% true with Service Packs, so I'm not sure if there are exceptions here. While it's difficult to cover every single path, they do have some work to do on communicating exactly what happens when you install this or that patch on top of this or that build number.
I'm currently running SP3 CU4 (9.00.4226). Does it mean that after installing this security update I'm also getting all the fixes from CU5 (9.00.4230) to CU15 (9.00.4325)?
That update wasn't offered for me. But, I'm not running SQL Server 2005. <shrug>
Yes, it was part of this Windows Update package released this month (got it yesterday). A bunch of updates for my Win 7 64-bit system. Just did the normal important update stuff, shut down PC, restarted and after a moment that particular update was "offered" again. I checked history, it said it had installed successfully. So, I just shut it down again, restarted, etc., three more times. Today, it is still "offered" as an important update so I just hid it. I figure if it develops as an issue there will be a fix in the future.
No prior issues that I recall w/ win update (which is all I use to update).
FWIW, I installed 2494086 on Windows 7 x64. The update was not yet offered to me via Windows Update.
Sorry Jack, not sure. What operating system? Have you had issues with Windows Update before? I assume you're talking about a Windows Update prompt, right?
I have installed successfully KB2494113, restarted and been confronted with the same important 4 times now. Any ideas on how to stop this repeat of the same update?
Thanks for the CTE script! Batch of links to updates:
http://download.microsoft.com/download/3/8/3/3834FB61-76A7-4F73-97BF-626D4E4FE0A4/SQLServer2005-KB2494113-x64-ENU.exe
http://download.microsoft.com/download/3/8/3/3834FB61-76A7-4F73-97BF-626D4E4FE0A4/SQLServer2005-KB2494113-x86-ENU.exe
http://download.microsoft.com/download/D/F/9/DF960A12-26BC-464C-A5E9-FA616493B3CE/SQLServer2005-KB2494112-x64-ENU.exe
http://download.microsoft.com/download/D/F/9/DF960A12-26BC-464C-A5E9-FA616493B3CE/SQLServer2005-KB2494112-x86-ENU.exe
http://download.microsoft.com/download/6/4/7/6474C3DF-2673-4C98-85CB-8C8416BE5944/SQLServer2005-KB2494120-x64-ENU.exe
http://download.microsoft.com/download/6/4/7/6474C3DF-2673-4C98-85CB-8C8416BE5944/SQLServer2005-KB2494120-x86-ENU.exe
http://download.microsoft.com/download/D/2/6/D26A8E43-011B-4F00-99B3-CD64ACBAB769/SQLServer2005-KB2494123-x64-ENU.exe
http://download.microsoft.com/download/D/2/6/D26A8E43-011B-4F00-99B3-CD64ACBAB769/SQLServer2005-KB2494123-x86-ENU.exe
http://download.microsoft.com/download/6/9/9/699D717E-CB0A-4C07-949F-C56CE12217F8/SQLServer2008-KB2494096-x64.exe
http://download.microsoft.com/download/6/9/9/699D717E-CB0A-4C07-949F-C56CE12217F8/SQLServer2008-KB2494096-x86.exe
http://download.microsoft.com/download/D/A/9/DA91CC33-82ED-48D6-9BB9-F2EE4CE5846C/SQLServer2008-KB2494100-x64.exe
http://download.microsoft.com/download/D/A/9/DA91CC33-82ED-48D6-9BB9-F2EE4CE5846C/SQLServer2008-KB2494100-x86.exe
http://download.microsoft.com/download/6/0/7/6076A917-9377-4A3C-9FA8-20E3C3AA964E/SQLServer2008-KB2494094-x64.exe
http://download.microsoft.com/download/6/0/7/6076A917-9377-4A3C-9FA8-20E3C3AA964E/SQLServer2008-KB2494094-x86.exe
http://download.microsoft.com/download/3/E/7/3E7DF332-6D24-47B7-A4A1-B516541C85F6/SQLServer2008R2-KB2494086-x64.exe
http://download.microsoft.com/download/3/E/7/3E7DF332-6D24-47B7-A4A1-B516541C85F6/SQLServer2008R2-KB2494086-x86.exe
http://download.microsoft.com/download/6/E/A/6EA716DA-5034-41C1-AE5F-BFF8EB066F9F/SSMSEE-KB2546869-x64.exe
http://download.microsoft.com/download/6/E/A/6EA716DA-5034-41C1-AE5F-BFF8EB066F9F/SSMSEE-KB2546869-x86.exe
It is easy to master links for ia64 or 2005 other than ENU replacing substrings in filename where appropriate.
What most of us are now looking for, at least I am, is the list of fixes in these builds from the previously publicly released CUs and SPs. When a new CU or SP comes out the Release Services blog will announce it and point to the list of fixes. As someone who is still running SQL 2005 and starting to upgrade to SP4, it is important to know what else changed between CU3 build 5266 and the fix build 5292.
I was hoping for details on either of the Release Services blog and/or the CSS blog.
Chris
Thanks Anders, sloppy on my part. Corrected.
The download link for "SQL Server 2008 R2" incorrectly brings up "SQL Server 2008". The right one should be:
10.50.1600 – KB2494088 – http://www.microsoft.com/download/en/details.aspx?id=26304
Here is a quick Script to perform the above matrix
Hope it helps
;WITH CTE_SQLEditions ([Major], [Minor], [Build], [BuildMinor])
AS
(
    -- Split ProductVersion (e.g. 9.00.5000.00 or 10.50.1600.1) on its dots.
    -- PARSENAME numbers the parts from the right: 4 = major, 3 = minor, 2 = build, 1 = build minor.
    -- Cast each part to int so the comparisons below are numeric, not string comparisons.
    SELECT
        CONVERT(int, PARSENAME(CONVERT(varchar(30), SERVERPROPERTY('ProductVersion')), 4)) AS Major,
        CONVERT(int, PARSENAME(CONVERT(varchar(30), SERVERPROPERTY('ProductVersion')), 3)) AS Minor,
        CONVERT(int, PARSENAME(CONVERT(varchar(30), SERVERPROPERTY('ProductVersion')), 2)) AS Build,
        CONVERT(int, PARSENAME(CONVERT(varchar(30), SERVERPROPERTY('ProductVersion')), 1)) AS BuildMinor
)
SELECT *,
    -- Mirrors the matrix in the post: the action depends on the build within each version branch.
    CASE
        WHEN Major = 9 -- SQL Server 2005
        THEN CASE
                 WHEN Build < 4035 THEN 'Upgrade to Service Pack 3 (9.0.4035) or Service Pack 4 (9.0.5000), then come back for the GDR'
                 WHEN Build = 4035 THEN 'Install the SP3 GDR (9.0.4060) from KB #2494113'
                 WHEN Build > 4035 AND Build <= 4339
                      THEN '(a) Upgrade to Service Pack 4 (9.0.5000), then come back for the GDR OR (b) Install the SP3 QFE (9.0.4340) from KB #2494112'
                 WHEN Build = 5000 THEN 'Install the SP4 GDR (9.0.5057) from KB #2494120'
                 WHEN Build > 5000 THEN 'Install the SP4 QFE (9.0.5292) from KB #2494123'
                 ELSE 'Build not covered by the matrix (e.g. already at the SP3 QFE build or later)'
             END
        WHEN Major = 10 AND Minor = 0 -- SQL Server 2008
        THEN CASE
                 WHEN Build < 2531 THEN 'Upgrade to Service Pack 1 (10.0.2531) or Service Pack 2 (10.0.4000), then come back for the GDR'
                 WHEN Build = 2531 THEN 'Install the SP1 GDR (10.0.2573) from KB #2494096'
                 WHEN Build > 2531 AND Build <= 2840
                      THEN '(a) Upgrade to Service Pack 2 (10.0.4000), then come back for the GDR OR (b) Install the SP1 QFE (10.0.2841) from KB #2494100'
                 WHEN Build = 4000 THEN 'Install the SP2 GDR (10.0.4064) from KB #2494089'
                 WHEN Build > 4000 THEN 'Install the SP2 QFE (10.0.4311) from KB #2494094'
                 ELSE 'Build not covered by the matrix (e.g. already at the SP1 QFE build or later)'
             END
        WHEN Major = 10 AND Minor = 50 -- SQL Server 2008 R2
        THEN CASE
                 WHEN Build = 1600 THEN 'Install the GDR (10.50.1617) from KB #2494088'
                 WHEN Build > 1600 AND Build <= 1789 THEN 'Install the QFE (10.50.1790) from KB #2494086'
                 WHEN Build > 1789 THEN 'Wait for the final release of Service Pack 1, watch for cumulative update or updates to MS11-049; at this time there is no fix for the CTP of SQL Server 2008 R2 SP1'
                 ELSE 'Build not covered by the matrix'
             END
        ELSE 'Version not covered by MS11-049'
    END AS Recommendation
FROM CTE_SQLEditions;