Security updates for all supported versions of SQL Server

It's patch Tuesday!

[UPDATE June 19 : Please see my follow-up post about this security update.] 

Today Microsoft released a security bulletin covering several issues that could potentially affect SQL Server; these exploits include remote code execution, denial of service, information disclosure and elevation of privilege. You should test these patches on all machines running SQL Server, including those running only client tools (e.g. Management Studio or Management Studio Express). The updates affect the following versions of SQL Server:

  • SQL Server 2005 SP3
  • SQL Server 2005 SP4
  • SQL Server 2008 SP1
  • SQL Server 2008 SP2
  • SQL Server 2008 R2

So, depending on your SQL Server version (run SELECT @@VERSION;), here is what you should do:

If you are running… And your build number is… Your best course of action is probably to…
SQL Server 2005 Less than 9.0.4035 Upgrade to Service Pack 3 (9.0.4035) or Service Pack 4 (9.0.5000), then come back for the GDR
Exactly 9.0.4035 (SP3) Install the SP3 GDR (9.0.4060) from KB #2494113
Between 9.0.4036 and 9.0.4339 (a) Upgrade to Service Pack 4 (9.0.5000), then come back for the GDR
(b) Install the SP3 QFE (9.0.4340) from KB #2494112
Exactly 9.0.5000 (SP4) Install the SP4 GDR (9.0.5057) from KB #2494120
Greater than 9.0.5000 Install the SP4 QFE (9.0.5292) from KB #2494123
SQL Server 2008 Less than 10.0.2531 Upgrade to Service Pack 1 (10.0.2531) or Service Pack 2 (10.0.4000), then come back for the GDR
Exactly 10.0.2531 (SP1) Install the SP1 GDR (10.0.2573) from KB #2494096
Between 10.0.2532 and 10.0.2840 (a) Upgrade to Service Pack 2 (10.0.4000), then come back for the GDR
(b) Install the SP1 QFE (10.0.2841) from KB #2494100
Exactly 10.0.4000 (SP2) Install the SP2 GDR (10.0.4064) from KB #2494089
Greater than 10.0.4000 Install the SP2 QFE (10.0.4311) from KB #2494094
SQL Server 2008 R2 Exactly 10.50.1600 (RTM) Install the GDR (10.50.1617) from KB #2494088
Between 10.50.1601 and 10.50.1789 Install the QFE (10.50.1790) from KB #2494086
Greater than 10.50.1790
(e.g. 10.50.2418 or 10.50.2425)
Wait for the final release of Service Pack 1
Watch for cumulative update or updates to MS11-049
At this time there is no fix for the CTP of SQL Server 2008 R2 SP1

What is the difference between a GDR and a QFE? A GDR (general distribution release) is one that Microsoft support deems is necessary for all systems running SQL Server. A QFE (quick fix engineering) is one that does not affect everyone. Why are there two releases for this important fix? Well, one reason is that after a QFE is installed, it is no longer possible to install a GDR. So, if you have a system that has had previous cumulative updates or QFEs applied, the GDR might not work for you. If you have a system that is exactly at one of the levels described above, then the GDR is probably the better choice, because it will allow you to install either a GDR or a QFE in the future, whereas installing a QFE on such a system kind of paints you into a corner.

There is also a GDR available if you are running Management Studio Express 2005 (but none seem to be listed at this time for the 2008 or 2008 R2 versions):

As an aside, even if you are not running SQL Server, you should review the grander bulletin to see how else these issues may affect you… and be sure to register to tune in to tomorrow's webcast.


Aaron Bertrand

I am a passionate technologist with industry experience dating back to Classic ASP and SQL Server 6.5. I am a long-time Microsoft MVP, write at Simple Talk, SQLPerformance, and MSSQLTips, and have had the honor of speaking at more conferences than I can remember. In non-tech life, I am a father of two, a huge hockey and football fan, and my pronouns are he/him. If I've helped you out, consider thanking me with a coffee. :-)

34 Responses

  1. AaronBertrand says:

    @BryanJ None that I know of (and I can barely spell SSIS). I would say that if you are using SSIS from 2005, 2008 or 2008 R2, that you should install the final service pack and, if it will allow you, any subsequent CU/QFE. So for example, apply:
    SP4 + QFE
    SP4 + QFE
    2008 R2
    SP3 + QFE

  2. BryanJ says:

    Is there a Patch Matrix specificly for SSIS Versions?

  3. Richard says:

    Hi AaronBertrand,
    When I am trying to Install the Patch MS11-049 for my SS 28R2. It results to follow errors.
    I tried with both the KB articles (KB2494088) & (KB2494086)
    OS Name Microsoft® Windows Server® 2008 Enterprise
    Version 6.0.6002 Service Pack 2 Build 6002
    If u have any idea on this.. Pls help me.
    TITLE: Install a SQL Server 2008 R2 update
    There are validation errors on this page. Click OK to close this dialog box. Review errors at the bottom of the setup page, then provide valid parameters or click Help for more information.
    [Error Message]
    There are no SQL Server instances or shared features that can be updated on this computer.
    Thanks in advance,

  4. AaronBertrand says:

    Ryan, yes, I can only assume that SP3 has the GDR fix in it. However I haven't tested that (and obviously when I wrote this article June I had no way to know what would be in SP3) 🙂

  5. Ryan M. Lence says:

    Your script above.  Are you taking into account SP3 for sql server 2008 does that have the GDR fix in it?  

  6. Alfredo says:

    Hi Aaron, I support a financial institution database servers which are subjected to many audits, FFIEC, SOX for example. If MSFT put a security alert they will make sure it has been implemented. I may need to open a case with MSFT to determine whether this patch is included with CU 5.
    As always, I really appreciate your time and feedback! Great work.

  7. AaronBertrand says:

    Alfredo, sorry, I have no idea. I can only report on what I see in the KB articles. If the fix is not explicitly listed there, it might be because it is missing, it might be because the documentation is not perfect or hasn't yet been updated, or it might have intentionally been left off.
    Once again, unless you're really worried that someone with physical access to your servers is using .disco files and trying to extract information, which is about the only way SQL Server is exposed in this instance, I would just run with the latest CU and not spend a lot of effort trying to figure out whether you have this fix or not. I think they made a much bigger deal about it than it deserved, to be quite honest.

  8. Alfredo says:

    I noticed for SQL Server 2005 SP 4 CU3 the build is(9.0.5266) the  security patch build is 5292, therefore the security patch is not included with CU3. However, for SQL Server 2008 R1 CU 5 the build is (10.0.4316), however, the build for the security patch is 10.0.4311. I reviewed the fix list for 2008 CU 5 and did not find the security update.
    1. If the security patch is embedded within CU 5 is MSFT not making it public?
    2. Based off of the build numbers I am making an assumption that the security patch is contained within CU 5, correct?

  9. Alfredo says:

    Thanks again Aaron for your feedback and this article.

  10. AaronBertrand says:

    If you want the fixes from the CUs, probably best to install SP4, then CU3, then the security update. If you just want the security fix, install SP4 and then KB #2494120.

  11. Alfredo says:

    Aaron, I am a little confused. below is a list of CU's and the MS11-049 security patch. If I bring our 2005 instance to SP4 (5000) should we apply all the latest CU then the security patch or just SP4 and the security patch? If the latter will this contain all the CU fixes?
    9.00.5292 2494123  MS11-049: Description of the security update for SQL Server 2005 Service Pack 4 QFE
    9.00.5266 2507769  Cumulative Update 3 for SQL Server 2005 Service Pack 4
    9.00.5259 2489409  Cumulative Update 2 for SQL Server 2005 Service Pack 4
    9.00.5054 2463332 Cumulative Update 1 for SQL Server 2005 Service Pack 4
    9.00.5000 2463332 SQL Server 2005 Service Pack 4

  12. AaronBertrand says:

    I haven't heard about the non-yielding scheduler errors, and if the GDR did not update sqlservr.exe / @@VERSION then I'd suspect it did not install correctly.
    That said, unless you're using .disco files regularly, I'm not sure you need to get too worked up about making sure this security fix is installed everywhere. IMHO.

  13. Chuck Hottle says:

    I have another question.  We have instances that had already received the June fix to take them up to 9.0.4340.  I applied SP 4 this morning to take them to 9.0.5000 and then applied KB #2494120, but that did not update the build to 9.0.5057.  Do you know if this is to be expected because we had already applied the June fix?  
    We also found that the June fix caused an issue with Non-Yielding Scheduler errors.  I believe that a fix for the fix is now available.
    Thanks for any information that you can provide.

  14. AaronBertrand says:

    Chuck, it looks from the security bulletin that SQL Server 2000 is not affected:

  15. Chuck Hottle says:

    Does this apply to SQL Server 2000?  We still have a few instances and I didn;t see it listed.  Nice comprehensive table to use for reference.  Thanks.

  16. AaronBertrand says:

    You guys keep complaining that I have the incorrect download links, when in fact the destination of those MSFT URLs kept changing from under me (I had tested the links at publish time and somehow, magically, they kept becoming incorrect). So I've taken away the chance for that to happen by removing the download links.

  17. soder says:

    Exactly 10.0.4000 (SP2) –> Install the SP2 GDR (10.0.4064) from KB #2494089 : download
    the "download" URL points to a hotfix, which is NOT 2494089!! That should be fixed. (IL already reported this on June 21, 2011 4:52 AM)

  18. AaronBertrand says:

    I don't think it updates Analysis Services directly; I think it is listed as an affected product because it also ships with the affected client tools (e.g. XML viewer).

  19. JGB says:

    Does KB #2494089 not update the version of Analysis Services instances?  I've installed in our lab and the update states the AS instances are not eligible.  The article seems to indicate it is an affected product, but the update doesn't make any version changes to it.

  20. IL says:

    Aaron, I'm afraid there are two incorrect download links for SQL Server 2008 in the table:
    SP2 GDR (10.0.4064) from KB #2494089 : download
    SP2 QFE (10.0.4311) from KB #2494094 : download
    I click them and receive download page for unexpected KB.

  21. PeterPatrickGo says:

    I just saw news for the Cumulative update for SQL 2008. Really encouraging news for me.

  22. AaronBertrand says:

    Yes, that is the theory at least, if you install a QFE at 9.0.4340, that will include the QFEs (public only) that have a lower build number.
    Now, that is not 100% true with Service Packs, so I'm not sure if there are exceptions here. While it's difficult to cover every single path, they do have some work to do on communicating exactly what happens when you install this or that patch on top of this or that build number.

  23. AndreiT says:

    I'm currently running SP3 CU4 (9.00.4226). Does it mean that after installing this security update I'm also getting all the fixes from CU5 (9.00.4230)  to CU15 (9.00.4325)?

  24. AaronBertrand says:

    That update wasn't offered for me. But, I'm not running SQL Server 2005. <shrug>

  25. Jack Korber says:

    Yes, it was part of this Windows-Update package released this month (got it yesterday).  A bunch of updates for my Win 7 64 bit system.  Just did the normal important update stuff, shut down PC, restarted and after a moment that particular update was "offered" again.  I checked history, it said it had installed successfully.  So, I just shut it down again, restarted, etc, three more times.  Today, it is still 'offered" as an important update so I just hid it.  I figure if it develops as an issue there will be a fix in the future.
    No prior issues that I recall w/ win update (which is all I use to update).  

  26. AaronBertrand says:

    FWIW, I installed 2494086 on Windows 7 x64. The update was not yet offered to me via Windows Update.

  27. AaronBertrand says:

    Sorry Jack, not sure. What operating system? Have you had issues with Windows Update before? I assume you're talking about a Windows Update prompt, right?

  28. Jack Korber says:

    I have installed successfully KB2494113, restarted and been confronted with the same important 4 times now.  Any ideas on how to stop this repeat of the same update?

  29. IL says:

    Thanks for the CTE script! Batch of links to updates:
    It is easy to master links for ia64 or 2005 other than ENU replacing substrings in filename where appropriate.

  30. Chris Wood says:

    What most of us are now looking for, at least I am, is the list of fixes in these builds from the previously publically released CU's and SP's. When a new CU or SP comes out the Release Services blog will announce it and point to the list of fixes. As someone who is still running SQL2005 and starting to upgrade to SP4 it is important to know what else changed between CU3 build 5266 and the fix build 5292.
    I was hoping for details on either of the Release Services blog and/or the CSS blog.

  31. AaronBertrand says:

    Thanks Anders, sloppy on my part. Corrected.

  32. Anders Corlin says:

    The download link for "SQL Server 2008 R2" incorrectly brings up "SQL Server 2008". The right one should be:
    10.50.1600 – KB2494088 –

  33. Neil Hambly says:

    Here is a quick Script to perform the above matrix
    Hope it helps
    ;With CTE_SQLEditions([Major],[Minor],[Build],[BuildMinor])
     parsename(convert(varchar,serverproperty ('productversion')),4) As Major,
     parsename(convert(varchar,serverproperty ('productversion')),3) As Minor,
     parsename(convert(varchar,serverproperty ('productversion')),2) As Build,
     parsename(convert(varchar,serverproperty ('productversion')),1) As Buildminor
    Select *
    WHEN Major = 9 — SQL 2005
    WHEN Build < 4035 THEN 'Upgrade to Service Pack 3 (9.0.4035) or Service Pack 4 (9.0.5000), then come back for the GDR'
    WHEN Build = 4035 THEN 'Install the SP3 GDR (9.0.4060) from KB #2494113'
    WHEN Build > 4035 and Build <= 4339  
    THEN '(a) Upgrade to Service Pack 4 (9.0.5000), then come back for the GDR  OR  (b) Install the SP3 QFE (9.0.4340) from KB #2494112'
    WHEN Build = 5000 THEN 'Install the SP4 GDR (9.0.5057) from KB #2494120'
    WHEN Build > 5000 THEN 'Install the SP4 QFE (9.0.5292) from KB #2494123 '
    WHEN Major = 10 And Minor = 0   — SQL 2008
    WHEN Build < 2531 THEN 'Upgrade to Service Pack 1 (10.0.2531) or Service Pack 2 (10.0.4000), then come back for the GDR'
    WHEN Build = 2531 THEN 'Install the SP1 GDR (10.0.2573) from KB #2494096'
    WHEN Build > 2531 and Build <= 2840  THEN '(a) Upgrade to Service Pack 2 (10.0.4000), then come back for the GDR  OR (b) Install the SP1 QFE (10.0.2841) from KB #2494100'
    WHEN Build = 4000 THEN 'Install the SP2 GDR (10.0.4064) from KB #2494089'
    WHEN Build > 4000 THEN 'Install the SP2 QFE (10.0.4311) from KB #2494094'
    WHEN Major = 10 And Minor = 50 — SQL 2008 R2
    WHEN Build = 1600 THEN 'Install the GDR (10.50.1617) from KB #2494088'
    WHEN Build > 1600 and Build <= 1789 THEN 'Install the QFE (10.50.1790) from KB #2494086'
    WHEN Build > 1789 THEN 'Wait for the final release of Service Pack 1, Watch for cumulative update or updates to MS11-049, At this time there is no fix for the CTP of SQL Server 2008 R2 SP1'
    FROM CTE_SQLEditions