SQLBlog.org

archives disclaimers
archives shortcuts bad habits
disclaimers
SQLBlog Home
bad habits
shortcuts
MERGE NOLOCK dates dynamic SQL
splitting SQL Server 2022 how to ask

MS12-070 : Security Updates for all supported versions of SQL Server

Aaron Bertrand SQL Server 11

This week there was a security release for all supported versions of SQL Server. Each version has 32-bit and 64-bit patches, and each version has GDR (General Distribution Release) and QFE (Quick-Fix Engineering) patches. GDR should be applied if you are at the base (RTM or SP) build for your version, while QFE should be applied if you have installed any cumulative updates after the RTM or SP build. (More details here.)

SQL Server 2005

  • RTM, SP1, SP2, SP3 – not supported 
  • SP4 – GDR = 9.00.5069, QFE = 9.00.5324 

SQL Server 2008

  • RTM, SP1 – not supported 
  • SP2 – GDR = 10.00.4067, QFE = 10.00.4371
  • SP3 – GDR = 10.00.5512, QFE = 10.00.5826

SQL Server 2008 R2

  • RTM – not supported
  • SP1 – GDR = 10.50.2550, QFE = 10.50.2861
  • SP2 – not affected 

SQL Server 2012

  • RTM: GDR = 11.00.2218, QFE = 11.00.2376 
  • SP1 – not yet supported; should not be affected once SP1 is released.

Now, a couple of oddities you might have noticed:

  1. The security bulletin mentions something about SQL Server instances with Reporting Services installed. Yet the KB articles for individual updates state that all instances of SQL Server are eligible for the update. And the update does, in fact, update sqlservr.exe and @@VERSION, even for systems where SSRS is not installed. So until there is some clarification on this point, I'm going to treat this as a patch for all instances.
     
  2. Both the GDR and QFE KBs for multiple patches state that the preceding cumulative updates are included. I believe this is a copy & paste error and that the cumulative updates for a specific branch are only included with the QFE patch. I will update here if I get any confirmation on this.
Even if they come back and say, whoops, our bad, the KBs should mention it is SSRS only, and the GDRs do not affect sqlservr.exe and do not include the CU updates, I'm still going to apply the patch everywhere. Why? Well, for consistency, I'd rather have all of my instances at @@VERSION = x, than have the SSRS instances at x and the non-SSRS instances at < x.
 

Aaron Bertrand

I am a passionate technologist with industry experience dating back to Classic ASP and SQL Server 6.5. I am a long-time Microsoft MVP, write at SQLPerformance and MSSQLTips, and have had the honor of speaking at more conferences than I can remember. In non-tech life, I am a father of two, a huge hockey and football fan, and my pronouns are he/him.

11 Responses

  1. tom says:
    August 26, 2014 at 2:36 PM

    we are scheduling an upgrade of Reporting Services servers to SP3, 10.00.5512 [Microsoft SQL Server 2008 (SP3) MS12-070 from 10.00.2531 [Microsoft SQL Server 2008 (SP1).  will we need to reboot the server after the upgrade?

  2. Selami Ozlu says:
    May 28, 2014 at 11:30 PM

    Microsoft released new cumulative updates for SQL Server

  3. Galib Jamal says:
    February 22, 2013 at 11:53 AM

    @ Simon
    Workaround in case reporting /integration services does not start after patch deployment
    Modify registry
    Regedit Browse
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
    add registry DWORD Value ServicesPipeTimeout
    Modify it with Decimal value 60000
    Restart server to have changes to take effect.
    Reporting and intgration serivices started

  4. Simon Seow says:
    November 6, 2012 at 5:12 AM

    Some of the SQL 2005 servers' reporting service and integration service in my company could not start after applying GDR 5069. I need to uninstall the update and reboot server and the reporting and integration services will be up again.

  5. Chris Wood says:
    October 11, 2012 at 6:02 PM

    Hopefully Microsoft will either make a statement or change the KB's. As my site runs QFE CU's we really need to know what we are getting if we apply the update especially on our remaining SQL2005 servers.
    Chris

  6. Steven White says:
    October 11, 2012 at 6:00 PM

    I agree about the fix sending mixed messages.
    The GDR should be the fix only (as every previous GDR patch has been as far as I remember) and this breaks with that norm.

  7. Aaron Bertrand says:
    October 11, 2012 at 2:33 PM

    Steven, the GDR fixes should *not* contain any of the CU updates. That's kind of the point of them (notice the much lower build number) and the only difference from QFE. So there is some very mixed messaging going on – either the security bulletin should not say it's SSRS only, or the individual KBs should. And if a patch for SSRS also requires patching for the binaries, wouldn't it make sense to install the patch and get the binaries up to date, even if you're not running SSRS now (but might in the future)? Or to keep your non-SSRS instances consistent with the patched instances?

  8. Chris Nelson says:
    October 11, 2012 at 1:33 PM

    October 9th was Patch Tuesday, I don't think any of these SQL Server Updates appear in Microsoft Update yet, at least on my developer workstation, none do. 🙁

  9. Steven White says:
    October 11, 2012 at 11:05 AM

    The KB's do say that the security update contains all the updates which are included in CU 'x' to 'xx' which would explain the additional files e.g. sqlservr.exe

  10. AaronBertrand says:
    October 11, 2012 at 5:53 AM

    @Yalcin I don't think that's necessarily true. The QFE updates include CU fixes, increment @@VERSION and touch sqlservr.exe, even for instances without SSRS installed. Also the KB articles don't mention anything about SSRS, only the security bulletin mentions that. Until I hear otherwise I am treating this as an "all instances" patch with the same type of priority as a cumulative update.

  11. Yalcin Gulas says:
    October 10, 2012 at 11:49 PM

    Hi aaron
    Did you read The bulletin briefly I think updates are only for instances that have reporting services installation