August 12, 2014 | SQL Server, SQL Server 2012

Security Updates Available for SQL Server 2008, 2008 R2, 2012, 2014

If you are running 2008 SP3, 2008 R2 SP2, 2012 SP1 (SP2 is not affected, RTM is no longer supported), or 2014, you'll want to check out Security Bulletin MS14-044 for details on a denial of service / privilege escalation issue that has been patched:

http://technet.microsoft.com/en-us/library/security/MS14-044

For SQL Server 2012 and SQL Server 2014, I've blogged about recent builds and recommendations here:

http://blogs.sentryone.com/team-posts/latest-builds-sql-server-2012/

http://blogs.sentryone.com/team-posts/latest-builds-sql-server-2014/

MOST IMPORTANTLY: Beware that this security update may cause an issue with replication on SQL Server 2012 SP1, as reported by multiple people. If you are on 2012 SP1 and using replication, please don't install this fix until Connect #950118 has been addressed.

14 comments on this post

    • required - August 12, 2014, 10:57 PM

      What about the upcoming Service Packs for SQL Server 2008 and 2008 R2?

    • AaronBertrand - August 12, 2014, 11:04 PM

      @required sorry, I have no news about that.

    • Augustinius - August 15, 2014, 5:09 PM

      If you are at SQL Server 2012 SP2 do you have the patch, or are you vulnerable?

    • AaronBertrand - August 15, 2014, 5:14 PM

      @Augustinius, SP2 is not affected, you do not need to worry about it.

    • Mli - August 20, 2014, 9:32 PM

      I was checking MS14-044 and see there is QFE and GDR. My version is 10.50.4000.0 (SQL 2008 R2 SP2), so I think it is GDR, is that right?

    • AaronBertrand - August 20, 2014, 10:02 PM

      @Mli I would probably install the QFE anyway, since you get all of the cumulative update fixes instead of just this fix. But yes, strictly speaking, you should install the GDR version.

    • Chris Wood - August 28, 2014, 5:03 PM

      So the SQL2012 SP1 fix is now out as build 3467 which also mentioned this was fixed in SP2 CU1. Also implies it was fixed in SP1 CU11 which does not make sense.
      Chris

    • AaronBertrand - August 28, 2014, 5:20 PM

      Hi Chris,
      *sigh* I have sent off a really long nasty-gram about how utterly crappy this series of issues / fixes has been handled. I hope they will revise the KB article to make sense (3467 should probably not have been offered in this KB's downloads).

    • Chris Wood - August 28, 2014, 5:24 PM

      Looking more closely at KB2975402 indicates that it was fixed in SP1 CU11 build 3449, messed up in the MS14-044 build 3460 so that's why they show the builds that they do.
      Also fixed in 2014 CU3.
      Chris

    • AaronBertrand - August 28, 2014, 6:37 PM

      Chris,
      It's pretty sloppy and not explained very well anywhere, especially on the page where you have to pick which fix you want to download. For many it will be pretty logical to pick the filename with the highest build number referenced, but for the rest it will be extremely confusing. I don't envy the story they have to tell but I think they need to tell it better.

    • eric - September 5, 2014, 10:23 PM

      When I tried to install QFE KB2977319 for SQL 2008 R2 SP2, it failed due to the following error (error status: 1642):
      PATCH SEQUENCER: QFE patch C:\…1033_ENU_LP\x64\setup\x64\SqlWriter.msp is not applicable.
      Unknown\Absent: {E01F9CFD-F500-45A4-9060-9AC19D709720} – C:\…\1033_ENU_LP\x64\setup\x64\SqlWriter.msp
      MSI (s) (D4:04) [12:02:09:241]: Product: Microsoft SQL Server VSS Writer – Update '{………}' could not be installed. Error code 1642. Additional information is available in the log file C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Log\20140905_115819\SqlWriter_Cpu64_1.log.
      Any ideas?
      Thanks!

    • AaronBertrand - September 5, 2014, 10:26 PM

      Sorry Eric, can't really troubleshoot setup issues like that remotely. Did you look for more information in the detailed log the error message pointed to?

    • Eric - September 5, 2014, 10:45 PM

      Thanks for the reply. Yes, if you can point me to somewhere. Very little info can be found via Google.
