Security Updates Available for SQL Server 2008, 2008 R2, 2012, 2014

If you are running 2008 SP3, 2008 R2 SP2, 2012 SP1 (SP2 is not affected, RTM is no longer supported), or 2014, you'll want to check out Security Bulletin MS14-044 for details on a denial of service / privilege escalation issue that has been patched:

For SQL Server 2012 and SQL Server 2014, I've blogged about recent builds and recommendations here:

MOST IMPORTANTLY: Beware that this security update may cause an issue with replication on SQL Server 2012 SP1, as reported by multiple people. If you are on 2012 SP1 and using replication, please don't install this fix until Connect #950118 has been addressed.
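A pre-install check for the conditions described above, as an added example that is not from the original post or from Microsoft: it reports the instance's version and service pack level and whether any database is configured for replication. The wording of the `assessment` column is an assumption built only from the branches named in this post; confirm against MS14-044 itself.

```sql
-- Added example (not from the original post): run on each instance before
-- installing the MS14-044 update. Works on SQL Server 2008 through 2014.
SET NOCOUNT ON;

DECLARE @version varchar(32) = CAST(SERVERPROPERTY('ProductVersion') AS varchar(32));
DECLARE @level   varchar(32) = CAST(SERVERPROPERTY('ProductLevel')   AS varchar(32));

-- ProductVersion is major.minor.build.revision, e.g. 10.50.4000.0
DECLARE @major int = CAST(PARSENAME(@version, 4) AS int);
DECLARE @minor int = CAST(PARSENAME(@version, 3) AS int);

-- Databases acting as publisher, merge publisher, or distributor.
-- Limitation: a subscriber-only instance is not detected here
-- (sys.databases.is_subscribed is not populated), so check subscriptions
-- separately if this returns 0.
DECLARE @repl int;
SELECT @repl = COUNT(*)
FROM sys.databases
WHERE is_published = 1 OR is_merge_published = 1 OR is_distributor = 1;

SELECT
    @version AS product_version,
    @level   AS product_level,
    @repl    AS replication_databases,
    CASE
        WHEN @major = 11 AND @level = 'SP2'
            THEN '2012 SP2: not affected'
        WHEN @major = 11 AND @level = 'RTM'
            THEN '2012 RTM: no longer supported'
        WHEN @major = 11 AND @level = 'SP1' AND @repl > 0
            THEN '2012 SP1 with replication: hold until Connect #950118 is addressed'
        WHEN (@major = 10 AND @minor = 0  AND @level = 'SP3')   -- 2008 SP3
          OR (@major = 10 AND @minor = 50 AND @level = 'SP2')   -- 2008 R2 SP2
          OR (@major = 11 AND @level = 'SP1')                   -- 2012 SP1
          OR (@major = 12)                                      -- 2014
            THEN 'Listed in the post: review MS14-044 and plan the update'
        ELSE 'Branch not listed in the post: check MS14-044 directly'
    END AS assessment;
```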

Aaron Bertrand

I am a passionate technologist with industry experience dating back to Classic ASP and SQL Server 6.5. I am a long-time Microsoft MVP, write at SQLPerformance and MSSQLTips, and have had the honor of speaking at more conferences than I can remember. In non-tech life, I am a father of two, a huge hockey and football fan, and my pronouns are he/him. If I've helped you out, consider thanking me with a coffee. :-)

14 Responses

  1. Eric says:

    Thanks for the reply. Yes, if you can point me to somewhere. Very little info can be found via Google.

  2. AaronBertrand says:

    Sorry Eric, can't really troubleshoot setup issues like that remotely. Did you look for more information in the detailed log the error message pointed to?

  3. eric says:

    When I tried to install QFE KB2977319 for SQL 2008 R2 SP2, it failed due to the following error (error status: 1642).
    PATCH SEQUENCER: QFE patch C:\…1033_ENU_LP\x64\setup\x64\SqlWriter.msp is not applicable.
    Unknown\Absent: {E01F9CFD-F500-45A4-9060-9AC19D709720} – C:\…\1033_ENU_LP\x64\setup\x64\SqlWriter.msp
    MSI (s) (D4:04) [12:02:09:241]: Product: Microsoft SQL Server VSS Writer – Update '{………}' could not be installed. Error code 1642. Additional information is available in the log file C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Log\20140905_115819\SqlWriter_Cpu64_1.log.
    Any ideas?

  4. AaronBertrand says:

    It's pretty sloppy and not explained very well anywhere, especially on the page where you have to pick which fix you want to download. For many it will be pretty logical to pick the filename with the highest build number referenced, but for the rest it will be extremely confusing. I don't envy the story they have to tell but I think they need to tell it better.

  5. Chris Wood says:

    Looking more closely at KB2975402 indicates that it was fixed in SP1 CU11 build 3449, messed up in the MS14-044 build 3460 so that's why they show the builds that they do.
    Also fixed in 2014 CU3.

  6. AaronBertrand says:

    Hi Chris,
    *sigh* I have sent off a really long nasty-gram about how utterly crappily this series of issues / fixes has been handled. I hope they will revise the KB article to make sense (3467 should probably not have been offered in this KB's downloads).

  7. Chris Wood says:

    So the SQL2012 SP1 fix is now out as build 3467 which also mentioned this was fixed in SP2 CU1. Also implies it was fixed in SP1 CU11 which does not make sense.

  8. AaronBertrand says:

    @Mli I would probably install the QFE anyway, since you get all of the cumulative update fixes instead of just this fix. But yes, strictly speaking, you should install the GDR version.

  9. Mli says:

    I was checking MS14-044 and see there is QFE and GDR. My version is 10.50.4000.0 (SQL 2008 R2 SP2), so I think it is GDR, is that right?

  10. Mli says:

    I was checking MS14-044 and see there is QFE and GDR. My version is 10.50.4000.0 (SQL 2008 R2 SP2), so I think it is GDR, is that right?

  11. AaronBertrand says:

    @Augustinius, SP2 is not affected, you do not need to worry about it.

  12. Augustinius says:

    If you are at SQL Server 2012 SP2 do you have the patch, or are you vulnerable?

  13. AaronBertrand says:

    @required sorry, I have no news about that.

  14. required says:

    What about the upcoming Service Packs for SQL Server 2008 and 2008 R2?