July 14, 2015 | SQL Server, SQL Server 2012

Vulnerability Affecting All Supported Versions of SQL Server

Well, it's that time again: Patch Tuesday. SQL Server hasn't had a security update since August, but today we're giving the hotfix download servers a run for their money. Both GDR and QFE fixes were released in Security Bulletin MS15-058 to address a remote code execution vulnerability (for details on the exploit, see KB #3065718).

The long and short of it is, if you are running any of the following versions, you need to apply the patch:

  • SQL Server 2014 SP1 – unaffected, but there is a GDR for a wrong results bug
  • SQL Server 2014 RTM – affected
  • SQL Server 2012 SP2 – affected
  • SQL Server 2012 SP1 – affected
  • SQL Server 2012 RTM – likely affected but you need to move to SP1 or SP2 for the fix
  • SQL Server 2008 R2 SP3 – affected
  • SQL Server 2008 R2 SP2 – affected
  • SQL Server 2008 R2 SP1 – likely affected but you need to move to SP2 or SP3 for the fix
  • SQL Server 2008 R2 RTM – likely affected but you need to move to SP2 or SP3 for the fix
  • SQL Server 2008 SP4 – affected
  • SQL Server 2008 SP3 – affected
  • SQL Server 2008 SP2 – likely affected but you need to move to SP3 or SP4 for the fix
  • SQL Server 2008 SP1 – likely affected but you need to move to SP3 or SP4 for the fix
  • SQL Server 2008 RTM – likely affected but you need to move to SP3 or SP4 for the fix

If you want to determine which build you have, which patch you should apply, and whether you should take the GDR or QFE fix, I drew up a quick matrix over on our team blog:

Older versions are possibly affected, but a fix won't be made available through general public channels.
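To make the build check concrete, here is an added Python example (not Aaron's matrix and not a Microsoft tool) that parses a @@VERSION or SERVERPROPERTY('ProductVersion') string and reports whether a SQL Server 2012 SP2 build needs the GDR, needs the QFE, or is already fixed; it also reproduces the case from the comments, where an SP2 CU build is too high for the GDR and needs the QFE instead. Only the 11.0.5613 QFE build is quoted in the post; the branch baseline, GDR and first-CU builds in the table are assumed values to confirm against the bulletin before use.

```python
import re
from dataclasses import dataclass
from typing import Tuple

Build = Tuple[int, int, int]


@dataclass(frozen=True)
class Branch:
    """Build ranges for one service-pack branch of SQL Server."""
    name: str
    base: Build       # SP baseline build, no cumulative updates applied
    gdr_fixed: Build  # build after the MS15-058 GDR package
    cu_start: Build   # first CU build on this branch (QFE train starts here)
    qfe_fixed: Build  # build after the MS15-058 QFE package


# 11.0.5613 (2012 SP2 QFE, KB3045319) is the one build quoted in the post.
# The other three numbers are ASSUMED for illustration; verify them against
# the MS15-058 bulletin or the build matrix before relying on them.
BRANCHES = sorted(
    [Branch("SQL Server 2012 SP2", (11, 0, 5058), (11, 0, 5343), (11, 0, 5532), (11, 0, 5613))],
    key=lambda b: b.base, reverse=True,   # highest baseline first, so the newest SP wins
)


def parse_build(version_text: str) -> Build:
    """Pull major.minor.build out of @@VERSION or ProductVersion output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\b", version_text)
    if not m:
        raise ValueError("no build number found in: %r" % version_text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def classify(build: Build) -> str:
    """Say whether a build needs the GDR, needs the QFE, or is already fixed."""
    for b in BRANCHES:
        if build[:2] != b.base[:2] or build < b.base:
            continue                                   # wrong major version or older SP
        if build < b.cu_start:                         # GDR train: baseline plus GDR-only fixes
            return "patched" if build >= b.gdr_fixed else "apply GDR for " + b.name
        return "patched" if build >= b.qfe_fixed else "apply QFE for " + b.name
    return "no fix level in table for this build: check the bulletin matrix"


def check(version_text: str) -> str:
    return classify(parse_build(version_text))


if __name__ == "__main__":
    # Constructed @@VERSION-style sample: 2012 SP2 with a CU applied (the comments' case).
    print(check("Microsoft SQL Server 2012 (SP2) - 11.0.5592.0 (X64) Feb 2015 Enterprise Edition"))
```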

12 comments on this post

    • Svetlana Golovko - July 19, 2015, 8:43 PM

      Thanks Aaron for putting this together.
      I am also not sure if this update is applicable to SQL Server 2012 SP2 CU6. When we tried to install it we had an error saying that we have a version higher than required.

    • AaronBertrand - July 19, 2015, 9:18 PM

      Svetlana, I think it's likely that you grabbed the wrong download (perhaps the GDR instead of the QFE). For 2012 SP2 CU6, you want SQLServer2012-KB3045319-x64.exe (11.0.5613) from https://support.microsoft.com/en-us/kb/3045319

    • Svetlana Golovko - July 21, 2015, 4:28 PM

      Thanks, Aaron. I will check with our DBA that was installing it.

    • Stephen Byers - July 31, 2015, 5:40 PM

      I just tried to install this update on SQL Server 2008 SP3. I stopped all the SQL services and extracted the update.
      On the selected features in the wizard I cannot select MSSQLSERVER, as it states the version installed is 10.0.1600.22 (RTM), but when I go into About in SQL Management Studio I am on 10.0.5520.0.
      Any ideas? Could it be because I stopped the SQL services?

    • AaronBertrand - July 31, 2015, 6:07 PM

      @Stephen It sounds like you applied SP3 to your management tools but not your database engine. You don't check the version of the engine by looking at Help | About in Management Studio, you use SELECT @@VERSION; in a query window.

    • Stephen Byers - August 4, 2015, 5:29 PM

      Hi Aaron, thanks for your reply.
      I connected to the instance and executed Select @@Version. I got the same info – build 10.0.5520.0 (x64) – I have tried to run the GDR update 3045305 (x64) https://www.microsoft.com/en-us/download/details.aspx?id=48005
      But as I said earlier, the option to select MSSQLSERVER on select features to update is greyed out. I can check and uncheck WSUS only.
      When I click on MSSQLSERVER it tells me that "The version of SQL Server instance MSSQLSERVER does not match the version expected by the update. The installed SQL Server product version is 10.0.1600.22, and the expected version is 10.3.5500.0"

    • AaronBertrand - August 4, 2015, 5:42 PM

      @Stephen This is going to sound like a dumb question, but when you say "I connected to the instance" – is it on a different machine than where you're trying to run the GDR? If you download the GDR update to your desktop and run it there, it can't apply the update to an instance that's on a different machine.
      If everything is on the same machine and @@VERSION reports 10.0.5520 and the installer detects 10.0.1600, and you are absolutely certain those both represent the exact same instance, you'll need to contact support, because you've uncovered a bug I've never seen and don't know how to fix, sorry.

    • Stephen Byers - August 4, 2015, 5:50 PM

      Hi Aaron,
      Yes, I am logged onto the server and connecting to localhost. I have the patch downloaded to the C: drive of the server and am running it from there.
      I cannot see any other reason I am getting this problem, so I will have to log a support call. Thanks for your efforts!
      Keep up the good work on the blog!

    • Stephen Byers - August 5, 2015, 1:21 PM

      I solved my issue by re-installing SP3.
      After reinstalling SP3 I checked the log file and the SQL instance version was at the required level, but Reporting Services had been installed post-SP3 and had not been patched; it was showing the RTM level and causing the problems. All good now.
      Phew, saved a few hundred bucks there.
      Thanks Aaron!

    • AaronBertrand - August 6, 2015, 10:58 PM

      Ok, so somewhere along the way the installer was checking the version of SSRS only? Sounds weird.

    • Zoran Lee - August 18, 2015, 7:40 PM

      Aaron,
      2005 is not included in this patch, but it is not on an excluded list. Actually, I don't see an exclude list. AFAIK versions on extended support should still get security patches.
      I see "Older versions are possibly affected, but a fix won't be made available through general public channels." Is this applicable for this MS15-058 and 2005? Thanks

    • AaronBertrand - August 18, 2015, 7:48 PM

      Hi Zoran, I'm not sure if it means it is not affected or if it is but there is simply no intention to release a public patch. If you are on an extended support contract (sorry, I don't know anyone who is), you can probably get a straight answer from your support rep (an extended support contract should have a primary contact who will know the answer or know where to get it, and if there is an applicable patch for extended support customers, how to get you the file as well).
