Patch Tuesday : Security Updates for SQL Server 2012, 2014, 2016

Image courtesy ElasticComputeFarm

Security updates were released today to patch a remote code execution vulnerability in Reporting Services, affecting the following versions (there are both GDR and CU versions available). See the appropriate "latest builds" post for more info and links to KB articles:

While it looks like this is isolated to Reporting Services, the patch touches a lot of files, and updates the engine version, which leads me to believe the vulnerability is currently exploited via SSRS, but the underlying problem has deeper roots. The fact that they provided GDR fixes and for versions that are no longer in mainstream support suggest that it is a high priority fix.

So, if you're wondering whether you should deploy this to instances where you currently don't use SSRS, I would say, yes, please install the patch anyway.

Aaron Bertrand

I am a passionate technologist with industry experience dating back to Classic ASP and SQL Server 6.5. I am a long-time Microsoft MVP, speak frequently at conferences, and write at SQLPerformance and MSSQLTips. In real life I am a father of two, an architect at Wayfair, and my pronouns are he/him.