Patch Tuesday : Security Updates for SQL Server 2012, 2014, 2016

Security updates were released today to patch a remote code execution vulnerability in Reporting Services, affecting the following versions (there are both GDR and CU versions available). See the appropriate "latest builds" post for more info and links to KB articles:

While it looks like this is isolated to Reporting Services, the patch touches a lot of files and updates the engine version, which leads me to believe the vulnerability is currently exploited via SSRS, but the underlying problem has deeper roots. The fact that they provided GDR fixes, and for versions that are no longer in mainstream support, suggests that it is a high-priority fix.

So, if you're wondering whether you should deploy this to instances where you currently don't use SSRS, I would say, yes, please install the patch anyway.

Aaron Bertrand