It's patch Tuesday!
[UPDATE June 19: Please see my follow-up post about this security update.]
Today Microsoft released a security bulletin covering several issues that could potentially affect SQL Server; the vulnerabilities include remote code execution, denial of service, information disclosure and elevation of privilege. You should test these patches on all machines running SQL Server, including those running only client tools (e.g. Management Studio or Management Studio Express). The updates affect the following versions of SQL Server:
- SQL Server 2005 SP3
- SQL Server 2005 SP4
- SQL Server 2008 SP1
- SQL Server 2008 SP2
- SQL Server 2008 R2
So, depending on your SQL Server version (run `SELECT @@VERSION;`), here is what you should do:
| If you are running... | And your build number is... | Your best course of action is probably to... |
|---|---|---|
| SQL Server 2005 | Less than 9.0.4035 | Upgrade to Service Pack 3 (9.0.4035) or Service Pack 4 (9.0.5000), then come back for the GDR |
| SQL Server 2005 | Exactly 9.0.4035 (SP3) | Install the SP3 GDR (9.0.4060) from KB #2494113 |
| SQL Server 2005 | Between 9.0.4036 and 9.0.4339 | (a) Upgrade to Service Pack 4 (9.0.5000), then come back for the GDR, OR (b) install the SP3 QFE (9.0.4340) from KB #2494112 |
| SQL Server 2005 | Exactly 9.0.5000 (SP4) | Install the SP4 GDR (9.0.5057) from KB #2494120 |
| SQL Server 2005 | Greater than 9.0.5000 | Install the SP4 QFE (9.0.5292) from KB #2494123 |
| SQL Server 2008 | Less than 10.0.2531 | Upgrade to Service Pack 1 (10.0.2531) or Service Pack 2 (10.0.4000), then come back for the GDR |
| SQL Server 2008 | Exactly 10.0.2531 (SP1) | Install the SP1 GDR (10.0.2573) from KB #2494096 |
| SQL Server 2008 | Between 10.0.2532 and 10.0.2840 | (a) Upgrade to Service Pack 2 (10.0.4000), then come back for the GDR, OR (b) install the SP1 QFE (10.0.2841) from KB #2494100 |
| SQL Server 2008 | Exactly 10.0.4000 (SP2) | Install the SP2 GDR (10.0.4064) from KB #2494089 |
| SQL Server 2008 | Greater than 10.0.4000 | Install the SP2 QFE (10.0.4311) from KB #2494094 |
| SQL Server 2008 R2 | Exactly 10.50.1600 (RTM) | Install the GDR (10.50.1617) from KB #2494088 |
| SQL Server 2008 R2 | Between 10.50.1601 and 10.50.1789 | Install the QFE (10.50.1790) from KB #2494086 |
| SQL Server 2008 R2 | Greater than 10.50.1790 (e.g. 10.50.2418 or 10.50.2425) | Wait for the final release of Service Pack 1; watch for a cumulative update or updates to MS11-049. At this time there is no fix for the CTP of SQL Server 2008 R2 SP1 |
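If you manage more than a handful of instances, it is worth encoding the table so the decision is made the same way every time. The script below is an added example, not code from the original post: it takes the strings returned by `SELECT SERVERPROPERTY('ProductVersion')` (the `major.minor.build.revision` form, which is easier to parse than the free text of `@@VERSION`), finds the servicing branch each build sits on, and returns the action from the table. The build numbers and KB ids are the ones listed above; the sample inventory at the bottom is constructed. It goes one step beyond the table in one respect, labelled in the code: a build equal to the GDR build, or at or above the QFE build on the same branch, is reported as already fixed, on the assumption that later builds on a branch are cumulative.

```python
"""Map SQL Server ProductVersion strings to the MS11-049 actions in the table above.

Added example, not part of the original post. Inputs are the values returned by
SELECT SERVERPROPERTY('ProductVersion') on each instance.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Branch:
    """One servicing branch (RTM or a service pack) and its MS11-049 fix builds."""
    product: str            # e.g. "SQL Server 2005"
    level: str              # "SP3", "RTM", ...
    major: int
    minor: int
    low: int                # build number of the RTM/SP release itself
    high: int               # first build that belongs to the next branch
    gdr: Optional[int]      # GDR build, if one exists for this branch
    gdr_kb: Optional[str]
    qfe: Optional[int]      # QFE build, if one exists for this branch
    qfe_kb: Optional[str]
    next_sp: Optional[str]  # alternative to the QFE: move to the next SP, then take its GDR


INF = 10 ** 9  # open-ended upper bound for the newest branch of a product

# Build numbers and KB ids below are the ones listed in the post's table.
BRANCHES = (
    Branch("SQL Server 2005", "SP3", 9, 0, 4035, 5000, 4060, "KB #2494113", 4340, "KB #2494112", "Service Pack 4 (9.0.5000)"),
    Branch("SQL Server 2005", "SP4", 9, 0, 5000, INF, 5057, "KB #2494120", 5292, "KB #2494123", None),
    Branch("SQL Server 2008", "SP1", 10, 0, 2531, 4000, 2573, "KB #2494096", 2841, "KB #2494100", "Service Pack 2 (10.0.4000)"),
    Branch("SQL Server 2008", "SP2", 10, 0, 4000, INF, 4064, "KB #2494089", 4311, "KB #2494094", None),
    Branch("SQL Server 2008 R2", "RTM", 10, 50, 1600, 1791, 1617, "KB #2494088", 1790, "KB #2494086", None),
    # Builds above the RTM QFE (the SP1 CTP, e.g. 10.50.2418) had no fix at the time.
    Branch("SQL Server 2008 R2", "SP1 CTP", 10, 50, 1791, INF, None, None, None, None, None),
)


def parse_product_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, build) from '9.00.4035.00'-style ProductVersion text."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a SQL Server ProductVersion string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def _fmt(branch: Branch, build: int) -> str:
    return f"{branch.major}.{branch.minor}.{build}"


def recommend(product_version: str) -> str:
    """Return the table's recommended action for one instance's ProductVersion."""
    major, minor, build = parse_product_version(product_version)
    family = [b for b in BRANCHES if (b.major, b.minor) == (major, minor)]
    if not family:
        return "Version not covered by the table; check the MS11-049 bulletin"

    branch = next((b for b in family if b.low <= build < b.high), None)
    if branch is None:
        # Older than the oldest serviced SP: move to a listed SP first, then patch.
        targets = " or ".join(f"{b.level} ({_fmt(b, b.low)})" for b in family if b.gdr)
        return f"Upgrade to {targets}, then come back for the GDR"

    if branch.gdr is None or branch.qfe is None:
        return "No fix available yet; wait for the final Service Pack 1 or a cumulative update for MS11-049"

    # Assumption beyond the table: the GDR build itself, the QFE build, and any
    # later build on the same branch already contain the fix (builds are cumulative).
    if build == branch.gdr or build >= branch.qfe:
        return f"Already at or above the fixed build ({_fmt(branch, branch.gdr)} / {_fmt(branch, branch.qfe)}); no MS11-049 action needed"

    if build == branch.low:
        return f"Install the {branch.level} GDR ({_fmt(branch, branch.gdr)}) from {branch.gdr_kb}"

    qfe_action = f"install the {branch.level} QFE ({_fmt(branch, branch.qfe)}) from {branch.qfe_kb}"
    if branch.next_sp:
        return f"(a) Upgrade to {branch.next_sp}, then come back for the GDR, OR (b) {qfe_action}"
    return qfe_action[0].upper() + qfe_action[1:]


if __name__ == "__main__":
    # Constructed sample inventory: host name -> ProductVersion as reported by the instance.
    inventory = {
        "sql05-a": "9.00.4035.00",
        "sql05-b": "9.00.4200.00",
        "sql08-a": "10.0.4100.0",
        "sqlr2-a": "10.50.1600.1",
        "sqlr2-b": "10.50.2425.0",
    }
    for host, version in inventory.items():
        print(f"{host:10} {version:14} {recommend(version)}")
```

The branch table is the only thing you would maintain: when a service pack or a later bulletin changes the picture, add or adjust a `Branch` row rather than editing the decision logic.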
What is the difference between a GDR and a QFE? A GDR (general distribution release) is one that Microsoft support deems necessary for all systems running SQL Server. A QFE (quick fix engineering) is one that does not affect everyone. Why are there two releases for this important fix? Well, one reason is that after a QFE is installed, it is no longer possible to install a GDR. So, if you have a system that has had previous cumulative updates or QFEs applied, the GDR might not work for you. If you have a system that is exactly at one of the levels described above, then the GDR is probably the better choice, because it will allow you to install either a GDR or a QFE in the future, whereas installing a QFE on such a system kind of paints you into a corner.
There is also a GDR available if you are running Management Studio Express 2005 (but none seem to be listed at this time for the 2008 or 2008 R2 versions):
As an aside, even if you are not running SQL Server, you should review the grander bulletin to see how else these issues may affect you... and be sure to register to tune in to tomorrow's webcast.