This week there was a security release for all supported versions of SQL Server. Each version has 32-bit and 64-bit patches, and each version has GDR (General Distribution Release) and QFE (Quick-Fix Engineering) patches. GDR should be applied if you are at the base (RTM or SP) build for your version, while QFE should be applied if you have installed any cumulative updates after the RTM or SP build. (More details here.)
SQL Server 2005
- RTM, SP1, SP2, SP3 - not supported
- SP4 - GDR = 9.00.5069, QFE = 9.00.5324
SQL Server 2008
- RTM, SP1 - not supported
- SP2 - GDR = 10.00.4067, QFE = 10.00.4371
- SP3 - GDR = 10.00.5512, QFE = 10.00.5826
SQL Server 2008 R2
- RTM - not supported
- SP1 - GDR = 10.50.2550, QFE = 10.50.2861
- SP2 - not affected
SQL Server 2012
- RTM - GDR = 11.00.2218, QFE = 11.00.2376
- SP1 - not yet supported; should not be affected once SP1 is released.
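To check an inventory against the list above, the following added example (not part of the original post) classifies each instance from its `SERVERPROPERTY('ProductVersion')` and `SERVERPROPERTY('ProductLevel')` values. The host names and sample builds are constructed, and treating any build below the GDR build as base-branch and any build between the GDR and QFE builds as cumulative-update branch is an assumption to confirm against the KB for your version.

```python
# Patched builds per (major, minor, service-pack level), copied from the list
# above as (GDR build, QFE build). A string is a status taken from the list.
PATCHED = {
    (9, 0, "SP4"): (5069, 5324),
    (10, 0, "SP2"): (4067, 4371),
    (10, 0, "SP3"): (5512, 5826),
    (10, 50, "SP1"): (2550, 2861),
    (10, 50, "SP2"): "not affected",
    (11, 0, "RTM"): (2218, 2376),
}
# Levels the list marks as not supported.
UNSUPPORTED = {
    (9, 0): {"RTM", "SP1", "SP2", "SP3"},
    (10, 0): {"RTM", "SP1"},
    (10, 50): {"RTM"},
}

def classify(product_version, product_level):
    """Return the action for one instance, e.g. ('10.0.4000.0', 'SP2')."""
    major, minor, build = (int(p) for p in product_version.split(".")[:3])
    if product_level in UNSUPPORTED.get((major, minor), ()):
        return "not supported"
    entry = PATCHED.get((major, minor, product_level))
    if entry is None:
        return "not in list"
    if isinstance(entry, str):
        return entry
    gdr, qfe = entry
    if build >= qfe:
        return "patched (QFE branch)"
    if build == gdr:
        return "patched (GDR branch)"
    # Assumption: above the GDR build means cumulative updates are installed.
    return "apply QFE" if build > gdr else "apply GDR"

# Constructed inventory: (host, ProductVersion, ProductLevel).
INVENTORY = [
    ("sql-a", "10.0.4000.0", "SP2"),
    ("sql-b", "10.0.4266.0", "SP2"),
    ("sql-c", "10.50.2861.0", "SP1"),
    ("sql-d", "9.00.5069.00", "SP4"),
    ("sql-e", "10.0.2531.0", "SP1"),
]

def audit(inventory):
    return {host: classify(ver, lvl) for host, ver, lvl in inventory}

if __name__ == "__main__":
    for host, action in audit(INVENTORY).items():
        print(f"{host}: {action}")
```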
Now, a couple of oddities you might have noticed:
- The security bulletin mentions something about SQL Server instances with Reporting Services installed. Yet the KB articles for individual updates state that all instances of SQL Server are eligible for the update. And the update does, in fact, update sqlservr.exe and @@VERSION, even for systems where SSRS is not installed. So until there is some clarification on this point, I'm going to treat this as a patch for all instances.
- Both the GDR and QFE KBs for multiple patches state that the preceding cumulative updates are included. I believe this is a copy & paste error and that the cumulative updates for a specific branch are only included with the QFE patch. I will update here if I get any confirmation on this.
Even if they come back and say, whoops, our bad, the KBs should mention it is SSRS only, and the GDRs do not affect sqlservr.exe and do not include the CU updates, I'm still going to apply the patch everywhere. Why? Well, for consistency, I'd rather have all of my instances at @@VERSION = x, than have the SSRS instances at x and the non-SSRS instances at < x.