THE SQL Server Blog Spot on the Web


Aaron Bertrand

Aaron is a Product Evangelist for SentryOne, makers of Plan Explorer and a performance monitoring and event management platform for the Microsoft Data Platform and VMware. He has been blogging here at sqlblog.com since 2006, focusing on manageability, performance, and new features, and also blogs at blogs.sentryone.com and SQLPerformance.com; has been a Microsoft MVP since 1997; tweets as @AaronBertrand; and speaks frequently at major conferences, user group meetings, and SQL Saturday events worldwide.

Vulnerability Affecting All Supported Versions of SQL Server

Well, it's that time again: Patch Tuesday. SQL Server hasn't had a security update since August, but today we're giving the hotfix download servers a run for their money. Both GDR and QFE fixes were released in Security Bulletin MS15-058, to address a remote code execution vulnerability (for details on the exploit, see KB #3065718).

The long and short of it is, if you are running any of the following versions, you need to apply the patch:

  • SQL Server 2014 SP1 - unaffected, but there is a GDR for a wrong results bug
  • SQL Server 2014 RTM - affected
  • SQL Server 2012 SP2 - affected
  • SQL Server 2012 SP1 - affected
  • SQL Server 2012 RTM - likely affected but you need to move to SP1 or SP2 for the fix
  • SQL Server 2008 R2 SP3 - affected
  • SQL Server 2008 R2 SP2 - affected
  • SQL Server 2008 R2 SP1 - likely affected but you need to move to SP2 or SP3 for the fix
  • SQL Server 2008 R2 RTM - likely affected but you need to move to SP2 or SP3 for the fix
  • SQL Server 2008 SP4 - affected
  • SQL Server 2008 SP3 - affected
  • SQL Server 2008 SP2 - likely affected but you need to move to SP3 or SP4 for the fix
  • SQL Server 2008 SP1 - likely affected but you need to move to SP3 or SP4 for the fix
  • SQL Server 2008 RTM - likely affected but you need to move to SP3 or SP4 for the fix

If you want to determine which build you have, which patch you should apply, and whether you should take the GDR or QFE fix, I drew up a quick matrix over on our team blog:

Older versions are possibly affected, but a fix won't be made available through general public channels.
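The list above is keyed on major version plus service pack level, which is exactly what the engine reports through SERVERPROPERTY. The following T-SQL is an added example (not from the original post or from Microsoft's KB) that reads the local instance's version and service pack level and maps them to the action the post gives for that branch; the branch and action strings are my own labels. Run it in a query window connected to the database engine itself, since Help | About in Management Studio reports the client tools, not the engine.

```sql
-- Added example: classify the connected engine against the MS15-058 list in the post.
-- Assumes SQL Server 2008 or later (inline DECLARE initializers, SERVERPROPERTY values).
DECLARE @ver nvarchar(128) = CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion')); -- e.g. 11.0.5613.0
DECLARE @lvl nvarchar(128) = CONVERT(nvarchar(128), SERVERPROPERTY('ProductLevel'));   -- RTM, SP1, SP2 ...

-- ProductVersion is a dotted 4-part string, so PARSENAME can split it like an object name:
-- part 4 = major, part 3 = minor (50 for 2008 R2), part 2 = build.
DECLARE @major int = PARSENAME(@ver, 4),
        @minor int = PARSENAME(@ver, 3),
        @build int = PARSENAME(@ver, 2);

DECLARE @branch nvarchar(40) = CASE
    WHEN @major = 12                  THEN N'SQL Server 2014'
    WHEN @major = 11                  THEN N'SQL Server 2012'
    WHEN @major = 10 AND @minor = 50  THEN N'SQL Server 2008 R2'
    WHEN @major = 10 AND @minor = 0   THEN N'SQL Server 2008'
    WHEN @major < 10                  THEN N'older than 2008'
    ELSE                                   N'newer than 2014' END;

-- Action text follows the post's list: branches it marks "likely affected but you need to
-- move to SPx" are flagged for a service pack upgrade before the security update can apply.
DECLARE @action nvarchar(200) = CASE
    WHEN @branch = N'SQL Server 2014'    AND @lvl = N'SP1'                      THEN N'Unaffected; optional GDR for a wrong-results bug'
    WHEN @branch = N'SQL Server 2014'    AND @lvl = N'RTM'                      THEN N'Affected: apply the MS15-058 update'
    WHEN @branch = N'SQL Server 2012'    AND @lvl IN (N'SP1', N'SP2')           THEN N'Affected: apply the MS15-058 update'
    WHEN @branch = N'SQL Server 2012'    AND @lvl = N'RTM'                      THEN N'Likely affected: move to SP1 or SP2, then patch'
    WHEN @branch = N'SQL Server 2008 R2' AND @lvl IN (N'SP2', N'SP3')           THEN N'Affected: apply the MS15-058 update'
    WHEN @branch = N'SQL Server 2008 R2' AND @lvl IN (N'RTM', N'SP1')           THEN N'Likely affected: move to SP2 or SP3, then patch'
    WHEN @branch = N'SQL Server 2008'    AND @lvl IN (N'SP3', N'SP4')           THEN N'Affected: apply the MS15-058 update'
    WHEN @branch = N'SQL Server 2008'    AND @lvl IN (N'RTM', N'SP1', N'SP2')   THEN N'Likely affected: move to SP3 or SP4, then patch'
    WHEN @branch = N'older than 2008'                                           THEN N'Possibly affected; no fix through public channels'
    ELSE                                                                             N'Not covered by the MS15-058 list' END;

SELECT @branch               AS branch,
       @lvl                  AS service_pack,
       @ver                  AS product_version,
       @build                AS build,
       SERVERPROPERTY('Edition') AS edition,
       @action               AS action_per_post;
```

The build column is what you compare against the matrix to decide between the GDR and QFE packages; the version list alone only tells you which branch you are on. Run this on every instance and, as the comment thread below shows, remember that the security update also checks other components installed on the box (such as Reporting Services), so a component left at RTM after a later service pack can block the installer even when the engine itself is at the expected level.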
Published Tuesday, July 14, 2015 8:45 PM by AaronBertrand

Svetlana Golovko said:

Thanks Aaron for putting this together.

I am also not sure if this update is applicable to SQL Server 2012 SP2 CU6. When we tried to install it we had an error saying that we have a version higher than required.

July 19, 2015 1:43 PM
 

AaronBertrand said:

Svetlana, I think it's likely that you grabbed the wrong download (perhaps the GDR instead of the QFE). For 2012 SP2 CU6, you want SQLServer2012-KB3045319-x64.exe (11.0.5613) from https://support.microsoft.com/en-us/kb/3045319

July 19, 2015 2:18 PM
 

Svetlana Golovko said:

Thanks, Aaron. I will check with our DBA that was installing it.

July 21, 2015 9:28 AM
 

Stephen Byers said:

I just tried to install this update on SQL Server 2008 SP3 - stopped all the SQL services and extracted the update

On the selected features in the wizard I cannot select MSSQLSERVER as it states the version installed is 10.0.1600.22 (RTM) but when I go into About in SQL Management Studio I am on 10.0.5520.0

Any ideas, could it be because I stopped sql services?

July 31, 2015 10:40 AM
 

AaronBertrand said:

@Stephen It sounds like you applied SP3 to your management tools but not your database engine. You don't check the version of the engine by looking at Help | About in Management Studio, you use SELECT @@VERSION; in a query window.

July 31, 2015 11:07 AM
 

Stephen Byers said:

Hi Aaron, thanks for your reply

I connected to the instance and executed Select @@Version. I got the same info - build 10.0.5520.0 (x64) - I have tried to run the GDR update 3045305 (x64) https://www.microsoft.com/en-us/download/details.aspx?id=48005

But as I said earlier, the option to select MSSQLSERVER on select features to update is greyed out. I can check and uncheck WSUS only.

When I click on MSSQLSERVER it tells me that "The version of SQL Server instance MSSQLSERVER does not match the version expected by the update. The installed SQL Server product version is 10.0.1600.22, and the expected version is 10.3.5500.0"

August 4, 2015 10:29 AM
 

AaronBertrand said:

@Stephen This is going to sound like a dumb question, but when you say "I connected to the instance" - is it on a different machine than where you're trying to run the GDR? If you download the GDR update to your desktop and run it there, it can't apply the update to an instance that's on a different machine.

If everything is on the same machine and @@VERSION reports 10.0.5520 and the installer detects 10.0.1600, and you are absolutely certain those both represent the exact same instance, you'll need to contact support, because you've uncovered a bug I've never seen and don't know how to fix, sorry.

August 4, 2015 10:42 AM
 

Stephen Byers said:

Hi Aaron

Yes I am logged onto the server and connecting to local host, I have the patch downloaded into the c: drive of the server and running it from there.

I cannot see any other reason I am getting this problem, I will have to log a support call. Thanks for your efforts!

Keep up the good work on the blog!

August 4, 2015 10:50 AM
 

Stephen Byers said:

I solved my issue by re-installing SP3.

After reinstalling SP3 I checked the log file and the SQL instance version was at the required level but reporting services had been installed post SP3 and it had not been patched, it was showing the RTM level and causing the problems - all good now

Phew - saved a few hundred bucks there

Thanks Aaron!

August 5, 2015 6:21 AM
 

AaronBertrand said:

Ok, so somewhere along the way the installer was checking the version of SSRS only? Sounds weird.

August 6, 2015 3:58 PM
 

Zoran Lee said:

Aaron,

2005 is not included in this patch, but it is not on an excluded list. Actually, I don't see an exclude list. AFAIK versions on extended support should still get security patches.

I see "Older versions are possibly affected, but a fix won't be made available through general public channels." Is this applicable for this MS15-058 and 2005 ?  Thanks

August 18, 2015 12:40 PM
 

AaronBertrand said:

Hi Zoran, I'm not sure if it means it is not affected or if it is but there is simply no intention to release a public patch. If you are on an extended support contract (sorry, I don't know anyone who is), you can probably get a straight answer from your support rep (an extended support contract should have a primary contact who will know the answer or know where to get it, and if there is an applicable patch for extended support customers, how to get you the file as well).

August 18, 2015 12:48 PM
