New Vulnerability Affecting SQL Server 2008, 2008 R2, 2012, and 2014
It's Patch Tuesday, and the last time there was a security vulnerability with direct SQL Server implications was in August. Today Microsoft released Security Bulletin MS15-058 (and KB #3065718), which has both GDR and QFE updates for all supported branches of SQL Server, and even a couple of unsupported branches. I wanted to post a quick table so you can see which one you should apply, and why.
As a note, GDR updates (GDR = "General Distribution Release") are those you apply to instances where you don't want all of the fixes and enhancements that have been offered in Cumulative Updates. If you want those fixes, you should take the QFE update instead (QFE = "Quick Fix Engineering"). You can see a more detailed explanation of the differences here.
Also, note that SQL Server 2014 Service Pack 1 was not affected by the security vulnerability, but a GDR fix was pushed out to address a separate issue with Columnstore indexes (see KB #3067257).
Also, since the security release last week, a new Cumulative Update (#7, 11.0.5623) has been released for SQL Server 2012 Service Pack 2, so if you are not sticking to the GDR branch there, you should install the Cumulative Update (which has 38 total fixes) rather than the security fix on its own.
Finally, in general, I'm always going to recommend that you go to the QFE rather than GDR, and that you move to the most recent Service Pack branch as quickly as possible. However, I understand that sometimes regression testing, waiting for catch-up of CU fixes, or even bugs (cough cough 2014 SP1 CU1 cough cough) can sometimes delay that. On the GDR rows, I'm recommending the GDR fix only for cases where moving to the QFE or a later service pack / CU is not practical.
| If your version / service pack is... |
...and @@VERSION is in the range... | ...you should install... | ||||
|---|---|---|---|---|---|---|
| SQL Server 2014 (build list) | ||||||
| SP1 | 12.0.4050 => 12.0.4212 | GDR | 12.0.4213 | KB #3070446 | ||
| 12.0.4214 => 12.0.4415 | CU #1 | 12.0.4416 | KB #3067839 | |||
| RTM | 12.0.2000 => 12.0.2268 | GDR | 12.0.2269 | KB #3045324 | ||
| 12.0.2270 => 12.0.2547 | QFE | 12.0.2548 | KB #3045323 | |||
| SQL Server 2012 (build list) | ||||||
| SP2 | 11.0.5058 => 11.0.5342 | GDR | 11.0.5343 | KB #3045321 | ||
| 11.0.5344 => 11.0.5622 | CU #7 | 11.0.5623 | KB #3072100 | |||
| SP1 | 11.0.3000 => 11.0.3155 | GDR | 11.0.3156 | KB #3045318 | ||
| 11.0.3157 => 11.0.3512 | QFE | 11.0.3513 | KB #3045317 | |||
| RTM | 11.0.2100 => 11.0.2999 | Move to a newer branch | ||||
| SQL Server 2008 R2 | ||||||
| SP3 | 10.50.6000 => 10.50.6219 | GDR | 10.50.6220 | KB #3045316 | ||
| 10.50.6221 => 10.50.6528 | QFE | 10.50.6529 | KB #3045314 | |||
| SP2 | 10.50.4000 => 10.50.4041 | GDR | 10.50.4042 | KB #3045313 | ||
| 10.50.4043 => 10.50.4338 | QFE | 10.50.4339 | KB #3045312 | |||
| SP1 or RTM | 10.50.1600 => 10.50.3999 | Move to a newer branch | ||||
| SQL Server 2008 | ||||||
| SP4 | 10.0.6000 => 10.0.6240 | GDR | 10.0.6241 | KB #3045311 | ||
| 10.0.6242 => 10.0.6534 | QFE | 10.0.6535 | KB #3045308 | |||
| SP3 | 10.0.5500 => 10.0.5537 | GDR | 10.0.5538 | KB #3045305 | ||
| 10.0.5539 => 10.0.5889 | QFE | 10.0.5890 | KB #3045303 | |||
| SP2, SP1 or RTM | 10.0.1600 => 10.0.5499 | Move to a newer branch | ||||
For more details on individual builds available, at least for SQL Server 2012 and SQL Server 2014, see these blog posts:
Also, I've had a couple of questions asking about 2008 SP4 and 2008 R2 SP3; specifically, why there are separate GDR and QFE paths. This is kind of confusing, because these two paths exist so that you can choose whether or not to take non-security hotfixes, which are typically released via Cumulative Updates; there have been no CUs for 2008 SP4 or 2008 R2 SP3. However, there have been a couple of critical on-demand (COD) hotfixes released, which I documented here:
Out-of-band hotfix releases for SQL Server 2008 SP4 and 2008 R2 SP3
Aaron (@AaronBertrand) is a Data Platform MVP with industry experience dating back to Classic ASP and SQL Server 6.5. He is editor-in-chief of the performance-related blog, SQLPerformance.com. Aaron's blog focuses on T-SQL bad habits and best practices, as well as coverage of updates and new features in Plan Explorer, SentryOne, and SQL Server.
Facebook
Linkedin
Twitter
Comments