New Vulnerability Affecting SQL Server 2008, 2008 R2, 2012, and 2014

It's Patch Tuesday, and the last time there was a security vulnerability with direct SQL Server implications was in August. Today Microsoft released Security Bulletin MS15-058 (and KB #3065718), which has both GDR and QFE updates for all supported branches of SQL Server, and even a couple of unsupported branches. I wanted to post a quick table so you can see which one you should apply, and why.

As a note, GDR updates (GDR = "General Distribution Release") are those you apply to instances where you don't want all of the fixes and enhancements that have been offered in Cumulative Updates. If you want those fixes, you should take the QFE update instead (QFE = "Quick Fix Engineering"). You can see a more detailed explanation of the differences here.

Also, note that SQL Server 2014 Service Pack 1 was not affected by the security vulnerability, but a GDR fix was pushed out to address a separate issue with Columnstore indexes (see KB #3067257).

Also, since the security release last week, a new Cumulative Update (#7, 11.0.5623) has been released for SQL Server 2012 Service Pack 2, so if you are not sticking to the GDR branch there, you should install the Cumulative Update (which has 38 total fixes) rather than the security fix on its own.

Finally, in general, I'm always going to recommend that you go to the QFE rather than GDR, and that you move to the most recent Service Pack branch as quickly as possible. However, I understand that sometimes regression testing, waiting for catch-up of CU fixes, or even bugs (cough cough 2014 SP1 CU1 cough cough) can sometimes delay that. On the GDR rows, I'm recommending the GDR fix only for cases where moving to the QFE or a later service pack / CU is not practical.

If your version /
service pack is...
...and @@VERSION is in the range... ...you should install...
SQL Server 2014   (build list)
SP1 12.0.4050 => 12.0.4212 GDR 12.0.4213 KB #3070446
12.0.4214 => 12.0.4415 CU #1 12.0.4416 KB #3067839
RTM 12.0.2000 => 12.0.2268 GDR 12.0.2269 KB #3045324
12.0.2270 => 12.0.2547 QFE 12.0.2548 KB #3045323
SQL Server 2012   (build list)
SP2 11.0.5058 => 11.0.5342 GDR 11.0.5343 KB #3045321
11.0.5344 => 11.0.5622 CU #7 11.0.5623 KB #3072100
SP1 11.0.3000 => 11.0.3155 GDR 11.0.3156 KB #3045318
11.0.3157 => 11.0.3512 QFE 11.0.3513 KB #3045317
RTM 11.0.2100 => 11.0.2999 Move to a newer branch
SQL Server 2008 R2
SP3 10.50.6000 => 10.50.6219 GDR 10.50.6220 KB #3045316
10.50.6221 => 10.50.6528 QFE 10.50.6529 KB #3045314
SP2 10.50.4000 => 10.50.4041 GDR 10.50.4042 KB #3045313
10.50.4043 => 10.50.4338 QFE 10.50.4339 KB #3045312
SP1 or RTM 10.50.1600 => 10.50.3999 Move to a newer branch
SQL Server 2008
SP4 10.0.6000 => 10.0.6240 GDR 10.0.6241 KB #3045311
10.0.6242 => 10.0.6534 QFE 10.0.6535 KB #3045308
SP3 10.0.5500 => 10.0.5537 GDR 10.0.5538 KB #3045305
10.0.5539 => 10.0.5889 QFE 10.0.5890 KB #3045303
SP2, SP1 or RTM 10.0.1600 => 10.0.5499 Move to a newer branch

For more details on individual builds available, at least for SQL Server 2012 and SQL Server 2014, see these blog posts:

Also, I've had a couple of questions asking about 2008 SP4 and 2008 R2 SP3; specifically, why there are separate GDR and QFE paths. This is kind of confusing, because these two paths exist so that you can choose whether or not to take non-security hotfixes, which are typically released via Cumulative Updates; there have been no CUs for 2008 SP4 or 2008 R2 SP3. However, there have been a couple of critical on-demand (COD) hotfixes released, which I documented here:

Out-of-band hotfix releases for SQL Server 2008 SP4 and 2008 R2 SP3

Aaron (@AaronBertrand) is a Product Manager at SentryOne, with industry experience dating back to Classic ASP and SQL Server 6.5. He is editor-in-chief of the performance-related blog, SQLPerformance.com, and serves as a community moderator for the Database Administrators Stack Exchange. Aaron's blog focuses on T-SQL bad habits and best practices, as well as coverage of updates and new features in Plan Explorer, SentryOne, and SQL Server.


Comments