Vulnerability

Vulnerability Affecting All Supported Versions of SQL Server

Well, SQL Server hasn’t had a security update since August, but today we’re giving the hotfix download servers a run for their money. Both GDR and QFE fixes were released in Security Bulletin MS15-058 to address a remote code execution vulnerability (for details on the exploit, see KB #3065718). The long and short of it is, if you are running any of the following versions, you need to apply the patch:

  • SQL Server 2014 SP1 – unaffected, but there is a GDR for a wrong results bug
  • SQL Server 2014 RTM – affected
  • SQL Server 2012 SP2 – affected
  • SQL Server 2012 SP1 – affected
  • SQL Server 2012 RTM – likely affected but you need to move to SP1 or SP2 for the fix
  • SQL Server 2008 R2 SP3 – affected
  • SQL Server 2008 R2 SP2 – affected
  • SQL Server 2008 R2 SP1 – likely affected but you need to move to SP2 or SP3 for the fix
  • SQL Server 2008 R2 RTM – likely affected but you need to move to SP2 or SP3 for the fix
  • SQL Server 2008 SP4 – affected
  • SQL Server 2008 SP3 – affected
  • SQL Server 2008 SP2 – likely affected but you need to move to SP3 or SP4 for the fix
  • SQL Server 2008 SP1 – likely affected but you need to move to SP3 or SP4 for the fix
  • SQL Server 2008 RTM – likely affected but you need to move to SP3 or SP4 for the fix

If you want to determine which build you have, which patch you should apply, and whether you should take the GDR or QFE fix, I drew up a quick matrix over on our team blog:

Older versions are possibly affected, but a fix won’t be made available through general public channels.
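To place an instance in the list above, the following T-SQL reads its version and service pack level and returns the matching status. It is an added example, not code from the original post. The status strings restate the list, and because the fix build numbers are not on this page, it reports which branch the instance is on rather than whether the update is already installed.

```sql
-- Added example: classify this instance against the MS15-058 list above.
-- Does not check for the fix itself; compare the build against the bulletin.
WITH inst AS (
    SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)) AS product_version,
           CAST(SERVERPROPERTY('ProductLevel')   AS nvarchar(128)) AS product_level
),
parts AS (
    -- ProductVersion is 'major.minor.build.revision'; PARSENAME counts parts
    -- from the right, so part 4 is the major and part 3 the minor version.
    SELECT product_version, product_level,
           CAST(PARSENAME(product_version, 4) AS int) AS major,
           CAST(PARSENAME(product_version, 3) AS int) AS minor
    FROM inst
)
SELECT product_version, product_level,
    CASE
        -- SQL Server 2014 (12.0)
        WHEN major = 12 AND product_level = 'SP1'
            THEN '2014 SP1: unaffected, but there is a GDR for a wrong results bug'
        WHEN major = 12 AND product_level = 'RTM'
            THEN '2014 RTM: affected, apply the patch'
        -- SQL Server 2012 (11.0)
        WHEN major = 11 AND product_level IN ('SP1', 'SP2')
            THEN '2012 ' + product_level + ': affected, apply the patch'
        WHEN major = 11 AND product_level = 'RTM'
            THEN '2012 RTM: likely affected, move to SP1 or SP2 for the fix'
        -- SQL Server 2008 R2 (10.50)
        WHEN major = 10 AND minor = 50 AND product_level IN ('SP2', 'SP3')
            THEN '2008 R2 ' + product_level + ': affected, apply the patch'
        WHEN major = 10 AND minor = 50 AND product_level IN ('RTM', 'SP1')
            THEN '2008 R2 ' + product_level + ': likely affected, move to SP2 or SP3 for the fix'
        -- SQL Server 2008 (10.0)
        WHEN major = 10 AND minor = 0 AND product_level IN ('SP3', 'SP4')
            THEN '2008 ' + product_level + ': affected, apply the patch'
        WHEN major = 10 AND minor = 0 AND product_level IN ('RTM', 'SP1', 'SP2')
            THEN '2008 ' + product_level + ': likely affected, move to SP3 or SP4 for the fix'
        -- Anything before SQL Server 2008
        WHEN major < 10
            THEN 'Older version: possibly affected, no fix through general public channels'
        ELSE 'Not in the MS15-058 list above'
    END AS ms15_058_status
FROM parts;
```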
