Tuesday 9 September 2014

Upgrade SQL Server: Security updates for all supported versions of SQL Server

Microsoft released a security bulletin covering several issues that could potentially affect SQL Server; the possible impacts include remote code execution, denial of service, information disclosure and elevation of privilege. You should test these patches on all machines running SQL Server, including those running only client tools (e.g. Management Studio or Management Studio Express). The updates affect the following versions of SQL Server:
  • SQL Server 2005 SP3
  • SQL Server 2005 SP4
  • SQL Server 2008 SP1
  • SQL Server 2008 SP2
  • SQL Server 2008 R2
So, depending on your SQL Server version (run SELECT @@VERSION;), here is what you should do:

| If you are running... | And your build number is... | Your best course of action is probably to... |
| --- | --- | --- |
| SQL Server 2005 | Less than 9.0.4035 | Upgrade to Service Pack 3 (9.0.4035) or Service Pack 4 (9.0.5000), then come back for the GDR |
| SQL Server 2005 | Exactly 9.0.4035 (SP3) | Install the SP3 GDR (9.0.4060) from KB #2494113 |
| SQL Server 2005 | Between 9.0.4036 and 9.0.4339 | (a) Upgrade to Service Pack 4 (9.0.5000), then come back for the GDR; (b) Install the SP3 QFE (9.0.4340) from KB #2494112 |
| SQL Server 2005 | Exactly 9.0.5000 (SP4) | Install the SP4 GDR (9.0.5057) from KB #2494120 |
| SQL Server 2005 | Greater than 9.0.5000 | Install the SP4 QFE (9.0.5292) from KB #2494123 |
| SQL Server 2008 | Less than 10.0.2531 | Upgrade to Service Pack 1 (10.0.2531) or Service Pack 2 (10.0.4000), then come back for the GDR |
| SQL Server 2008 | Exactly 10.0.2531 (SP1) | Install the SP1 GDR (10.0.2573) from KB #2494096 |
| SQL Server 2008 | Between 10.0.2532 and 10.0.2840 | (a) Upgrade to Service Pack 2 (10.0.4000), then come back for the GDR; (b) Install the SP1 QFE (10.0.2841) from KB #2494100 |
| SQL Server 2008 | Exactly 10.0.4000 (SP2) | Install the SP2 GDR (10.0.4064) from KB #2494089 |
| SQL Server 2008 | Greater than 10.0.4000 | Install the SP2 QFE (10.0.4311) from KB #2494094 |
| SQL Server 2008 R2 | Exactly 10.50.1600 (RTM) | Install the GDR (10.50.1617) from KB #2494088 |
| SQL Server 2008 R2 | Between 10.50.1601 and 10.50.1789 | Install the QFE (10.50.1790) from KB #2494086 |
| SQL Server 2008 R2 | Greater than 10.50.1790 (e.g. 10.50.2418 or 10.50.2425) | Wait for the final release of Service Pack 1. Watch for cumulative update or updates to MS11-049. At this time there is no fix for the CTP of SQL Server 2008 R2 SP1. |
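The table above can be applied to an inventory of `@@VERSION` banners, as in this added example (not part of the original post and not Microsoft code). The function names and sample banners are constructed for illustration; version parts are compared as integers because SQL Server 2005 prints its build in the form 9.00.4035.00.

```python
import re
TOP = 10**6  # open upper bound for the "greater than" rows
# Rows transcribed from the post's table: (major, minor) -> (low, high, advice),
# inclusive bounds on the third version part. Builds between rows match nothing.
TABLE = {
    (9, 0): [  # SQL Server 2005
        (0, 4034, "upgrade to SP3 (9.0.4035) or SP4 (9.0.5000), then apply the GDR"),
        (4035, 4035, "install SP3 GDR 9.0.4060, KB #2494113"),
        (4036, 4339, "upgrade to SP4 (9.0.5000) then apply the GDR, or install SP3 QFE 9.0.4340, KB #2494112"),
        (5000, 5000, "install SP4 GDR 9.0.5057, KB #2494120"),
        (5001, TOP, "install SP4 QFE 9.0.5292, KB #2494123"),
    ],
    (10, 0): [  # SQL Server 2008
        (0, 2530, "upgrade to SP1 (10.0.2531) or SP2 (10.0.4000), then apply the GDR"),
        (2531, 2531, "install SP1 GDR 10.0.2573, KB #2494096"),
        (2532, 2840, "upgrade to SP2 (10.0.4000) then apply the GDR, or install SP1 QFE 10.0.2841, KB #2494100"),
        (4000, 4000, "install SP2 GDR 10.0.4064, KB #2494089"),
        (4001, TOP, "install SP2 QFE 10.0.4311, KB #2494094"),
    ],
    (10, 50): [  # SQL Server 2008 R2
        (1600, 1600, "install GDR 10.50.1617, KB #2494088"),
        (1601, 1789, "install QFE 10.50.1790, KB #2494086"),
        (1791, TOP, "wait for the final release of Service Pack 1"),
    ],
}
VERSION_RE = re.compile(r"\b(\d{1,2})\.(\d{1,2})\.(\d{3,5})(?:\.\d+)?\b")

def parse_build(text):
    """Extract (major, minor, build) from @@VERSION output or a bare build string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no build number found in %r" % text)
    return tuple(int(part) for part in m.groups())  # int("00") == 0, so 9.00 == 9.0

def advise(text):
    """Return the table's advice for this build, or None when no row applies."""
    major, minor, build = parse_build(text)
    rows = TABLE.get((major, minor), [])
    return next((advice for low, high, advice in rows if low <= build <= high), None)

# Constructed sample banners in the shape @@VERSION prints (not captured output).
SAMPLES = [
    "Microsoft SQL Server 2005 - 9.00.4035.00 (Intel X86)",
    "Microsoft SQL Server 2008 (SP1) - 10.0.2766.0 (X64)",
    "Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64)",
]
if __name__ == "__main__":
    for banner in SAMPLES:
        print(parse_build(banner), "->", advise(banner))
```

A `None` result means the build is outside the table's rows (for example exactly 10.50.1790, or a version the bulletin table does not list) and needs a manual check.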

What is the difference between a GDR and a QFE? 

A GDR (general distribution release) is one that Microsoft support deems necessary for all systems running SQL Server. A QFE (quick fix engineering) is one that does not affect everyone. Why are there two releases for this important fix? Well, one reason is that after a QFE is installed, it is no longer possible to install a GDR. So, if you have a system that has had previous cumulative updates or QFEs applied, the GDR might not work for you. If you have a system that is exactly at one of the levels described above, then the GDR is probably the better choice, because it will allow you to install either a GDR or a QFE in the future, whereas installing a QFE on such a system kind of paints you into a corner.
There is also a GDR available if you are running Management Studio Express 2005 (but none seem to be listed at this time for the 2008 or 2008 R2 versions):

KB #2546869


This post is from my old blog, dated Thursday, October 2011, which unfortunately no longer exists.

About the Author

Adnan Zameer, Lead Developer at Optimizely UK, is a certified Microsoft professional, specializing in web app architecture. His expertise includes Optimizely CMS and Azure, showcasing proficiency in crafting robust and efficient solutions.

