Do I need to install SQL Server service packs to continue receiving security patches
https://dba.stackexchange.com/questions/172799
-
07-10-2020 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
It's always been my belief that SQL Server needs to be updated to the latest service pack in a timely (and tested) manner to continue receiving security/bug patches.
I'm now partially responsible for a 2008 R2 DB that has not had any service packs installed. The external IT company mainly responsible for maintaining it has told me that they don't install service packs unless there is a specific business need, and that it would automatically recieve security patches any way. Is this the case, or do you need to keep up-to-date (once tested) with the latest service pack?
Solution
It's always been my belief that SQL Server needs to be updated to the latest service pack in a timely (and tested) manner to continue receiving security/bug patches.
You are correct. Some service packs will continue to have new CUs until their lifetime runs out.
... and that it would automatically recieve security patches any way.
They either didn't understand how this worked or flat out lied to you.
Is this the case, or do you need to keep up-to-date (once tested) with the latest service pack?
You'll need the latest SP + Patches. For example, since you're on RTM... you're missing quite a few different security patches because they weren't made for the RTM branch after it went out of support*.
*Note that the links above show the same security updates released for supported service packs at the time. However, RTM was not one of them.
OTHER TIPS
It depends on the position of the service pack in the product life-cycle. MS support service pack levels for a while after the release of later packs, but the timelines vary by product.
In the specific case of SQL Server 2008R2 you do currently need to have the latest pack (SP3) to be properly supported as the last one left its support window in 2015. See https://support.microsoft.com/en-gb/lifecycle/search?alpha=Microsoft%20SQL%20Server%202008%20R2 for a list of the relevant dates.
That doesn't mean that won't release updates for 2008r2 RTM/sp1/sp2, but don't expect them to without paying for special support fees for hot-fixes via their "premium assurance" scheme or similar arrangement. This is only for new issues: patches released before the end of extended support will still be available in Windows Update, so if you create a fresh install of 2008r2 without SP2 it will get the updates that already exist for it when you next check.
