Question

Microsoft released SQL Server 2017 CU10 KB4342123 (14.0.3037.1) yesterday. I tried looking through the Hotfixes included list, but didn't see any reference to the recently released security update for the remote code execution vulnerability hotfix KB4293805 CVE-2018-8273 (14.0.3035.2).

How can we determine if SQL Server 2017 CU10 includes the security hotfix KB4293805 CVE-2018-8273 or not?

Is the higher version number of CU10 enough to determine that?

NOTE: I've already installed the CVE-2018-8273 fix onto CU9.


Solution

Yes, the security fix is in the CU. Direct but private comment from a reliable source within Microsoft:

Security fixes always roll-up to any subsequent CU. That's been the case for years.

And from another colleague at Microsoft:

All CU servicing releases for a given baseline are 100% cumulative of all previous Security Updates, CUs, and On Demand hotfixes released to date for that baseline (RTM or SP). This is mechanically mandated by the fact that we use the same physical CU source repository, we do not have any fix specific release repositories, and we do not remove fixes once they are released.

With very few historical exceptions, cumulative updates always include the fixes in lower builds from the same branch, security or otherwise. Prior to SQL Server 2017, this could be different because of the way service packs were versioned (e.g. service pack 2 RTM has a higher build number than sp1 cu28 even though the latter is 6 months newer). But that is just a cosmetic thing - it still holds true for the branch, but it doesn't always hold true if you are ignoring service pack level and only comparing @@VERSION numbers.

Has Microsoft explicitly documented anywhere that the security fix is included in CU10? I'd like to be able to prove to management that the fix is there.

I've asked multiple times for more transparency about what fixes are included (or not included) in a specific CU, especially when something like this happens -- a security hotfix with its own set of issues was released between CUs. They have taken the feedback and I do hope to see some official documentation at least on the Release Services Team blog posts announcing each new release.

All I can say is that's not a fast-moving machine over there, and both automated processes and lawyers can sometimes get in the way of what can be disclosed in automatically-generated content like CU KB articles. For now you're going to have to take my (and their) word for it.
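The answer's rule of thumb is a build-number comparison that is only valid within one servicing branch (RTM, SP1, SP2, ...). The following is an added example, not code from the question or answer, that applies that rule to the strings SQL Server reports through `SERVERPROPERTY('ProductVersion')`, `SERVERPROPERTY('ProductLevel')` or the text of `@@VERSION`. The only real build numbers in it are the two stated in the question (CU10 = 14.0.3037.1, KB4293805 = 14.0.3035.2); the `@@VERSION` sample line and the SP1/SP2 builds are constructed for illustration and the regular expression is an assumption about the `(level-CUn) (KBnnn) - a.b.c.d` layout of that output.

```python
"""Decide whether an installed SQL Server build carries a given fix.

Added example (not from the original post). Inputs are the strings returned by
SERVERPROPERTY('ProductVersion') / SERVERPROPERTY('ProductLevel'), or the full
text of @@VERSION. Real build numbers used: CU10 = 14.0.3037.1 and
KB4293805 (CVE-2018-8273) = 14.0.3035.2, both taken from the question.
Everything else below is constructed for illustration.
"""
import re
from typing import Tuple

Build = Tuple[int, int, int, int]

# Assumed layout of @@VERSION: "... (RTM-CU9-GDR) (KB4293805) - 14.0.3035.2 (X64) ..."
# Captures the servicing branch (RTM or SPn) and the four-part build number.
_VERSION_RE = re.compile(
    r"\((?P<level>RTM|SP\d+)(?:-[^)]*)?\)\s*(?:\(KB\d+\)\s*)?-\s*"
    r"(?P<build>\d+\.\d+\.\d+\.\d+)"
)


def parse_build(version: str) -> Build:
    """Turn '14.0.3037.1' into the comparable tuple (14, 0, 3037, 1)."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {version!r}")
    major, minor, build, revision = (int(p) for p in parts)
    return (major, minor, build, revision)


def parse_at_version(text: str) -> Tuple[str, Build]:
    """Extract (servicing branch, build) from @@VERSION output."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("could not find branch and build number in @@VERSION text")
    return match.group("level").upper(), parse_build(match.group("build"))


def fix_status(installed_level: str, installed_version: str,
               fix_level: str, fix_version: str) -> str:
    """Classify an installed build relative to the build that shipped a fix.

    'included'         - same branch, installed build >= fix build
    'missing'          - same branch, installed build <  fix build
    'different-branch' - branches differ (e.g. SP1 vs SP2); a bare build-number
                         comparison across branches proves nothing, which is the
                         service-pack caveat from the answer.
    """
    if installed_level.upper() != fix_level.upper():
        return "different-branch"
    if parse_build(installed_version) >= parse_build(fix_version):
        return "included"
    return "missing"


if __name__ == "__main__":
    # The question's case: CU10 on the RTM branch versus the KB4293805 build.
    print(fix_status("RTM", "14.0.3037.1", "RTM", "14.0.3035.2"))  # included

    # Constructed @@VERSION line in the assumed layout, showing CU9 + the GDR.
    sample = ("Microsoft SQL Server 2017 (RTM-CU9-GDR) (KB4293805) - 14.0.3035.2 (X64) "
              "Jul 2018 Copyright (C) 2017 Microsoft Corporation")
    level, build = parse_at_version(sample)
    print(level, build)  # RTM (14, 0, 3035, 2)

    # Constructed SP1/SP2 builds: higher number, different branch, no conclusion.
    print(fix_status("SP2", "13.0.5000.0", "SP1", "13.0.4999.0"))  # different-branch
```

Run it against the values from `SELECT SERVERPROPERTY('ProductLevel'), SERVERPROPERTY('ProductVersion')` on the instance in question; only an `included` result on the same branch supports the claim that a later CU carries the fix, while `different-branch` means the build number alone cannot answer it.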

Licensed under: CC-BY-SA with attribution