Question

I need a clarification on how the SQL Server service pack patching described below works.

A few of my servers are at the patch level below for SQL Server 2014, which has the latest Meltdown patch:

12.00.5214 2014.120.5214.6 4057120 Security update for SQL Server 2014 Service Pack 2 GDR: January 16, 2018 – Security Advisory ADV180002 CVE-2017-5715 CVE-2017-5753 CVE-2017-5754

and some are at the one below:

12.00.5532 2014.120.5532.0 3194718 MS16-136: Description of the security update for SQL Server 2014 Service Pack 2 CU: November 8, 2016

Version 2014.120.5532.0 seems to be a higher build than 2014.120.5214.6, but that patch seems old, as it shows as published in Oct 2016.

Do I still need to apply the Meltdown patch to those servers with build 2014.120.5532.0, or are they already covered for Meltdown?

I need some better understanding of this.


Solution

Ref:

On January 16, 2018, ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities was released as a standalone patch, build number 12.00.5214 and file version 2014.120.5214.6. This patch was applicable to servers with Service Pack 2 and no CU installed, because there are shops that do not want to install cumulative updates but still want to install the security hotfix.

You can see it here.


On the same day the same patch was released as CU10 for those who wanted all cumulative updates since Service Pack 2, build number 12.00.5571 and file version 2014.120.5571.0.

You can see it here.


Do I still need to apply meltdown patch for those servers with build 2014.120.5532.0 or are they covered for meltdown.

Yes, if you want to mitigate speculative execution side-channel vulnerabilities, also known as Meltdown and Spectre. In that case you will be applying CU10, which will include all updates from 12.00.5532 to 12.00.5571. The latest available update is CU14, build version 12.00.5600.

As a side note, MS16-136 was also released with a non-CU and a CU version.

OTHER TIPS

The 5532 patch was another release of an earlier patch for MS16-136. The original release was for SQL 2014 SP2 and the second release was for SP2 CU2.

The Spectre\Meltdown patch was released after the MS16-136 patch. It was released in several ways: there was the patch you could apply to your SQL Server 2014 SP2 instance (12.00.5214), or you could apply SP2 CU10 or higher to your instance (12.00.5571). Either of these would ensure you're protected.

Your instances with 12.00.5532 are not protected against Spectre\Meltdown unless 12.00.5214 had already been applied, because 5532 was released before 5214. The reason the version is higher is that Microsoft tends to have 'headroom' in their version numbers, in case a retrospective security patch such as the Spectre\Meltdown patch has to be released for earlier patch levels of SQL Server, so they can avoid a clash of numbers.

One fairly safe option: patch all your 2014 instances to SP2 CU10 or higher to ensure you have both fixes. Alternatively, apply 5214 to your 5532 instances anyway to be sure.

SQL Server Builds
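The point both answers make is that a build number is not a timeline across the GDR and CU branches: 12.00.5532 is numerically higher than 12.00.5214 yet predates the fix. The following is an added example (not from the question or either answer) that encodes the build numbers quoted above into a check a DBA could run over the value returned by SERVERPROPERTY('ProductVersion'); the function and constant names are my own, and the check deliberately covers only the SQL Server 2014 SP2 line the answers discuss.

```python
"""Is a SQL Server 2014 SP2 build carrying the ADV180002 (Meltdown/Spectre) fix?

Uses only the builds named in the answers: the standalone GDR 12.00.5214,
the MS16-136 CU release 12.00.5532, and CU10 12.00.5571 (first CU with the fix).
A plain 'higher build == newer' comparison gets 5532 wrong, which is the trap."""
from typing import NamedTuple

SP2_GDR_ADV180002 = 5214   # standalone security update for SP2 with no CU
SP2_CU2_MS16_136 = 5532    # released Nov 2016, before the fix, despite the number
SP2_CU10 = 5571            # first cumulative update that bundles ADV180002


class Verdict(NamedTuple):
    patched: bool
    reason: str
    action: str


def parse_build(product_version: str) -> tuple:
    """Parse 'major.minor.build[.revision]' as reported by
    SERVERPROPERTY('ProductVersion'), e.g. '12.0.5532.0' or '12.00.5214'."""
    parts = product_version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {product_version!r}")
    major, minor, build = (int(p) for p in parts[:3])
    return major, minor, build


def naive_is_patched(product_version: str) -> bool:
    """The intuition the question starts from: any build >= 5214 must be newer."""
    return parse_build(product_version)[2] >= SP2_GDR_ADV180002


def meltdown_verdict(product_version: str) -> Verdict:
    """Branch-aware check: only the GDR build itself or CU10+ carry the fix."""
    major, minor, build = parse_build(product_version)
    if (major, minor) != (12, 0):
        raise ValueError("this check only knows the SQL Server 2014 (12.0) build line")
    if build >= SP2_CU10:
        return Verdict(True, f"SP2 CU10 (build {SP2_CU10}) or later includes ADV180002", "none")
    if build == SP2_GDR_ADV180002:
        return Verdict(True, "standalone ADV180002 GDR for SP2 without a CU", "none")
    # Everything else on 12.0, including 5532: numerically higher than the GDR,
    # but built before the fix existed, so the number alone proves nothing.
    return Verdict(False,
                   f"build {build} predates ADV180002; build numbers are not a "
                   "timeline across the GDR and CU branches",
                   f"apply SP2 CU10 or later (12.0.{SP2_CU10})")
```

Feeding the question's two builds through both functions shows the disagreement: the naive check accepts 12.00.5532, the branch-aware one does not.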

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange