Question

According to this Microsoft link, SQL Server 12.0.6372.1 requires any system with at least SQL 2014 SP3, so my predecessor installed it over SP3. Now the version is "2014 (SP3-CU-GDR) (KB4535288) - 12.0.6372.1".

Since that security patch only fixes a specific problem with Reporting Services, and is smaller than the CU4 package, ISTM that I should also install the CU4 patch.

But how? Do I first uninstall KB4535288, then install KB4500181 (CU4) and then reinstall KB4535288, or can I just slap KB4500181 on top of KB4535288 (which seems like it would overwrite the KB4535288 files)?


Solution

# TL;DR

There is nothing you currently need to do to get the fixes included in CU4. They're already there, even though @@VERSION incorrectly suggests you have a GDR (and, as you've read elsewhere, GDRs do not contain CU fixes). If you want more background, please read on.

# Background

Patches are cumulative, including security updates, which means they include all previous patches in that branch. The size of the (compressed executable) file is not a very reliable way to determine whether or not it includes an earlier patch.

To be clear, each SQL Server release (including each service pack before SQL Server 2017) is what I'll call a "main branch." Once that main branch is released, they later need to make enhancements, usually in categories of performance, stability, or security. They release these fixes in the form of GDR and CU updates. These become two separate branches off the main branch:

  • The CU branch contains all fixes - performance, stability, security. Currently the cadence for these is one a month for the first year of a main branch, and then every other month after that (until that branch is retired, which is longer now than it used to be because there are no service packs making previous service packs obsolete). Once you're on the CU branch, as you apply more updates, you will always be getting all the CU fixes. If you apply CU1 and then CU4, you have all the fixes from CU1, CU2, CU3, and CU4. If you apply CU5 and then CU12, you have all the fixes from CU1, CU2, ..., CU11, CU12.
  • Sometimes a security release is published out-of-band (meaning not as part of the monthly/bi-monthly CU cadence). This is usually either because the issue is critical or because it needs to be coordinated with a security bulletin that involves other products (like Windows). Like a CU, security updates that apply to a CU branch contain all the fixes from the CU branch up to that point.
  • The GDR branch only includes critical fixes, usually security-related, for the main branch (e.g. Service Pack 3). That is the branch I was talking about in the link referenced below: I meant that the GDR update for SP3 does not contain any of the CU updates (the post says "critical updates" but I don't have editorial control to fix it).
  • The point of the GDR branch is to provide as few surface area changes as possible (because they have to test the impact of all those changes), while still keeping customers safe. Each successive GDR update is just a new build on the GDR branch and so, like CUs and security updates on CU branches, a security update for the GDR branch also contains all the other GDR updates that came before it.
  • Except for occasionally early in a release, there are more CU updates than GDR updates, primarily because they're restricted to critical fixes and there are just a lot more non-critical fixes over time.

In your case, the (understandable) confusion comes from the fact that @@VERSION returns both CU and GDR in the name, which is nonsensical. When the patch was first released, I complained about this confusion, and after a lengthy debate, they fixed the terminology in the KB articles and other documentation. But it was too late to fix what @@VERSION returns on a build of the engine that was already distributed (and that problem remains today because that was the last update on the CU branch).

That's a lot of background, but to summarize, I can assure you that:

  1. The build you have installed is on the CU branch and is not a GDR update, in spite of what @@VERSION might be telling you. You need to ignore what that string says because it is wrong but there is no way to fix it.
  2. You definitely cannot apply CU4 on top of KB4535288. The installer will recognize that your version already includes all the fixes in CU4.
  3. You do not need to uninstall the security update (which will put you back on whatever build you were on before you applied it), apply CU4 (which will put you on 12.0.6329.1), and reapply the security update (which will put you right back on 12.0.6372.1). You already have those fixes.
  4. You can choose to not believe me and go ahead and do all of this, I'm just trying to help you avoid work that serves zero purpose, since you asked the question. Again, read everything here, but try to forget that your @@VERSION incorrectly suggests you are on a GDR build. You're not.

I had previously said the following, and don't believe I have contradicted myself with anything I've said here:

You can see the list of SQL Server 2014 updates here.

In this case, there is nothing you can possibly apply to SQL Server 2014 that will add anything to 12.0.6372.1. Literally nothing. Uninstalling KB4535288 to install CU4 just means you will be removing the security fix in KB4535288. I see absolutely no reason to do this. And no, you can't just "slap CU4 on top of KB4535288" - well, you can try, but you won't get very far, because the installer will recognize you already have everything in CU4.
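
Added example, not part of the original answer: a T-SQL check that compares the instance's numeric build from `SERVERPROPERTY('ProductVersion')` against the two builds quoted above, instead of reading the `@@VERSION` banner. The labels and the sort-key arithmetic are this example's own, and the comparison assumes every build involved is on the same servicing branch, as the answer states for this instance.

```sql
-- Reference builds quoted on this page (SQL Server 2014 SP3, CU branch).
DECLARE @ref TABLE (label nvarchar(40), build nvarchar(20));
INSERT INTO @ref (label, build) VALUES
    (N'SP3 CU4 (KB4500181)',         N'12.0.6329.1'),
    (N'Security update (KB4535288)', N'12.0.6372.1');

-- Numeric build of this instance; the @@VERSION banner text is not used.
DECLARE @installed nvarchar(20) =
    CONVERT(nvarchar(20), SERVERPROPERTY('ProductVersion'));

-- PARSENAME splits a four-part dotted string (part 4 is the leftmost).
-- Each part is compared as a number: a plain string comparison would
-- rank '12.0.999.0' above '12.0.6329.1'.
SELECT r.label,
       r.build    AS reference_build,
       @installed AS installed_build,
       CASE WHEN i.k >= x.k
            THEN 'fixes already included'   -- same branch, same or later build
            ELSE 'not yet applied'
       END        AS status
FROM @ref AS r
CROSS APPLY (VALUES (
      ((CONVERT(bigint, PARSENAME(r.build, 4)) * 1000
      +  CONVERT(bigint, PARSENAME(r.build, 3))) * 100000
      +  CONVERT(bigint, PARSENAME(r.build, 2))) * 100000
      +  CONVERT(bigint, PARSENAME(r.build, 1)))) AS x(k)
CROSS APPLY (VALUES (
      ((CONVERT(bigint, PARSENAME(@installed, 4)) * 1000
      +  CONVERT(bigint, PARSENAME(@installed, 3))) * 100000
      +  CONVERT(bigint, PARSENAME(@installed, 2))) * 100000
      +  CONVERT(bigint, PARSENAME(@installed, 1)))) AS i(k);

-- Servicing metadata the engine reports about itself, for the audit record.
SELECT SERVERPROPERTY('ProductLevel')           AS product_level,
       SERVERPROPERTY('ProductUpdateLevel')     AS update_level,
       SERVERPROPERTY('ProductUpdateReference') AS update_kb;
```

On an instance reporting 12.0.6372.1, both rows come back as "fixes already included".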

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange