This is important. To quote Microsoft, “This security update resolves vulnerabilities in Microsoft SQL Server. The most severe vulnerabilities could allow remote code execution if an authenticated attacker runs a specially crafted query that is designed to execute a virtual function from a wrong address, leading to a function call to uninitialized memory. To exploit this vulnerability an attacker would need permissions to create or modify a database.
This security update is rated Important for supported editions of Microsoft SQL Server 2008, Microsoft SQL Server 2008 R2, Microsoft SQL Server 2012, and Microsoft SQL Server 2014. For more information, see the Affected Software section.
The security update addresses the vulnerabilities by correcting how SQL Server handles internal function calls and pointer casting. For more information about the vulnerabilities, see the Vulnerability Information section.”
The patch covers both the GDR (General Distribution Release) and QFE (Quick Fix Engineering) branches and is available at https://technet.microsoft.com/en-us/library/security/MS15-058
According to Aaron Bertrand, if you’re running anything except SQL 2014 SP1, you’re potentially vulnerable.