Critical patch for all versions of SQL Server!

This is important.  To quote Microsoft, “This security update resolves vulnerabilities in Microsoft SQL Server. The most severe vulnerabilities could allow remote code execution if an authenticated attacker runs a specially crafted query that is designed to execute a virtual function from a wrong address, leading to a function call to uninitialized memory. To exploit this vulnerability an attacker would need permissions to create or modify a database.

This security update is rated Important for supported editions of Microsoft SQL Server 2008, Microsoft SQL Server 2008 R2, Microsoft SQL Server 2012, and Microsoft SQL Server 2014. For more information, see the Affected Software section.

The security update addresses the vulnerabilities by correcting how SQL Server handles internal function calls and pointer casting. For more information about the vulnerabilities, see the Vulnerability Information section.”

The patch covers both GDR and QFE (General Distribution and Quick Fix) and is available at https://technet.microsoft.com/en-us/library/security/MS15-058

According to Aaron Bertrand, if you’re running anything except SQL 2014 SP1, you’re potentially vulnerable.

http://file.sqlblog.com/blogs/aaron_bertrand/archive/2015/07/14/vulnerability-affecting-all-supported-versions-of-sql-server.aspx
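The bulletin's precondition is an authenticated login with permission to create or modify a database, so alongside patching it is worth knowing which logins meet it. The T-SQL below is an added example, not taken from Microsoft's bulletin or from Aaron Bertrand's post; it reads only standard catalog views, and it assumes that server-level grants and the sysadmin and dbcreator fixed roles are the exposure you want to list first.

```sql
-- Added example: inventory for the precondition quoted from MS15-058.
-- Read-only. Run as a sysadmin so that all principals are visible.
-- Does not cover database-level ownership (db_owner, database owners);
-- review those per database.

-- 1. Version and service-pack level of this instance, to compare against
--    the Affected Software table in the bulletin.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level,
       SERVERPROPERTY('Edition')        AS edition;

-- 2. Logins and roles that can create or modify databases, either through
--    an explicit server-level grant or through a fixed server role.
SELECT pr.name      AS principal_name,
       pr.type_desc AS principal_type,
       'permission: ' + pe.permission_name COLLATE DATABASE_DEFAULT AS granted_via
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.state IN ('G', 'W')              -- GRANT or GRANT WITH GRANT OPTION
  AND pe.permission_name IN ('CREATE ANY DATABASE',
                             'ALTER ANY DATABASE',
                             'CONTROL SERVER')
UNION ALL
SELECT m.name,
       m.type_desc,
       'role: ' + r.name COLLATE DATABASE_DEFAULT
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'dbcreator')
ORDER BY principal_name;
```

Any principal in the second result set that does not need to create or alter databases is a candidate for having that right removed, which narrows who could reach the flaw on an instance that has not yet been patched.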


SQL Server 2014 Cumulative Update 7 now available, plus Ozar live-tweet and 2014 SP1 update

Apparently it released 11 days ago; I saw it in SQL Server Central’s weekly newsletter. You can get a link to download either the x86 or x64 versions for both the database and ODBC here.

Regarding 2014’s SP1, still no news as to when a new version will see the light of day.  But at least we have CU7.

Brent Ozar live-tweeted from yesterday’s Ignite conference keynote speech. Sounds like typical keynote blather: new toys, some of which won’t work, some won’t work like they displayed them, some could be cool. I wasn’t too keen on the announcement of SQL Server 2016; I really wish they’d stop with this new version every other year. I think it will encourage people to look at hanging on to their older versions since the rate of change is beginning to exceed people’s capacity to absorb the new features. Microsoft recently announced end of support for SQL 2005 next year, which means 2008 will be EOL’d in four years. At least the 2014 installation that I’m working on will still be supported when I leave this job.

SQL Server 2014 SP1 Has Released! Sort of.

It was announced as available on 15 April, according to the SQL Release Services blog. The only problem is that the link goes to an error page. *sigh* It’s going to be a while before my project goes to internal alpha release, much less full release; I’m sure they’ll get it fixed soon.

http://blogs.msdn.com/b/sqlreleaseservices/

EDITED TO ADD: Apparently there was a bug if an SSIS catalog was present, so they withdrew the update to fix the problem.

http://www.eweek.com/database/microsoft-halts-sql-server-2014-sp1-downloads.html