
SQL Server 2022 Gets Its First Update! Plus 2019, 2017, 2016, 2014 Updates

1 month ago
Brent Ozar
SQL Server 2014, SQL Server 2016, SQL Server 2017, SQL Server 2019, SQL Server 2022
1 Comment

Big news for those of you who have installed SQL Server 2022!

No, the first Cumulative Update isn’t out.

Sorry. It’s only been 91 days since RTM came out. You’re gonna have to wait longer if you’re hitting the problems in the release notes, or if you wanna use Query Store for secondary replicas, or fail over back & forth to Azure SQL DB Managed Instances. I know, you thought that stuff all came out last year – it’s still in preview. I’m not even sure why they called it SQL Server 2022 when it still isn’t ready for the –

Wait, sorry about that, went off topic there for a second. Big news! All of the supported versions got updates today! It’s not adding features, though – it’s to deal with these remote code execution vulnerabilities:

  • CVE-2023-21528 – Microsoft SQL Server Remote Code Execution Vulnerability
  • CVE-2023-21704 – Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
  • CVE-2023-21705 – Microsoft SQL Server Remote Code Execution Vulnerability
  • CVE-2023-21713 – Microsoft SQL Server Remote Code Execution Vulnerability
  • CVE-2023-21718 – Microsoft SQL ODBC Driver Remote Code Execution Vulnerability

The bugs are quite interesting, too:

  • Bug reference 2033045 – An authenticated attacker could affect SQL Server memory when running a specially crafted CREATE or UPDATE STATISTICS statement. (Fix area: SQL performance; Component: Query Optimizer; Platform: All)
  • Bug reference 2029156 – Any member who has the DQS KB Operator (dqs_kb_operator) role or a higher privilege-level role can run code on the computer that’s hosting SQL Server as the account that’s running the SQL Server service (default account is NT SERVICE\MSSQLSERVER). (Fix area: Data Quality Services (DQS); Component: Data Quality Services; Platform: Windows)
  • Bug reference 2120756 – In rare circumstances, a memory corruption in the ODBC driver can occur in communications between two SQL Server-based servers. This issue occurs if the target SQL server uses a down-level version of the Tabular Data Stream (TDS) protocol. An improper version check causes image data types to be decoded incorrectly on the client side of the connection. (Fix area: SQL Connectivity; Component: SQL Connectivity; Platform: Windows)
  • Bug reference 2094937 – Any member who has the DQS KB Operator (dqs_kb_operator) role or a higher privilege-level role can create or overwrite arbitrary files on the computer that’s hosting SQL Server as the account that’s running the SQL Server service (default account is NT SERVICE\MSSQLSERVER).

Brent Ozar (http://sqlserverupdates.com)
I make Microsoft SQL Server faster and more reliable. I love teaching, travel, and laughing.

1 Comment

  • John Chendorain
    March 3, 2023 9:52 am

    From Microsoft, related to the additional 5021128 update for SQL 2016.

    Me
    Question, why are there two updates for SQL 2016 listed in CVE-2023-21713, one GDR security update KB5021129, and KB5021128 Security update for SQL Server 2016 SP3 Azure Connect Feature Pack+GDR. I am trying to satisfy cyber so I went with just 5021129.

    “Hi John,

    What you maybe mean … there is an update “5021129 Security update for SQL Server 2016 SP3 GDR: February 14, 2023” and one “5021128 Security update for SQL Server 2016 SP3 Azure Connect Feature Pack: February 14, 2023”.

    The first one is just for users who are on the GDR “track”… and the other one is for the rest 😉

    GDR (“I only want critical security fixes!”)
    CU (“I want critical security fixes and all the other fixes!”)
    13.0.6430.49 is the latest fix applied to the GDR path only, and does not include non-critical-security fixes.
    It does contain this latest security fix, but not any of the fixes in the CU path.

    I hope my answer is helpful to you,

    MS Engineer”

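The two things a DBA needs to verify after this release are covered by the post and the comment thread: which build (and which track, GDR or CU) an instance is actually running, and who holds the DQS KB Operator role that bug references 2029156 and 2094937 describe as able to act as the SQL Server service account. The T-SQL below is an added example, not code from the post, from Brent Ozar, or from Microsoft. It assumes the DQS knowledge base database is named DQS_MAIN (the default name DQS installs with), that the DQS role names dqs_kb_editor and dqs_administrator are the "higher privilege-level" roles the fix list alludes to, and that 13.0.6430.49, the 2016 SP3 GDR build quoted in the comment, is the build to compare against on that track; the Azure Connect Feature Pack build number is not on the page, so the script does not hard-code it.

```sql
-- Added example (not from the post): post-patch inventory checks for the
-- February 14, 2023 SQL Server security updates.
-- Assumptions: DQS database is named DQS_MAIN (DQS default); patched 2016 SP3
-- GDR build 13.0.6430.49 is taken from the comment thread. Adjust the expected
-- build for your version and servicing track.

-- 1. What build and servicing track is this instance running?
--    ProductBuildType returns 'GDR' on the GDR track, 'OD' for on-demand/CU-style
--    builds, or NULL; ProductUpdateReference gives the KB of the last update applied.
SELECT
    SERVERPROPERTY('ProductVersion')         AS ProductVersion,          -- e.g. 13.0.6430.49
    SERVERPROPERTY('ProductLevel')           AS ProductLevel,            -- RTM / SPn
    SERVERPROPERTY('ProductUpdateLevel')     AS ProductUpdateLevel,      -- CUn, or NULL on the GDR track
    SERVERPROPERTY('ProductBuildType')       AS ProductBuildType,        -- GDR / OD / NULL
    SERVERPROPERTY('ProductUpdateReference') AS ProductUpdateReference;  -- KB article of the last update

-- 2. Compare the running build against the 2016 SP3 GDR security build from the comment.
DECLARE @version nvarchar(128) = CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));
DECLARE @major int = CAST(PARSENAME(@version, 4) AS int),
        @build int = CAST(PARSENAME(@version, 2) AS int),
        @rev   int = CAST(PARSENAME(@version, 1) AS int);

SELECT @version AS RunningBuild,
       CASE
           WHEN @major = 13 AND (@build > 6430 OR (@build = 6430 AND @rev >= 49))
               THEN 'SQL Server 2016: at or above the SP3 GDR security build 13.0.6430.49'
           WHEN @major = 13
               THEN 'SQL Server 2016: BELOW 13.0.6430.49 - the February 2023 security update is missing'
           ELSE 'Not SQL Server 2016: compare against the patched build for this version/track'
       END AS Assessment;

-- 3. Which account does the engine run as? This is the identity the DQS bugs
--    let a dqs_kb_operator act as (default NT SERVICE\MSSQLSERVER per the post).
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 4. Who holds the DQS KB Operator role, or a higher DQS role, in DQS_MAIN?
--    Review this list against who actually needs knowledge-base access.
IF DB_ID('DQS_MAIN') IS NOT NULL
BEGIN
    SELECT r.name      AS RoleName,
           m.name      AS MemberName,
           m.type_desc AS MemberType
    FROM DQS_MAIN.sys.database_role_members AS drm
    JOIN DQS_MAIN.sys.database_principals  AS r ON r.principal_id = drm.role_principal_id
    JOIN DQS_MAIN.sys.database_principals  AS m ON m.principal_id = drm.member_principal_id
    WHERE r.name IN ('dqs_kb_operator', 'dqs_kb_editor', 'dqs_administrator')  -- assumed DQS role names
    ORDER BY r.name, m.name;
END
ELSE
BEGIN
    SELECT 'DQS_MAIN not present: Data Quality Services is not installed on this instance' AS Note;
END
```

Run it once per instance after the update. Step 2 only evaluates the GDR build from the comment; an instance on the Azure Connect Feature Pack track will report a different, higher build and should be checked against that track's own KB. Step 4 is the part worth keeping as a recurring check: the fix removes the code-execution path, but membership in dqs_kb_operator still grants more than most knowledge-base users need.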


© 2021 Brent Ozar Unlimited®. All Rights Reserved. Privacy Policy