Big news for those of you who have installed SQL Server 2022!
No, the first Cumulative Update isn’t out.
Sorry. It’s only been 91 days since RTM came out. You’re gonna have to wait longer if you’re hitting the problems in the release notes, or if you wanna use Query Store for secondary replicas, or fail over back & forth to Azure SQL DB Managed Instances. I know, you thought that stuff all came out last year – it’s still in preview. I’m not even sure why they called it SQL Server 2022 when it still isn’t ready for the –
Wait, sorry about that, went off topic there for a second. Big news! All of the supported versions got updates today! It’s not adding features, though – it’s to deal with these remote code execution vulnerabilities:
- CVE-2023-21528 – Microsoft SQL Server Remote Code Execution Vulnerability
- CVE-2023-21704 – Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
- CVE-2023-21705 – Microsoft SQL Server Remote Code Execution Vulnerability
- CVE-2023-21713 – Microsoft SQL Server Remote Code Execution Vulnerability
- CVE-2023-21718 – Microsoft SQL ODBC Driver Remote Code Execution Vulnerability
The bugs are quite interesting, too:
| Bug reference | Description | Fix area | Component | Platform |
|---|---|---|---|---|
| 2033045 | An authenticated attacker could affect SQL Server memory when running a specially crafted CREATE or UPDATE STATISTICS statement. | SQL performance | Query Optimizer | All |
| 2029156 | Any member who has the DQS KB Operator (dqs_kb_operator) role or a higher privilege-level role can run code on the computer that's hosting SQL Server as the account that's running the SQL Server service (default account is NT SERVICE\MSSQLSERVER). | Data Quality Services (DQS) | Data Quality Services | Windows |
| 2120756 | In rare circumstances, a memory corruption in the ODBC driver can occur in communications between two SQL Server-based servers. This issue occurs if the target SQL server uses a down-level version of the Tabular Data Stream (TDS) protocol. An improper version check causes image data types to be decoded incorrectly on the client side of the connection. | SQL Connectivity | SQL Connectivity | Windows |
| 2094937 | Any member who has the DQS KB Operator (dqs_kb_operator) role or a higher privilege-level role can create or overwrite arbitrary files on the computer that's hosting SQL Server as the account that's running the SQL Server service (default account is NT SERVICE\MSSQLSERVER). | | | |
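Two of the four bugs above need nothing more than membership in dqs_kb_operator (or one of the higher DQS roles, dqs_kb_editor and dqs_administrator), so before you get the patch scheduled it is worth knowing who holds those roles. The query below is an added example, not from the post or from Microsoft; it assumes DQS is installed with its default catalog name DQS_MAIN, and it walks nested role membership so that a Windows group or a custom role placed inside a DQS role still shows up.

```sql
-- Added example (not from the post): list every non-role principal that ends up
-- in a DQS role, directly or through nested database roles.
-- Assumption: the DQS catalog has its default name, DQS_MAIN.
-- Note: sysadmin logins map to dbo and can do all of this regardless, so
-- review sys.server_role_members for the sysadmin role as well.
USE DQS_MAIN;
GO

WITH RoleTree AS (
    -- Anchor: direct members of the three DQS roles.
    SELECT r.name        AS role_name,
           m.principal_id AS member_id,
           m.name         AS member_name,
           m.type_desc    AS member_type
    FROM sys.database_role_members rm
    JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
    JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
    WHERE r.name IN ('dqs_kb_operator', 'dqs_kb_editor', 'dqs_administrator')

    UNION ALL

    -- Recursive step: when a member is itself a database role, expand it,
    -- keeping the DQS role it was reached from.
    SELECT t.role_name,
           m.principal_id,
           m.name,
           m.type_desc
    FROM RoleTree t
    JOIN sys.database_role_members rm ON rm.role_principal_id = t.member_id
    JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
    WHERE t.member_type = 'DATABASE_ROLE'
)
SELECT DISTINCT role_name, member_name, member_type
FROM RoleTree
WHERE member_type <> 'DATABASE_ROLE'   -- report users and Windows groups, not intermediate roles
ORDER BY role_name, member_name;
```

Anything returned for dqs_kb_operator that is not a person who actually builds knowledge bases is a candidate for removal while the update is pending; on an unpatched instance each of those principals is effectively the service account.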
1 Comment
From Microsoft, related to the additional 5021128 update for SQL 2016.
Me
Question, why are there two updates for SQL 2016 listed in CVE-2023-21713, one GDR security update KB5021129, and KB5021128 Security update for SQL Server 2016 SP3 Azure Connect Feature Pack+GDR. I am trying to satisfy cyber so I went with just 5021129.
“Hi John,
What you maybe mean is … there is an update “5021129 Security update for SQL Server 2016 SP3 GDR: February 14, 2023” and one “5021128 Security update for SQL Server 2016 SP3 Azure Connect Feature Pack: February 14, 2023”.
The first one is just for users who are on the GDR “track”… and the other one is for the rest 😉
GDR (“I only want critical security fixes!”)
CU (“I want critical security fixes and all the other fixes!”)
13.0.6430.49 is the latest fix applied to the GDR path only, and does not include non-critical-security fixes.
It does contain this latest security fix, but not any of the fixes in the CU path.
I hope my answer is helpful to you,
MS Engineer”
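The GDR-versus-CU question in the comment comes up every Patch Tuesday, and the instance itself can tell you which track it is on. The query below is an added example, not something from the post or from the Microsoft engineer quoted above; it reads the SERVERPROPERTY values that describe the installed build and, using the one build number the thread gives (13.0.6430.49 for SQL Server 2016 SP3 on the GDR track), reports whether a SQL 2016 SP3 GDR instance is at or past that level. For any other version or track it deliberately says so rather than guessing a build number.

```sql
-- Added example (not from the post): which servicing track is this instance on,
-- and is a SQL Server 2016 SP3 GDR instance at the February 2023 level?
-- ProductUpdateLevel is 'CUnn' on the CU track and blank on a GDR build;
-- ProductBuildType is 'GDR' for General Distribution Release builds.
-- The only build number assumed here is the one from the thread: 13.0.6430.49.
DECLARE @version  nvarchar(32) = CAST(SERVERPROPERTY('ProductVersion')   AS nvarchar(32));
DECLARE @level    nvarchar(16) = CAST(SERVERPROPERTY('ProductLevel')     AS nvarchar(16));
DECLARE @major    int          = CAST(SERVERPROPERTY('ProductMajorVersion') AS int);
DECLARE @build    int          = CAST(PARSENAME(@version, 2) AS int);   -- third dotted part, e.g. 6430
DECLARE @cuLevel  nvarchar(16) = ISNULL(CAST(SERVERPROPERTY('ProductUpdateLevel') AS nvarchar(16)), '');
DECLARE @buildTyp nvarchar(16) = ISNULL(CAST(SERVERPROPERTY('ProductBuildType')   AS nvarchar(16)), '');

SELECT
    @version   AS ProductVersion,
    @level     AS ProductLevel,
    @cuLevel   AS ProductUpdateLevel,
    @buildTyp  AS ProductBuildType,
    SERVERPROPERTY('ProductUpdateReference') AS LastUpdateKB,
    CASE WHEN @cuLevel <> '' THEN 'CU track' ELSE 'GDR track' END AS ServicingTrack,
    CASE
        WHEN @major = 13 AND @level = 'SP3' AND @cuLevel = '' AND @build >= 6430
            THEN 'SQL 2016 SP3 GDR at or above 13.0.6430.49 (KB5021129 level)'
        WHEN @major = 13 AND @level = 'SP3' AND @cuLevel = ''
            THEN 'SQL 2016 SP3 GDR below 13.0.6430.49: apply KB5021129'
        ELSE 'Not SQL 2016 SP3 on the GDR track: look up the build for your version and track'
    END AS Assessment;
```

A blank ProductUpdateLevel together with a GDR ProductBuildType is the signature of the "I only want critical security fixes" track; once an instance has ever taken a CU, it stays on the CU track and needs the CU-branch security update instead of the GDR one.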