SQLServerCentral is supported by Redgate
 
Critical SQL Server Patches for Meltdown and Spectre

By Steve Jones, (first published: 2018/01/05)

There is a set of critical bugs in our processors. There are two issues, known as Meltdown and Spectre. This page is a summary of information that you might want to review and decide how to patch your systems.

I'll point out that Allan Hirt has a great summary page on his blog that's worth reading in more detail.

WARNING: Some reports of issues with older AMD CPUs.

Updated Intel Guidance: INTEL-SA-00088

SQL Server Versions Affected

This is a hardware issue, so every system is affected. SQL Server running on x86 and x64 is affected for these versions:

  • SQL Server 2008
  • SQL Server 2008R2
  • SQL Server 2012
  • SQL Server 2014
  • SQL Server 2016
  • SQL Server 2017
  • Azure SQL Database

It is likely that SQL Server 2005, SQL Server 2000, SQL Server 7, and SQL Server 6.5 are all affected as well, but no SQL Server patches are coming for them.

Note: according to Microsoft, IA64 systems are not believed to be affected.

SQL Server Patches

There is a KB (4073225) that discusses the attacks. You can read that in 

Here are the patches as of this time:

We will update as more patches become available.

OS Patches

The Windows KB for guidance is 4072698.

Here are the OS patches that I've been able to find.

VMWare has a security advisory (VMSA-2018-0002) and patches. They have released:

When to PATCH Immediately

If you have SQL Server 2017 or SQL Server 2016 running, then patches are available. 

  • SQL Server (Windows) VM in your data center - Patch the host OS, or isolate SQL Server back on physical hardware. Check the Windows OS for microcode changes.
  • SQL Server (Windows) on bare metal or VM, not isolated from application code on the same machine, or using untrusted code - Apply OS patches and SQL Server patches, and enable microcode changes.
  • SQL Server on Linux - Apply Linux OS patches and Linux SQL Server patches, and check with your Linux vendor.

Note that when untrusted SQL Server extensibility mechanisms are mentioned, they mean:

  • SQL CLR
  • R and Python packages running through sp_execute_external_script, or standalone R/ML Learning Studio on a machine
  • SQL Agent running ActiveX scripts
  • Non-MS OLEDB providers in linked servers
  • Non-MS XPs

There are mitigations in the SQL Server KB.
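As an added example that is not part of this article (and is not Microsoft's code or the KB's own mitigation script), the following T-SQL inventories an instance against the two lists above: the version/build it is running, and whether any of the untrusted extensibility mechanisms are actually in use. That is the information you need to decide whether an instance falls in the "patch immediately" tier. It assumes sysadmin rights on the instance; the set of provider names treated as Microsoft-supplied in step 4 is an assumption to adjust for your environment.

```sql
-- Added example, not from the article or from Microsoft's KB.
-- Run as sysadmin on the instance under review.

-- 1. Build and patch level. Compare ProductVersion against the fixed builds
--    listed in KB 4073225 for this branch (not reproduced here).
SELECT
    SERVERPROPERTY('ProductVersion')     AS ProductVersion,
    SERVERPROPERTY('ProductLevel')       AS ProductLevel,        -- RTM / SPn
    SERVERPROPERTY('ProductUpdateLevel') AS ProductUpdateLevel,  -- CUn; NULL before 2014
    SERVERPROPERTY('Edition')            AS Edition,
    @@VERSION                            AS FullVersionString;

-- 2. Instance-wide switches for untrusted code paths: SQL CLR and external
--    scripts (R/Python via sp_execute_external_script). On versions that do
--    not have the external scripts option, that row simply does not appear.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'external scripts enabled');

-- 3. SQL Agent job steps that run ActiveX scripts.
SELECT j.name AS job_name, s.step_id, s.step_name, s.subsystem
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem = 'ActiveScripting'
ORDER BY j.name, s.step_id;

-- 4. Linked servers whose OLE DB provider is not one of the Microsoft SQL
--    Server providers. Which names count as "Microsoft" is an assumption
--    here; extend the list for other Microsoft providers you rely on.
SELECT name, product, provider, data_source
FROM sys.servers
WHERE is_linked = 1
  AND provider NOT IN ('SQLNCLI', 'SQLNCLI10', 'SQLNCLI11', 'SQLOLEDB', 'MSOLEDBSQL');

-- 5. Extended stored procedures registered in master. Only user-registered
--    (non-Microsoft) XPs appear in this view; the system xp_* procedures do not.
SELECT name, dll_name
FROM master.sys.extended_procedures;

-- 6. Mitigation for features that are enabled but unused: turn them off at
--    the instance level. Left commented out; decide per instance, because
--    any CLR assembly or external script in use stops working.
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'clr enabled', 0;
-- EXEC sp_configure 'external scripts enabled', 0;
-- RECONFIGURE;
```

An instance where steps 2 through 5 return nothing (and 'clr enabled' is 0) is the "isolated, no untrusted code" case in the guidance above; anything that comes back is a reason to treat the instance as running untrusted code and to apply the OS patch, the SQL Server patch and the microcode changes together.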

When You Can Patch Later

If you have SQL Server 2008, 2008 R2, 2012, or 2014, you'll have to wait for SQL Server patches; they aren't out yet. We will update this page as patches are released. However, there are other situations that remove an immediate need for patching.

When You Don't Need to Patch

If you are on AWS, they've patched their systems, except for EC2 VMs. Those need patches from you. See the AWS statement.

Azure is patched according to KB4073235; see also the guidance in ADV180002. This does not include VMs that don't get automatic updates. You need to patch those manually.

Details On the Exploits

Descriptions of the exploits, if you want to dig down and understand them.

Official notes from Intel, AMD, and ARM.

 