Probably the least enjoyable thing about being a DBA is patching servers. We received the bad news in the July MS security bulletin that a security patch MS08-040 needed to be installed on SQL Server 7 - 2005. http://www.microsoft.com/technet/security/bulletin/ms08-040.mspx

I spent some time with our SMS guy to see if we could push this patch out. What I found was that because I often remove builtin\administrators, SMS wasn't going to work.  I decided to go ahead and start patching manually.  The really confusing thing about this is that there are 5 different patch versions depending on which version (release + QFE vs GDR).  If you look at the article, be sure to expand the FAQ to see a nice chart.  Once you get to the correct download page, there are also different versions depending on the processor.

After installing on a bunch of dev/test servers earlier in the week, I started patching production servers last night starting with my European cluster. This morning at 3:00 am, I started on the US cluster.  The European cluster is just a 2-node cluster with one instance. My US cluster has 4 nodes and 4 instances. I had allocated an hour to get this done, but because the Citrix server I was on had its weekly scheduled reboot at 3:30, it ended up taking and extra 15 minutes.

After the cluster was done, I had a handfull of standalone servers to start on. I was surprised that one of them already had the patch installed. In fact, I found that two of the servers on my list for tonight were already patched as well. All three of these are default instances with builtin\administrators still in place. So, it is possible that our SQL Servers for SMS, MOM, etc., will get this patch automatically as long as they have the latest service pack. I think that the patch must have been pushed by WSUS.

Anyway, I am glad that I manually installed it on my clusters; they deserve a little extra TLC.