Megistal (7/15/2015)
The other question I have in mind is: in what circumstances did that person find this vulnerability?
I'm not sure what you mean. Do you mean how this was reported?
This is a patch for an issue Microsoft has released and acknowledged. How could it occur? If anyone has access to a SQL Server, including SQL Injection through an application, and they submit a query.
That means anyone who can access your SQL Server could potentially exploit this.
Patch your server.