There is a set of critical bugs in our processors. There are two issues, known as Meltdown and Spectre. This page is a summary of information that you might want to review and decide how to patch your systems.
I'll point out that Allan Hirt has a great summary page on his blog that's worth reading in more detail.
WARNING: Some reports of issues with older AMD CPUs.
Updated Intel Guidance: INTEL-SA-00088
SQL Server Versions Affected
This is a hardware issue, so every system is affected. SQL Server running on x86 and x64 for these versions:
- SQL Server 2008
- SQL Server 2008R2
- SQL Server 2012
- SQL Server 2014
- SQL Server 2016
- SQL Server 2017
- Azure SQL Database
It is likely that SQL Server 2005, SQL Server 2000, SQL Server 7, SQL Server 6.5 are all affected. No SQL Server patches are coming.
Note: according to Microsoft, IA64 systems are not believed to be affected.
SQL Server Patches
There is a KB (4073225) that discusses the attacks. You can read that in
Here are the patches as of this time:
- SQL Server 2017 CU3 (download)
- SQL Server 2017 CU3 RTM (download)
- SQL Server 2017 GDR (download)
- SQL Server 2016 SP1 CU7 (download)
- SQL Server 2016 SP1 GDR (download)
- SQL Server 2016 RTM CU (download)
- SQL Server 2016 RTM GDR (download)
- SQL Server 2014 CU10 for SP2 (download)
- SQL Server 2012 SP4 GDR (download)
- SQL Server 2012 SP3
- SQL Server 2008 R2 SP3 GDR (download)
- SQL Server 2008 SP 4 GDR (download)
We will update as more patches become available.
The Window KB for guidance is 4072698.
Here are the OS patches that I've been able to find.
- Windows Server (Server Core) v 1709 - KB4056892
- Windows Server 2016 - KB4056890
- Windwos Server 2012 R2 - KB4056898
- Windows Server 2012 - N/A
- Windows Server 2008 R2 - KB4056897
- Windows Server 2008 - N/A
- Red Hat v.7.3 - Kernel Side-Channel Attacks CVE-2017-5754, 5753, 5715
- SUSE Linux - 7022512
- Ubuntu - Update on the patches
VMWare has a security advisory (VMSA-2018-0002) and patches. They have released:
- ESXi 6.5
- ESXi 6.0
- ESXi 5.5 (partial patch)
- Workstation 12.x - Upgrade to 12.5.8
- Fusion 8.x - Updated to 8.5.9
When to PATCH Immediately
If you have SQL Server 2017 or SQL Server 2016 running, then patches are available.
SQL Server (Windows) VM in your data center - Patch host OS or isolate SQL Server back on physical hardware. Check Windows OS for microcode changes.
SQL Server (Windows) on bare metal or VM, not isolated from application code on the same machine, or using untrusted code - Apply OS patches, SQL Server patches, enable microcode changes.
SQL Server Linux - Apply Linux OS patches, Linux SQL Server patches, check with Linux vendor
Note that when untrusted SQL Server extensibility mechanisms are mentioned, they mean:
- SQL CLR
- R and Python packages running through sp_external_script, or standalone R/ML Learning Studio on a machine
- SQL Agent running ActiveX scripts
- Non-MS OLEDB providers in linked servers
- Non-MS XPs
There are mitigations in the SQL Server KB.
When You Can Patch Later
If you have SQL Server 2008, 2008 R2, 2012, 2014 you'll have to wait on SQL Server patches. They aren't out yet. We will update this page as patches are released. However, there are other situations that remove an immediate need for patching.
When You Don't Need to Patch
If you are on AWS, they've patched their systems, except for EC2 VMS. Those need patches from you. AWS Statement
Azure is patched according to KB4073235. Guidance in ADV180002 says .This does not include VMs that don't get automatic updates. You need to patch those manually.
Details On the Exploits
Descriptions of the exploit, if you want to dig down and understand.