SQL Server 2000 Post SP2 Patch Released


Last week, Microsoft released a new cumulative security patch which corrected

a number of new critical problems. This short article will show you what it

fixed, where to get the hot fix and how to install it. For the purpose of this

article, we'll only explain how to apply this patch to a SQL Server 2000 machine

but a parallel patch was released for SQL Server 7.0 which applies with a

similar method.

First, it's important to note that as with any cumulative patch, this patch

wraps in the previous hot fixes and will bring your server up to 8.00.0679.

Before you apply the patch, you must have SQL Server 2000 SP 2 installed. To

download the patch go to the Microsoft Technet Center for the patch at

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech or

directly at

8.00.0679_enu.exe (about 10MB).

The patch mostly fixes buffer overrun problems that allow a hacker to exploit

SQL Server and gain full control of our server. If proper security is

implemented, then the problems listed in this cumulative patch can be lessened.

There is also an additional bug that allows a user with minimal access to the

server to create scheduled jobs that would run under the authority of the

account that starts SQL Server Agent. This could lead to a disruption in your

SQL Server service or allow a hacker access to your operating system or overall

network. Overall, there are 4 fixes that are marked critical in this cumulative


Due to these exploitation errors, Microsoft listed this patch as a critical

one to install. I would recommend though since there are so many files fixed in

this patch that you install it in development (as always hopefully) first to

make sure it doesn't cause any regressions in your application.

Unfortunately, Microsoft doesn't even include the simplest of install tools.

Instead, you'll have to manually backup and copy the files to their individual

locations and then apply the appropriate SQL scripts. If you're applying the

patch into an environment with replication, make sure as with any service pack

or hot fix that you apply it first to the Distributor, then Publisher and

finally the Subscribers. Once you download the patch, extract it to folder then

open the readme.txt file. The readme.txt file contains step-by-step instructions

on how to apply the patch and roll it back if necessary.

If you haven't developed a batch file or VBScript to deploy the patch, you

can count on it taking at least 10 minutes per server in your environment (15

minutes in a cluster). You will have to stop the SQL Server services while you

overwrite the files and then start it up again once the files have been copied

over. No reboot is required though. If you have a deployment batch file or

script, you can have it complete in less than 5 minutes per server so it's worth

spending a few hours creating a script if you have more than a dozen or so


Since service pack 3 for SQL Server 2000 is almost complete for beta,

Microsoft states in their security bulletin that these fixes may not be included

until service pack 4 of SQL Server, which should probably release late-Spring of

next year. Hopefully, they do change their stance and include it in the upcoming

service pack 3.

Watch our homepage to see the latest news on hot fixes in the Quick Info

area. If you have any questions or problems, please post in our

Service Pack forum.