It doesn’t look like this would affect SQL Server 2008 or SQL Server 2008 R2 since the earliest reported platform is SQL Server 2014, but in Microsoft’s release of patches today, SQL Server is included. Here’s the vulnerability:
It’s a remote code exploit, but the attacker has to be connected to SQL Server because the vulnerability can only be exploited using a specially crafted query. The code would execute in the context of the database engine service account (hopefully not configured to run with administrative rights on the server or elevated rights in Active Directory).
The Microsoft security announcement is here (this is the 2014 GDR link as there other links for other configurations):
Why do I mention SQL Server 2008 / 2008 R2? That’s because those versions are no longer under Extended Support and will not receive security updates. If you haven’t migrated, I’ve written an article at Simple Talk talking about your options.