This week I was at VS Live, which was a great conference in Austin. They have a few more around the country, and I'll be at the Redmond one, but they are a small, fun, multi-tech software conference with lots of development and a few data topics. After prepping for my sessions, I logged into mail and saw a bunch of new SQL Server patches, all of them seemingly addressing a new potential attack vector.

The CVE-2022-29143 issue is a potential SQL Server remote code execution vulnerability that could be serious, but has a high level of complexity and isn't likely to be a problem. That being said, when there is a potential security issue, Microsoft takes it seriously and works on building a patch quickly. They've released this patch for all versions of SQL Server from 2014-2019.

Apply this patch.

There are two patches for each version, one being a specific patch level and one a GDR. If you don't know the difference on which one to apply, you ought to learn, and then patch your systems  up to the latest CU so you can just apply a patch like this when it's released.

Keeping up with patches can be a pain, and certainly it is a task that makes some of us nervous. It's also hard when third party software vendors don't certify their wares on different SQL Server versions. I'd like to think the CU process makes this simpler and easier, and most software that works on RTM will also work on CU17. However, you need to test, and you should have a process in place to test and apply patches.

There are no shortage of stories where someone delayed patching and then a vulnerability was exploited. Don't be that person. Work on getting your systems patched.