SQLServerCentral Editorial

More SQL Server GDRs


This week we had a number of SQL Server patches, called GDRs, released. They are available for SQL Server 2022, 2019, 2017, and 2016. I've linked to the build lists we maintain at SQL Server Central, and for most of these patches, there is one for the current CU level and one for RTM. FWIW, you ought to be on the current CU (or close) and these are certainly worth testing and applying as these are security updates.
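Before choosing between the RTM and CU GDR packages, it helps to know which branch an instance is on and whether its build already meets the GDR build. The T-SQL below is an added example, not code from the editorial; the `@Required` build numbers are placeholders to be filled from the build list or KB article, and it assumes that a `ProductUpdateLevel` beginning with `CU` marks the CU branch and anything else marks the RTM branch.

```sql
-- Added example: report this instance's branch and build and compare it with
-- the GDR build you need. Placeholder build numbers (0) must be replaced with
-- the real GDR builds from the build list or the KB article for the patch.
DECLARE @Required TABLE (MajorVersion INT, Branch NVARCHAR(3), MinBuild INT);
INSERT INTO @Required (MajorVersion, Branch, MinBuild) VALUES
    (16, 'RTM', 0),  -- placeholder: SQL Server 2022 RTM-branch GDR build
    (16, 'CU',  0),  -- placeholder: SQL Server 2022 CU-branch GDR build
    (15, 'RTM', 0),  -- placeholder: SQL Server 2019 RTM-branch GDR build
    (15, 'CU',  0),  -- placeholder: SQL Server 2019 CU-branch GDR build
    (14, 'RTM', 0),  -- placeholder: SQL Server 2017 RTM-branch GDR build
    (14, 'CU',  0),  -- placeholder: SQL Server 2017 CU-branch GDR build
    (13, 'RTM', 0),  -- placeholder: SQL Server 2016 GDR build
    (13, 'CU',  0);  -- placeholder: SQL Server 2016 GDR build

-- ProductMajorVersion: 16 = 2022, 15 = 2019, 14 = 2017, 13 = 2016
DECLARE @Major INT = CAST(SERVERPROPERTY('ProductMajorVersion') AS INT);
DECLARE @Build INT = CAST(SERVERPROPERTY('ProductBuild') AS INT);

-- Assumption: a ProductUpdateLevel such as 'CU11' means the CU branch;
-- a NULL or non-CU value means the instance is still on the RTM branch.
DECLARE @Branch NVARCHAR(3) =
    CASE WHEN CAST(SERVERPROPERTY('ProductUpdateLevel') AS NVARCHAR(128)) LIKE 'CU%'
         THEN 'CU' ELSE 'RTM' END;

SELECT
    SERVERPROPERTY('ProductVersion')         AS ProductVersion,
    SERVERPROPERTY('ProductLevel')           AS ProductLevel,      -- RTM / SPn
    SERVERPROPERTY('ProductUpdateLevel')     AS ProductUpdateLevel, -- e.g. CU11
    SERVERPROPERTY('ProductUpdateReference') AS LastUpdateKB,       -- KB of last update
    @Branch                                  AS Branch,
    CASE
        WHEN r.MinBuild IS NULL THEN 'no GDR build recorded for this version/branch'
        WHEN @Build >= r.MinBuild THEN 'at or above GDR build'
        ELSE 'below GDR build: apply the ' + @Branch + '-branch GDR package'
    END                                      AS PatchStatus
FROM (SELECT 1 AS placeholder) AS d
LEFT JOIN @Required AS r
       ON r.MajorVersion = @Major AND r.Branch = @Branch;
```

Run it on each instance before and after patching; `ProductUpdateReference` shows the KB of the last update applied, which should match the GDR's KB once it is installed.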

I looked at the various CVE bulletins from Microsoft. You can find them all on this page, and I found very little information about the exact problem. That's interesting, since often there is some explanation of the attack vector and how an attacker might use it. That explanation is good because it helps me decide just how critical the patch is and how vulnerable I am. While I do try to get security patches applied quickly, there might be a reason I don't apply one today and instead wait a few days because of other work.

All of these CVEs share a few metrics: the attack vector is local, but the complexity is low and the privileges required are low or none. Those last two are a little scary. However, the details aren't publicly disclosed and the likelihood of exploitation is rated "less likely." That's interesting and makes me want to learn more about the issues here. If I go to the NIST site for CVE-2023-36420, I see a note that it is still undergoing analysis, and there aren't any specifics on what the issue is for a server.

Over the years, we've had relatively few security patches issued for SQL Server. Looking for GDRs, I see 6 for SQL Server 2017. I see 8 in that time frame for Oracle. PostgreSQL includes security patches as part of its minor updates, and I was too lazy to dig through all the release notes, but I suspect there have been a few issues. I have also seen patches for MySQL, though a consolidated list is hard to find.

Security is constantly evolving, and the way that researchers and hackers find vulnerabilities changes over time. I don't expect that all database software is completely secure, but I am glad to see patches and updates released over time and special releases made when there are problems.

Now we need more installations to apply those patches. Quite a few breaches in the last 20 years have come from unpatched software, which is a problem. Part of any modern software architecture ought to be a process for applying patches when needed, which is certainly sometime soon after a security update.
