New CVE-2019-1068 vulnerability - is there a patch for MSSQL 2012?

  • MSSQL Server 2012 Service Pack 4 is officially supported until 2022-07-12:

    https://support.microsoft.com/en-us/lifecycle/search?alpha=sql%20server%202012

    The new vulnerability in MSSQL, published 2019-07-09:

    CVE-2019-1068 | Microsoft SQL Server Remote Code Execution Vulnerability

    https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1068#ID0EMGAC

    mysteriously excludes MSSQL 2012. The oldest supported version in the table is MSSQL 2014 SP2.

    And the article states "If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported."

    Does anyone know what is going on here? I know that MSSQL 2008/R2 is recently out of support, but not MSSQL 2012 as well...?!

    Thanks, Andy

  • From what I've read, and I've not heard anyone say otherwise, this appears to only affect SQL Server 2014-2017, so not 2012 or prior (and not 2019?). The data engine did change in 2014, so that might be why.

    Of course, that doesn't mean to say what I've said is true; it could just be that 2012 won't receive a patch as quickly as it's only in extended support. I would have, however, expected to see statements to say the patch was on its way; like what happened with Spectre and Meltdown last year, when 2008(R2)'s patches were somewhat later but were confirmed they were being worked on.

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk
