Exporteren (0) Afdrukken
Alles uitvouwen
EN
Deze inhoud is niet beschikbaar in uw taal, maar wel in het Engels.

Microsoft Security Bulletin MS14-044 - Important

Vulnerabilities in SQL Server Could Allow Elevation of Privilege (2984340)

Published: August 12, 2014 | Updated: August 13, 2014

Version: 1.1

General Information

Executive Summary

This security update resolves two privately reported vulnerabilities in Microsoft SQL Server (one in SQL Server Master Data Services and the other in the SQL Server relational database management system). The more severe of these vulnerabilities, affecting SQL Server Master Data Services, could allow elevation of privilege if a user visits a specially crafted website that injects a client-side script into the user's instance of Internet Explorer. In all cases, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website, or by getting them to open an attachment sent through email.

This security update is rated Important for supported editions of Microsoft SQL Server 2008 Service Pack 3, Microsoft SQL Server 2008 R2 Service Pack 2, and Microsoft SQL Server 2012 Service Pack 1; it is also rated Important for Microsoft SQL Server 2014 for x64-based Systems. For more information, see the Affected and Non-Affected Software section.

The security update addresses the vulnerabilities by correcting how SQL Master Data Services (MDS) encodes output and how SQL Server handles T-SQL queries. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability later in this bulletin.

Recommendation. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871. For customers who do not have automatic updating enabled, the steps in Turn automatic updating on or off can be used to enable automatic updating. Note: In certain scenarios, customers using Microsoft SQL Server Master Data Service (MDS) may not be able to obtain this update through automatic updating. See the Known Issues entries in Microsoft Knowledge Base Article 2969894 for more information and workaround steps.

For administrators and enterprise installations, or end users who want to install this security update manually (including customers who have not enabled automatic updating), Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service. The updates are also available via the download links in the Affected Software table later in this bulletin.

See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.

Knowledge Base Article

  • Knowledge Base Articles: 2984340, 2977315
  • File Information: Yes
  • SHA1/SHA2 hashes: Yes
  • Known issues: Yes

 

The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Affected Software 

GDR Software Updates

QFE Software Updates

Maximum Security Impact

Aggregate Severity Rating

Updates Replaced

SQL Server 2008

Microsoft SQL Server 2008 for 32-bit Systems Service Pack 3
(2977321)

Microsoft SQL Server 2008 for 32-bit Systems Service Pack 3
(2977322)

Denial of Service

Important

GDR: 2977321 replaces 2716436 in MS12-070

QFE: 2977322 replaces 2716435 in MS12-070

Microsoft SQL Server 2008 for x64-based Systems Service Pack 3
(2977321)

Microsoft SQL Server 2008 for x64-based Systems Service Pack 3
(2977322)

Denial of Service

Important

GDR: 2977321 replaces 2716436 in MS12-070

QFE: 2977322 replaces 2716435 in MS12-070

Microsoft SQL Server 2008 for Itanium-based Systems Service Pack 3
(2977321)

Microsoft SQL Server 2008 for Itanium-based Systems Service Pack 3
(2977322)

Denial of Service

Important

GDR: 2977321 replaces 2716436 in MS12-070

QFE: 2977322 replaces 2716435 in MS12-070

SQL Server 2008 R2

Microsoft SQL Server 2008 R2 for 32-bit Systems Service Pack 2
(2977320)

Microsoft SQL Server 2008 R2 for 32-bit Systems Service Pack 2
(2977319)

Denial of Service

Important

None

Microsoft SQL Server 2008 R2 for x64-based Systems Service Pack 2
(2977320)

Microsoft SQL Server 2008 R2 for x64-based Systems Service Pack 2
(2977319)

Denial of Service

Important

None

Microsoft SQL Server 2008 R2 for Itanium-based Systems Service Pack 2
(2977320)

Microsoft SQL Server 2008 R2 for Itanium-based Systems Service Pack 2
(2977319)

Denial of Service

Important

None

SQL Server 2012

Microsoft SQL Server 2012 for 32-bit Systems Service Pack 1
(2977326)

Microsoft SQL Server 2012 for 32-bit Systems Service Pack 1
(2977325)

Denial of Service

Important

None

Microsoft SQL Server 2012 for x64-based Systems Service Pack 1
(2977326)

Microsoft SQL Server 2012 for x64-based Systems Service Pack 1
(2977325)

Elevation of Privilege

Important

None

SQL Server 2014

Microsoft SQL Server 2014 for x64-based Systems
(2977315)

Microsoft SQL Server 2014 for x64-based Systems
(2977316)

Elevation of Privilege

Important

None

 

Non-Affected Software

Operating System

Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 4

Microsoft SQL Server 2005 Express Edition Service Pack 4

Microsoft SQL Server 2005 for 32-bit Systems Service Pack 4

Microsoft SQL Server 2005 for x64-based Systems Service Pack 4

Microsoft SQL Server 2005 for Itanium-based Systems Service Pack 4

Microsoft SQL Server Management Studio Express (SSMSE) 2005

Microsoft SQL Server 2012 for 32-bit Systems Service Pack 2

Microsoft SQL Server 2012 for x64-based Systems Service Pack 2

Microsoft SQL Server 2014 for 32-bit Systems

Microsoft Data Engine (MSDE) 1.0

Microsoft Data Engine (MSDE) 1.0 Service Pack 4

Microsoft Data Engine 1.0

 

There are GDR and/or QFE updates offered for my version of SQL Server. How do I know which update to use? 
First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185.

Second, in the table below, locate the version range that your SQL Server version number falls within. The corresponding update is the update you need to install.

Note If your SQL Server version number does not fall within any of the ranges in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product in order to apply this and future security updates.

For SQL Server 2008:

SQL Server Version Range

10.00.5500-10.00.5512

10.00.5750-10.00.5867

SQL Server Update

SQL Server 2008 Service Pack 3 GDR
(2977321)

SQL Server 2008 Service Pack 3 QFE
(2977322)


For SQL Server 2008 R2:

SQL Server Version Range

10. 50.4000-10.50.4017

10.50.4251-10.50.4319

SQL Server Update

SQL Server 2008 R2 Service Pack 2 GDR
(2977320)

SQL Server 2008 R2 Service Pack 2 QFE
(2977319)


For SQL Server 2012:

SQL Server Version Range

11.0.3000-11.0.3129

11.0.3300-11.0.3447

SQL Server Update

SQL Server 2012 Service Pack 1 GDR
(2977326)

SQL Server 2012 Service Pack 1 QFE
(2977325)


For SQL Server 2014:

12.0.2000 and above

12.0.2000.8 and above

12.0.2300-12.0.2370

SQL Server Update

SQL Server 2014 GDR
(2977315)

SQL Server 2014 QFE
(2977316)


For additional installation instructions, see the Security Update Information subsection for your SQL Server edition in the Update Information section.

Will these security updates be offered to SQL Server clusters? 
Yes. The updates will also be offered to SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, and SQL Server 2014 instances that are clustered. Updates for SQL Server clusters will require user interaction.

If the SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, or SQL Server 2014 cluster has a passive node, to reduce downtime, Microsoft recommends that you scan and apply the update to the inactive node first, then scan and apply it to the active node. When all components have been updated on all nodes, the update will no longer be offered.

Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)? 
Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually.

I am using an older release of the software discussed in this security bulletin. What should I do? 
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, see the Microsoft Support Lifecycle website.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Service Pack Lifecycle Support Policy.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, see the Microsoft Worldwide Information website, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the August bulletin summary. For more information, see Microsoft Exploitability Index.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software

Affected Software

SQL Master Data Services XSS Vulnerability - CVE-2014-1820

Microsoft SQL Server Stack Overrun Vulnerability - CVE-2014-4061

Aggregate Severity Rating

SQL Server 2008

Microsoft SQL Server 2008 for 32-bit Systems Service Pack 3

Not applicable

Important 
Denial of Service

Important

Microsoft SQL Server 2008 for x64-based Systems Service Pack 3

Not applicable

Important 
Denial of Service

Important

Microsoft SQL Server 2008 for Itanium-based Systems Service Pack 3

Not applicable

Important 
Denial of Service

Important

SQL Server 2008 R2

Microsoft SQL Server 2008 R2 for 32-bit Systems Service Pack 2

Not applicable

Important 
Denial of Service

Important

Microsoft SQL Server 2008 R2 for x64-based Systems Service Pack 2

Not applicable

Important 
Denial of Service

Important

Microsoft SQL Server 2008 R2 for Itanium-based Systems Service Pack 2

Not applicable

Important 
Denial of Service

Important

SQL Server 2012

Microsoft SQL Server 2012 for 32-bit Systems Service Pack 1

Not applicable

Important 
Denial of Service

Important

Microsoft SQL Server 2012 for x64-based Systems Service Pack 1

Important 
Elevation of Privilege

Important 
Denial of Service

Important

SQL Server 2014

Microsoft SQL Server 2014 for x64-based Systems

Important 
Elevation of Privilege

Not applicable

Important

 

An XSS vulnerability exists in SQL Master Data Services (MDS) that could allow an attacker to inject a client-side script into the user's instance of Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the site on behalf of the targeted user.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2014-1820.

Mitigating Factors

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit these vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website, or by getting them to open an attachment sent through email.
  • The XSS Filter in Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11 prevents this attack for users when browsing to websites in the Internet Zone. Note that the XSS Filter in Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11 is enabled by default in the Internet zone, but is not enabled by default in the Intranet Zone.

Workarounds

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

Enable Internet Explorer 8 , Internet Explorer 9 , Internet Explorer 10, and Internet Explorer 11 XSS filter for Intranet Zone

You can help protect against exploitation of this vulnerability by changing your settings to enable the XSS filter in the Local intranet security zone. (XSS filter is enabled by default in the Internet security zone.) To do this, perform the following steps:

  1. In Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, or Internet Explorer 11 click Internet Options on the Tools menu.
  2. Click the Security tab.
  3. Click Local intranet, and then click Custom level.
  4. Under Settings, in the Scripting section, under Enable XSS filter, click Enable, and then click OK.
  5. Click OK two times to return to Internet Explorer.

Impact of workaround. Internal sites not previously flagged as being XSS risks could be flagged.

How to undo the workaround.

To undo this workaround, perform the following steps.

  1. In Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, or Internet Explorer 11 click Internet Options on the Tools menu.
  2. Click the Security tab.
  3. Click Local intranet, and then click Custom level.
  4. Under Settings, in the Scripting section, under Enable XSS filter, click Disable, and then click OK.
  5. Click OK two times to return to Internet Explorer.

FAQ

What is the scope of the vulnerability? 
This is an elevation of privilege vulnerability.

What causes the vulnerability? 
The vulnerability is caused when the SQL Master Data Services (MDS) does not properly encode output.

What is cross-site scripting (XSS)? 
Cross-site scripting (XSS) is a class of security vulnerability that can enable an attacker to inject script into the response to a webpage request. This script is then run by the requesting application, often times a web browser. The script could then spoof content, disclose information, or take any action that the user could take on the affected website, on behalf of the targeted user.

What is SQL Master Data Services (MDS)?
Master Data Services (MDS) is the SQL Server solution for master data management. Master data management (MDM) describes the efforts made by an organization to discover and define non-transactional lists of data, with the goal of compiling maintainable master lists. 

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could inject a client-side script into the user's instance of Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the site on behalf of the targeted user.

How could an attacker exploit the vulnerability? 
An attacker could exploit the vulnerability by sending a specially crafted link to the user and convincing the user to click the link. An attacker could also host a website that contains a webpage designed to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.

What systems are primarily at risk from the vulnerability? 
Servers running affected editions of Microsoft SQL Server are primarily at risk. SQL servers that do not have SQL Master Data Services installed are not at risk of this vulnerability and will not be offered this update.

What does the update do? 
The update addresses the vulnerability by correcting how the SQL Master Data Services (MDS) encodes output.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

A denial of service vulnerability exists in SQL Server. An attacker who successfully exploited this vulnerability could cause the server to stop responding until a manual reboot is initiated.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2014-4061.

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

FAQ

What is the scope of the vulnerability? 
This is a denial of service vulnerability.

What causes the vulnerability? 
The vulnerability is caused when SQL Server processes an incorrectly formatted T-SQL query.

What is T-SQL?
Transact-SQL (T-SQL) is a language that is used to query the SQL Server database engine. For more information, see Transact-SQL Overview.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited the vulnerability could cause the target system to stop responding. A manual reboot would be required in order to restore normal operation.

How could an attacker exploit the vulnerability? 
A local attacker could exploit this vulnerability by creating a specially crafted T-SQL statement that causes the Microsoft SQL Server to stop responding.

What systems are primarily at risk from the vulnerability? 
Workstations and servers running Microsoft SQL Server are at risk.

What does the update do? 
The update addresses the vulnerability by correcting the way Microsoft SQL Server handles T-SQL queries.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Several resources are available to help administrators deploy security updates. 

  • Microsoft Baseline Security Analyzer (MBSA) lets administrators scan local and remote systems for missing security updates and common security misconfigurations. 
  • Windows Server Update Services (WSUS), Systems Management Server (SMS), and System Center Configuration Manager help administrators distribute security updates. 
  • The Update Compatibility Evaluator components included with Application Compatibility Toolkit aid in streamlining the testing and validation of Windows updates against installed applications. 

For information about these and other tools that are available, see Security Tools for IT Pros

SQL Server 2008

Reference Table

The following table contains the security update information for this software.

Security update file names

For GDR update of SQL Server 2008 for 32-bit Systems Service Pack 3:
SQLServer2008-KB2977321-x86.exe


For GDR update of SQL Server 2008 for x64-based Systems Service Pack 3:
SQLServer2008-KB2977321-x64.exe


For GDR update of SQL Server 2008 for Itanium-based Systems Service Pack 3:
SQLServer2008-KB2977321-IA64.exe


For QFE update of SQL Server 2008 for 32-bit Systems Service Pack 3:
SQLServer2008-KB2977322-x86.exe


For QFE update of SQL Server 2008 for x64-based Systems Service Pack 3:
SQLServer2008-KB2977322-x64.exe


For QFE update of SQL Server 2008 for Itanium-based Systems Service Pack 3:
SQLServer2008-KB2977322-IA64.exe

Installation switches

See Microsoft Knowledge Base Article 934307

Update log file

%programfiles%\Microsoft SQL Server\100\Setup Bootstrap\LOG\<TimeStamp>\MSSQLServer\Summary_<MachineName>_<Timestamp>.txt

Special instructions

The update will also be offered to SQL Server 2008 instances that are clustered.

If your SQL Server 2008 cluster has a passive node, to reduce downtime, Microsoft recommends that you scan and apply the update to the inactive node first, and then scan and apply to the active node. When all components have been updated on all nodes, the update will no longer be offered.

Restart requirement

A restart of the SQL Server instance is required.
If a system restart is required, the installer will prompt or return exit code 3010.

Removal information

For all supported editions of SQL Server 2008:
Use Add or Remove Programs in Control Panel.

File information

For GDR update of SQL Server 2008 Service Pack 3:
See Microsoft Knowledge Base Article 2977321

For QFE update of SQL Server 2008 Service Pack 3:
See Microsoft Knowledge Base Article 2977322

 

SQL Server 2008 R2

Reference Table

The following table contains the security update information for this software.

Security update file names

For GDR update of SQL Server 2008 R2 for 32-bit Systems Service Pack 2:
SQLServer2008R2-KB2977320-x86.exe


For GDR update of SQL Server 2008 R2 for x64-based Systems Service Pack 2:
SQLServer2008R2-KB2977320-x64.exe


For GDR update of SQL Server 2008 R2 for Itanium-based Systems Service Pack 2:
SQLServer2008R2-KB2977320-IA64.exe


For QFE update of SQL Server 2008 R2 for 32-bit Systems Service Pack 2:
SQLServer2008R2-KB2977319-x86.exe


For QFE update of SQL Server 2008 R2 for x64-based Systems Service Pack 2:
SQLServer2008R2-KB2977319-x64.exe


For QFE update of SQL Server 2008 R2 for Itanium-based Systems Service Pack 2:
SQLServer2008R2-KB2977319-IA64.exe

Installation switches

See Microsoft Knowledge Base Article 934307

Update log file

%programfiles%\Microsoft SQL Server\100\Setup Bootstrap\LOG\<TimeStamp>\MSSQLServer\Summary_<MachineName>_<Timestamp>.txt

Special instructions

The update will also be offered to SQL Server 2008 R2 instances that are clustered.

If your SQL Server 2008 R2 cluster has a passive node, to reduce downtime, Microsoft recommends that you scan and apply the update to the inactive node first, and then scan and apply to the active node. When all components have been updated on all nodes, the update will no longer be offered.

Restart requirement

A restart of the SQL Server instance is required.
If a system restart is required, the installer will prompt or return exit code 3010.

Removal information

For all supported editions of SQL Server 2008 R2:
Use Add or Remove Programs in Control Panel.

File information

For GDR update of SQL Server 2008 R2 Service Pack 2:
See Microsoft Knowledge Base Article 2977320

For QFE update of SQL Server 2008 R2 Service Pack 2:
See Microsoft Knowledge Base Article 2977319

 

SQL Server 2012

Reference Table

The following table contains the security update information for this software.

Security update file names

For GDR update of SQL Server 2012 for 32-bit Systems Service Pack 1:
SQLServer2012-KB2977326-x86.exe


For GDR update of SQL Server 2012 for x64-based Systems Service Pack 1:
SQLServer2012-KB2977326-x64.exe


For QFE update of SQL Server 2012 for 32-bit Systems Service Pack 1:
SQLServer2012-KB2977325-x86.exe


For QFE update of SQL Server 2012 for x64-based Systems Service Pack 1:
SQLServer2012-KB2977325-x64.exe

Installation switches

See Microsoft Knowledge Base Article 934307

Update log file

%programfiles%\Microsoft SQL Server\110\Setup Bootstrap\LOG\<TimeStamp>\MSSQLServer\Summary_<MachineName>_<Timestamp>.txt

Special instructions

The update will also be offered to SQL Server 2012 instances that are clustered.

If your SQL Server 2012 cluster has a passive node, to reduce downtime, Microsoft recommends that you scan and apply the update to the inactive node first, and then scan and apply to the active node. When all components have been updated on all nodes, the update will no longer be offered.

Restart requirement

A restart of the SQL Server instance is required.
If a system restart is required, the installer will prompt or return exit code 3010.

Removal information

For all supported editions of SQL Server 2012:

The update removal procedure differs by scenario as follows:

Scenario 1: If the SQL Server engine is installed without SQL Server Master Data Services (MDS) on the same computer, then you can remove the update by using the Add or Remove Programs item in Control Panel. You do not have to remove the SQL Server engine.

Scenario 2: If the SQL Server engine is installed together with MDS on the same computer, follow these steps:

  1. Remove the update for the SQL Server engine by using the Add or Remove Programs item in Control Panel. You do not have to remove the SQL Server engine.
  2. Back up the MDS database.
  3. Remove the MDS component.
  4. Reinstall the MDS component.
  5. Apply any necessary SQL Server service packs or service updates to bring MDS to its pre-security update version.

Scenario 3: If MDS is installed on a computer that does not have the SQL Server engine installed, then follow these steps:

  1. Back up the MDS database.
  2. Remove the MDS component.
  3. Reinstall the MDS component.
  4. Apply any necessary SQL Server service packs or service updates to bring MDS to its pre-security update version.

File information

For GDR update of SQL Server 2012 Service Pack 1:
See Microsoft Knowledge Base Article 2977326

For QFE update of SQL Server 2012 Service Pack 1:
See Microsoft Knowledge Base Article 2977325

 

SQL Server 2014

Reference Table

The following table contains the security update information for this software.

Security update file names

For GDR update of SQL Server 2014 for x64-based Systems:
SQLServer2014-KB2977315-x64-ENU.exe


For QFE update of SQL Server 2014 for x64-based Systems:
SQLServer2014-KB2977316-x64.exe

Installation switches

See Microsoft Knowledge Base Article 934307

Update log file

%programfiles%\Microsoft SQL Server\12\Setup Bootstrap\LOG\<TimeStamp>\MSSQLServer\Summary_<MachineName>_<Timestamp>.txt

Special instructions

The update will also be offered to SQL Server 2014 instances that are clustered.

If your SQL Server 2014 cluster has a passive node, to reduce downtime, Microsoft recommends that you scan and apply the update to the inactive node first, and then scan and apply to the active node. When all components have been updated on all nodes, the update will no longer be offered.

Restart requirement

If a system restart is required, the installer will prompt or return exit code 3010.

Removal information

For all supported editions of SQL Server 2014, follow these steps:

  1. Back up the MDS database.
  2. Remove the MDS component.
  3. Reinstall the MDS component.
  4. Apply any necessary SQL Server service packs or service updates to bring MDS to its pre-security update version.

File information

For GDR update of SQL Server 2014:
See Microsoft Knowledge Base Article 2977315

For QFE update of SQL Server 2014:
See Microsoft Knowledge Base Article 2977316

 

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please go to the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Support

How to obtain help and support for this security update

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (August 12, 2014): Bulletin published.
  • V1.1 (August 13, 2014): Revised bulletin to correct the Update FAQ that addresses the question, Will these security updates be offered to SQL Server clusters?

Page generated 2014-08-20 15:12Z-07:00.
Vindt u dit nuttig?
(1500 tekens resterend)
Bedankt voor uw feedback
Weergeven:
© 2015 Microsoft