As we reported, Microsoft released its second known bad update this month that it subsequently recommended uninstalling – but this time for SQL Server. At the time of the admission, the company suggested that it was working on a fix.
That fix is now available and can be downloaded from here: Security Update for SQL Server 2016 SP2 CU (KB4458621)
Executing a specially crafted query that calculates the difference between values of different date types and aggregates the results could lead to stack corruption if the query runs in batch mode. Depending on the particular values processed by such a query, this could terminate the SQL Server process or possibly allow remote code execution. More information about the vulnerability can be found here: SQL Server 2016 SP2 CU
The original update for this security vulnerability, KB4293807, released on August 14, 2018, exposed certain testing Trace Flags that were not intended for public release. These trace flags are usually off by default. For this reason, KB4293807 has been superseded and replaced with KB4458621. If you have previously applied KB4293807, it is recommended that you install KB4458621 as soon as possible. Please see KB4458621 to download this security update.

For other impacted SQL Server releases, please see:
Security Update for SQL Server 2016 SP1 CU (CU10+GDR)*
Security Update for SQL Server 2016 SP1 GDR
Security Update for SQL Server 2016 SP2 CU (CU2+GDR)*
Security Update for SQL Server 2016 SP2 GDR
Security Update for SQL Server 2017 RTM CU (CU9+GDR)*
Security Update for SQL Server 2017 RTM GDR
* These security updates are for SQL Server instances that have applied a Cumulative Update.
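To check whether an instance is still on the withdrawn update described above, the following T-SQL batch is an added example, not code from Microsoft or from this article. It assumes the instance reports its update through `SERVERPROPERTY('ProductUpdateReference')`; the two KB numbers are the ones named in the article, and the table and column aliases are illustrative.

```sql
-- Added example: report the installed update and any globally enabled trace flags.
SET NOCOUNT ON;

DECLARE @withdrawn_kb   nvarchar(20) = N'4293807';  -- KB4293807, withdrawn (from the article)
DECLARE @replacement_kb nvarchar(20) = N'4458621';  -- KB4458621, replacement for 2016 SP2 CU

-- ProductUpdateReference holds the KB article of the update the instance is running.
-- Strip the "KB" prefix so the comparison does not depend on how it is formatted.
DECLARE @current_kb nvarchar(20) =
    REPLACE(UPPER(CONVERT(nvarchar(20), SERVERPROPERTY('ProductUpdateReference'))), N'KB', N'');

SELECT
    CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion'))     AS product_version,
    CONVERT(nvarchar(128), SERVERPROPERTY('ProductLevel'))       AS product_level,
    CONVERT(nvarchar(128), SERVERPROPERTY('ProductUpdateLevel')) AS update_level,
    @current_kb                                                  AS update_kb_number,
    CASE
        WHEN @current_kb = @withdrawn_kb
            THEN N'Withdrawn update KB4293807 is installed: apply the replacement update'
        WHEN @current_kb = @replacement_kb
            THEN N'Replacement update KB4458621 is installed'
        ELSE N'Different update or none reported: compare with the security update for this release'
    END AS assessment;

-- DBCC TRACESTATUS(-1) lists trace flags that are enabled globally.
-- The article does not name the testing trace flags, so review this list
-- against the flags you enabled on purpose.
CREATE TABLE #trace_flags
(
    TraceFlag int,
    [Status]  int,
    [Global]  int,
    [Session] int
);

INSERT INTO #trace_flags
EXEC (N'DBCC TRACESTATUS(-1) WITH NO_INFOMSGS');

SELECT TraceFlag
FROM #trace_flags
WHERE [Status] = 1 AND [Global] = 1
ORDER BY TraceFlag;

DROP TABLE #trace_flags;
```

On releases other than SQL Server 2016 SP2 CU the replacement update has a different KB number, so the `ELSE` branch is expected there and the build should be checked against the update listed for that release.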