Cumulative Update hidden in a security update

  • One of the agreed-upon policies in my shop is that we apply security patches to SQL Server on a monthly basis, first in DEV, with some limited application testing afterwards, then in PROD with another round of listed testing. If we apply a Cumulative Update or Service Pack, that's done as determined by the DBA staff, in DEV then PROD, but there's more rigorous testing. Whether it's limited or rigorous testing, it's currently a manual process. So, applying Cumulative Updates as often as they come out is painful for our staff, since it would mean monthly rigorous testing that is unnecessary.

    A recently applied Security Patch in our DEV environment (Q4293808: https://support.microsoft.com/en-us/help/4293808/security-update-for-remote-code-execution-vulnerability-in-sql-server) looks like it was unexpectedly a Cumulative Update, altering our version of SQL Server from CU8 to CU10. Is this something to be expected in the future from Microsoft? We may need to rethink our patching strategy, if so.

    Thanks for your insight,
    --=Chuck

  • I was told that if you select the most recent security patch, it is the most recent CU with some additional updates. So let's say you are on Service Pack 1 and CU 3. Currently CU5 is out for SP1, and a new security patch is released after CU 5; if you download this latest security patch, you will upgrade to CU5 also. (Real numbers may be different.)

  • I'm not getting that same experience. We did receive something similar to this when the Meltdown/Spectre flaw was responded to, and due to its severity, the combination Security Patch/CU update was justifiable in my mind. I just didn't think that was going to be a semi-regular practice. We've received several security patches since then that were just security patches.
    --=cf
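An added check, not part of the thread above, that makes the situation Chuck describes visible rather than a surprise: it snapshots the version properties the instance reports before and after a patch is applied and compares them, so a security update that also moved the CU level shows up in the result and can route the change into the fuller test cycle. It uses only the documented SERVERPROPERTY values; the table name dbo.PatchAudit and the 'before'/'after' run labels are assumptions.

```sql
-- Added example, not from the thread: snapshot the instance's version
-- properties before and after applying a patch, then diff the two rows.
-- Table name (dbo.PatchAudit) and the RunLabel values are assumptions.
IF OBJECT_ID('dbo.PatchAudit') IS NULL
    CREATE TABLE dbo.PatchAudit (
        RunLabel               sysname       NOT NULL,  -- 'before' / 'after'
        CapturedAt             datetime2     NOT NULL DEFAULT SYSUTCDATETIME(),
        ProductVersion         nvarchar(128) NULL,      -- build number, e.g. 13.0.5026.0
        ProductLevel           nvarchar(128) NULL,      -- service pack level, e.g. SP2
        ProductUpdateLevel     nvarchar(128) NULL,      -- cumulative update level, e.g. CU8 / CU10
        ProductUpdateReference nvarchar(128) NULL       -- KB article of the last update applied
    );

-- Run once with N'before' prior to patching, once with N'after' afterwards.
DECLARE @label sysname = N'before';   -- change to N'after' on the second run
INSERT INTO dbo.PatchAudit (RunLabel, ProductVersion, ProductLevel, ProductUpdateLevel, ProductUpdateReference)
SELECT @label,
       CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion')),
       CONVERT(nvarchar(128), SERVERPROPERTY('ProductLevel')),
       CONVERT(nvarchar(128), SERVERPROPERTY('ProductUpdateLevel')),
       CONVERT(nvarchar(128), SERVERPROPERTY('ProductUpdateReference'));

-- Compare the latest 'before' and 'after' rows. A changed ProductUpdateLevel
-- means the "security" patch also moved the CU, which is the trigger for the
-- rigorous test plan instead of the limited one.
;WITH b AS (SELECT TOP (1) * FROM dbo.PatchAudit WHERE RunLabel = N'before' ORDER BY CapturedAt DESC),
      a AS (SELECT TOP (1) * FROM dbo.PatchAudit WHERE RunLabel = N'after'  ORDER BY CapturedAt DESC)
SELECT b.ProductVersion     AS BuildBefore,
       a.ProductVersion     AS BuildAfter,
       b.ProductUpdateLevel AS CuBefore,
       a.ProductUpdateLevel AS CuAfter,
       a.ProductUpdateReference AS LastUpdateKB,
       CASE WHEN ISNULL(b.ProductUpdateLevel, N'') <> ISNULL(a.ProductUpdateLevel, N'')
            THEN N'CU level changed: run the rigorous test plan'
            ELSE N'CU level unchanged: limited testing applies'
       END AS Verdict
FROM b CROSS JOIN a;
```

ProductUpdateLevel and ProductUpdateReference are only populated on SQL Server 2012 SP2 and later; on older builds they return NULL, in which case the ProductVersion (build number) comparison is the one to rely on.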
