SQLServerCentral Article

Critical SQL Server Patches for Meltdown and Spectre


There is a set of critical bugs in our processors. There are two issues, known as Meltdown and Spectre. This page is a summary of information that you might want to review and decide how to patch your systems.

I'll point out that Allan Hirt has a great summary page on his blog that's worth reading in more detail.

WARNING: Some reports of issues with older AMD CPUs.

Updated Intel Guidance: INTEL-SA-00088

SQL Server Versions Affected

This is a hardware issue, so every system is affected. SQL Server is affected on x86 and x64 for these versions:

  • SQL Server 2008
  • SQL Server 2008R2
  • SQL Server 2012
  • SQL Server 2014
  • SQL Server 2016
  • SQL Server 2017
  • Azure SQL Database

It is likely that SQL Server 2005, SQL Server 2000, SQL Server 7, SQL Server 6.5 are all affected. No SQL Server patches are coming.

Note: according to Microsoft, IA64 systems are not believed to be affected.

SQL Server Patches

There is a KB (4073225) that discusses the attacks. You can read that in 

Here are the patches as of this time:

We will update as more patches become available.

OS Patches

The Windows KB for guidance is 4072698.

Here are the OS patches that I've been able to find.

VMware has a security advisory (VMSA-2018-0002) and patches. They have released:

When to PATCH Immediately

If you have SQL Server 2017 or SQL Server 2016 running, then patches are available. 

SQL Server (Windows) VM in your data center - Patch host OS or isolate SQL Server back on physical hardware. Check Windows OS for microcode changes.

SQL Server (Windows) on bare metal or VM, not isolated from application code on the same machine, or using untrusted code - Apply OS patches, SQL Server patches, enable microcode changes.

SQL Server on Linux - Apply Linux OS patches and Linux SQL Server patches, and check with your Linux vendor.

Note that when untrusted SQL Server extensibility mechanisms are mentioned, they mean:

  • SQL CLR
  • R and Python packages running through sp_execute_external_script, or standalone R/ML Learning Studio on a machine
  • SQL Agent running ActiveX scripts
  • Non-MS OLEDB providers in linked servers
  • Non-MS XPs

There are mitigations in the SQL Server KB.
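The list above is the attack surface the KB is talking about, so the first practical step on each instance is an inventory: which build is running, and which of those extensibility mechanisms are actually enabled or in use. The T-SQL below is an added example for that purpose, not code from the article or from Microsoft's KB. It uses only documented catalog views (sys.configurations, sys.assemblies, sys.servers, sys.extended_procedures, msdb job tables) and assumes you run it with sysadmin rights; the set of "known Microsoft" provider names it filters on is my own choice and should be extended for any vendor providers you have reviewed.

```sql
-- Added inventory script (not from the article or the KB). Run on each instance
-- as sysadmin. Each result set answers one question from the "untrusted code"
-- list: build level, CLR, external scripts, ActiveX job steps, linked-server
-- providers and extended procedures.

-- 1. Build level, to compare against the fixed builds in the SQL Server KB.
--    ProductUpdateLevel returns NULL on versions that do not expose CU level.
SELECT
    SERVERPROPERTY('ProductVersion')     AS product_version,
    SERVERPROPERTY('ProductLevel')       AS product_level,        -- RTM / SPn
    SERVERPROPERTY('ProductUpdateLevel') AS product_update_level, -- CUn
    SERVERPROPERTY('Edition')            AS edition,
    @@VERSION                            AS version_string;      -- includes OS

-- 2. Instance-wide switches for the mechanisms the article names.
--    value_in_use = 1 means the feature is on right now.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled',               -- SQL CLR assemblies
               'external scripts enabled'); -- R / Python via sp_execute_external_script

-- 3. User-defined CLR assemblies. sys.assemblies is per database, so run this
--    in every user database (or wrap it in sp_MSforeachdb). UNSAFE and
--    EXTERNAL_ACCESS assemblies are the ones that run arbitrary native code.
SELECT DB_NAME() AS database_name,
       name,
       permission_set_desc,
       create_date
FROM sys.assemblies
WHERE is_user_defined = 1
ORDER BY CASE permission_set_desc WHEN 'UNSAFE_ACCESS'   THEN 0
                                  WHEN 'EXTERNAL_ACCESS' THEN 1
                                  ELSE 2 END, name;

-- 4. SQL Agent job steps that use the ActiveX scripting subsystem.
SELECT j.name AS job_name, s.step_id, s.step_name, j.enabled
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem = 'ActiveScripting';

-- 5. Linked servers whose OLE DB provider is not one of Microsoft's SQL Server
--    providers. The allow-list below is an assumption: add any vendor
--    providers you have already reviewed.
SELECT name, product, provider, data_source
FROM sys.servers
WHERE is_linked = 1
  AND provider NOT IN ('SQLNCLI', 'SQLNCLI10', 'SQLNCLI11',
                       'MSOLEDBSQL', 'SQLOLEDB');

-- 6. Extended stored procedures registered from DLLs (sp_addextendedproc).
--    These live only in master; review every dll_name against what your
--    vendors actually ship.
SELECT name, dll_name, create_date
FROM master.sys.extended_procedures
ORDER BY dll_name, name;
```

An instance where result sets 2 through 6 all come back empty (or with 'clr enabled' and 'external scripts enabled' at 0) is running no untrusted code inside the SQL Server process, which is what moves it from the "patch immediately" category into the "patch later" one once the OS-level question is settled. Anything that does show up is worth recording next to the build number so the patch order can be justified later.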

When You Can Patch Later

If you have SQL Server 2008, 2008 R2, 2012, 2014 you'll have to wait on SQL Server patches. They aren't out yet. We will update this page as patches are released. However, there are other situations that remove an immediate need for patching.

When You Don't Need to Patch

If you are on AWS, they've patched their systems, except for EC2 VMs. Those need patches from you. AWS Statement

Azure is patched according to KB4073235. Guidance in ADV180002 says . This does not include VMs that don't get automatic updates. You need to patch those manually.

Details On the Exploits

Descriptions of the exploit, if you want to dig down and understand.

Official notes from Intel, AMD, ARM.
