Last week, Microsoft released a new cumulative security patch that corrects
a number of new critical problems. This short article shows what it fixes,
where to get the hot fix and how to install it. For the purpose of this
article, we'll only explain how to apply the patch to a SQL Server 2000 machine,
but a parallel patch was released for SQL Server 7.0 and is applied in a
similar way.
First, it's important to note that as with any cumulative patch, this patch
wraps in the previous hot fixes and will bring your server up to 8.00.0679.
Before you apply the patch, you must have SQL Server 2000 SP 2 installed. To
download the patch, go to the Microsoft Technet Center for the patch at
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech or
directly at
8.00.0679_enu.exe (about 10MB).
The patch mostly fixes buffer overrun problems that allow a hacker to exploit
SQL Server and gain full control of your server. If proper security is already
in place, the impact of the problems fixed in this cumulative patch is reduced.
There is also an additional bug that allows a user with minimal access to the
server to create scheduled jobs that would run under the authority of the
account that starts SQL Server Agent. This could lead to a disruption in your
SQL Server service or allow a hacker access to your operating system or overall
network. Overall, there are 4 fixes that are marked critical in this cumulative
patch.
Because these flaws are exploitable, Microsoft listed this patch as a critical
one to install. Since so many files are replaced by this patch, though, I would
recommend that you install it in development first (as always, hopefully) to
make sure it doesn't cause any regressions in your application.
Unfortunately, Microsoft doesn't even include the simplest of install tools.
Instead, you'll have to manually backup and copy the files to their individual
locations and then apply the appropriate SQL scripts. If you're applying the
patch into an environment with replication, make sure as with any service pack
or hot fix that you apply it first to the Distributor, then Publisher and
finally the Subscribers. Once you download the patch, extract it to a folder,
then open the readme.txt file. The readme.txt file contains step-by-step
instructions on how to apply the patch and roll it back if necessary.
If you haven't developed a batch file or VBScript to deploy the patch, you
can count on it taking at least 10 minutes per server in your environment (15
minutes in a cluster). You will have to stop the SQL Server services while you
overwrite the files and then start it up again once the files have been copied
over. No reboot is required though. If you have a deployment batch file or
script, you can have it complete in less than 5 minutes per server, so it's
worth spending a few hours creating a script if you have more than a dozen or
so servers.
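A deployment script of the kind the article recommends, written here as an added example rather than taken from the article or the hotfix. It assumes a default instance (service names MSSQLSERVER and SQLSERVERAGENT, install path under Program Files), that osql is on the PATH, and that the file-to-folder map and the list of SQL scripts are taken from the hotfix's readme.txt, which this page does not reproduce; the expected build string assumes SERVERPROPERTY reports 8.00.0679 as 8.00.679.

```powershell
# Added example (not from the article or the hotfix): applies an extracted
# SQL Server 2000 cumulative hotfix to a default instance in the article's order.
param(
    [Parameter(Mandatory = $true)][string]$PatchDir,   # folder the hotfix was extracted to
    [Parameter(Mandatory = $true)][hashtable]$FileMap, # file name -> subfolder of $SqlDir, from readme.txt
    [string[]]$SqlScripts = @(),                       # .sql files readme.txt says to run, in order
    [string]$SqlDir = 'C:\Program Files\Microsoft SQL Server\MSSQL',  # default-instance path (assumed)
    [string]$ExpectedBuild = '8.00.679',               # 8.00.0679 as reported by SERVERPROPERTY (assumed)
    [string]$BackupDir = "C:\HotfixBackup\$(Get-Date -Format 'yyyyMMdd_HHmmss')"
)
$ErrorActionPreference = 'Stop'

function Get-SqlBuild {
    # osql is the SQL Server 2000 command-line client; -E uses Windows authentication.
    $out = & osql -E -h-1 -Q "SET NOCOUNT ON SELECT CAST(SERVERPROPERTY('ProductVersion') AS varchar(20))"
    ($out | Where-Object { $_ -match '^\s*\d+\.\d+\.\d+' } | Select-Object -First 1).Trim()
}

Write-Host "Build before patch: $(Get-SqlBuild)"

# Stop the Agent first (it depends on the engine), then the engine itself.
Stop-Service -Name SQLSERVERAGENT -ErrorAction SilentlyContinue
Stop-Service -Name MSSQLSERVER

# Back up each file that will be overwritten, then copy the new one in.
# Backups keep the same subfolder layout, so rollback is the copy in reverse.
foreach ($name in $FileMap.Keys) {
    $targetDir = Join-Path $SqlDir $FileMap[$name]
    $target    = Join-Path $targetDir $name
    if (Test-Path $target) {
        $bakDir = Join-Path $BackupDir $FileMap[$name]
        New-Item -ItemType Directory -Path $bakDir -Force | Out-Null
        Copy-Item -Path $target -Destination $bakDir
    }
    Copy-Item -Path (Join-Path $PatchDir $name) -Destination $targetDir
}

Start-Service -Name MSSQLSERVER
Start-Service -Name SQLSERVERAGENT

# Apply the SQL scripts listed in readme.txt; -b makes osql return a non-zero exit code on error.
foreach ($script in $SqlScripts) {
    & osql -E -b -i (Join-Path $PatchDir $script)
    if ($LASTEXITCODE -ne 0) { throw "Script $script failed with exit code $LASTEXITCODE" }
}

$after = Get-SqlBuild
Write-Host "Build after patch:  $after"
if ($after -ne $ExpectedBuild) { throw "Expected build $ExpectedBuild but server reports $after" }
```

Run it on a development server first, as the article advises, and keep the backup folder until the application has been regression-tested.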
Since the beta of service pack 3 for SQL Server 2000 is almost complete,
Microsoft states in its security bulletin that these fixes may not be included
until service pack 4 of SQL Server, which should probably be released in late
spring of next year. Hopefully, they change their stance and include the fixes
in the upcoming service pack 3.
Watch our homepage to see the latest news on hot fixes in the Quick Info
area. If you have any questions or problems, please post in our
Service Pack forum.