Critical SQL Server Patches for Meltdown and Spectre

  • david.abram - Tuesday, January 9, 2018 7:09 AM

    Caution needs to be aired when following the recommendations in the SQL KB article (https://support.microsoft.com/en-us/help/4073225/guidance-for-sql-server) when you are hosting an SCCM Config Manager database.

    A Technet blog says (link below):

    • Running SQL Server with CLR enabled (sp_configure 'clr enabled', 1)
    • Using Linked Servers (sp_addlinkedserver)

    Link: https://blogs.technet.microsoft.com/configurationmgr/2018/01/08/additional-guidance-to-mitigate-speculative-execution-side-channel-vulnerabilities/

    I hope that helps.

    On what you quoted, I wonder what the heck it is that they actually mean.  They really need to not assume that people know exactly what they're talking about for this problem because Mom'n'Pop need to fix their stuff, as well.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Updated with 2008 / 2008R2 patches

  • And now I can finally start testing the 2012 update. https://www.microsoft.com/en-us/download/details.aspx?id=56490

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk

  • Thanks, post updated.

  • Any downsides in performance that is actually encountered when patches are applied ?

    ____________________________________________
    HTH !
    Kin
    MCTS : 2005, 2008
    Active SQL Server Community Contributor 🙂

  • There isn't a general "performance is worse" statement that I've seen, or that I think can be made. The impact is very workload dependent. It seems some of the other db platforms have reported issues from customers, but I've seen quite a few SQL Server people note no impact.

  • Why isn't this SQL Server KB showing up in Windows Update?  I feel like these have shown up there in the past, though since we're on 2008 R2 it's been a while and I may be mis-remembering.

    Be still, and know that I am God - Psalm 46:10

  • david.gugg - Thursday, January 18, 2018 7:53 AM

    Why isn't this SQL Server KB showing up in Windows Update?  I feel like these have shown up there in the past, though since we're on 2008 R2 it's been a while and I may be mis-remembering.

    Windows Server 2012 R2's certainly did. As did the SQL Server 2012 SP3 GDR patch. If you're in a domain, and using WSUS, it might just be that your Network Administrator hasn't authorised the update yet.

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk

  • Not sure. I know the release was slow and staggered for patches.

  • Steve Jones - SSC Editor - Wednesday, January 10, 2018 10:20 AM

    Updated with 2008 / 2008R2 patches

    Speaking of 2008 and 2008R2, our organization was just beginning a project to apply the patches that were provided for TLS 1.2.
    2008R2 - KB3045314 or KB3045316, the difference being either a QFE or a GDR.

    I understand that none of these are cumulative updates. Knowing that, is there a way to tell whether 1) the Spectre/Meltdown GDR patch will overwrite the TLS 1.2 capability, and whether our choice of the QFE or GDR (for TLS 1.2) will make a difference?

    Thanks to all for sharing your expertise.
    - Mike

    Mike Hinds
    Lead Database Administrator
    1st Source Bank
    MCP, MCTS

  • You should be on a particular branch of patching. The GDRs are usually for someone that is patched with the normal branching. If you look through the build list, you should see where your current build will fit and then decide whether you're on a GDR branch or not.

    There are really only two branches of code for a version. These are usually the current and previous SP levels. Any patches for CUs or security updates are merged into the branch at the current level, which is then released. If you applied later CUs than this security update, these CUs include the TLS patches. If you're back on 10.50.4042 or so, you're in SP2 and way behind.

    All patches are cumulative, but you enter the patch cycle in a different place, depending on whether you're current or not. I think QFEs sometimes go out early and GDRs come later, but they all get patched. I go by versions, not worrying too much about the QFE/GDR stuff, especially if I'm deploying later. I think once you've gone GDR, you're always on that branch of deployment.

  • Sorry, 2008 R2 build list: http://www.sqlservercentral.com/articles/SQL+Server+2008+R2/70092/

  • Steve Jones - SSC Editor - Monday, January 22, 2018 2:11 PM

    You should be on a particular branch of patching. The GDRs are usually for someone that is patched with the normal branching. If you look through the build list, you should see where your current build will fit and then decide whether you're on a GDR branch or not.

    There are really only two branches of code for a version. These are usually the current and previous SP levels. Any patches for CUs or security updates are merged into the branch at the current level, which is then released. If you applied later CUs than this security update, these CUs include the TLS patches. If you're back on 10.50.4042 or so, you're in SP2 and way behind.

    All patches are cumulative, but you enter the patch cycle in a different place, depending on whether you're current or not. I think QFEs sometimes go out early and GDRs come later, but they all get patched. I go by versions, not worrying too much about the QFE/GDR stuff, especially if I'm deploying later. I think once you've gone GDR, you're always on that branch of deployment.

    Our 2008R2 SQLs are all on the "final" SP3 (10.50.6000), and they have the QFE security patch (10.50.6529) for MS15-058. If indeed all patches are cumulative, then it should be safe to test in our DEV environment applying first the TLS 1.2 patch (10.50.6542), and follow up with Meltdown/Spectre GDR (10.50.6560).

    Did I mention I'll do that first in our DEV environment ? 🙂

    Thanks, Steve!

    Mike Hinds
    Lead Database Administrator
    1st Source Bank
    MCP, MCTS
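As an added example (not code from any of the posts, the SQL KB or the ConfigMgr blog), the PowerShell below does two things the thread asks for in one pass: it reports the two conditions quoted from the ConfigMgr blog earlier in the thread (CLR enabled, linked servers present) and it compares the build an instance reports against the build you expect to see after patching, in the spirit of Steve's "go by versions" advice and Mike's 2008 R2 sequence above (10.50.6000 -> 10.50.6529 -> 10.50.6542 -> 10.50.6560). It assumes Windows authentication to the instance and an account that can read sys.configurations and sys.servers; the instance names at the bottom are placeholders, and the 10.50.6560 build is taken from the post, not verified independently here.

```powershell
# Added example, not code from the thread, the KB or the ConfigMgr blog.
# Reports (a) whether CLR is enabled and how many linked servers exist, the two
# conditions quoted from the ConfigMgr blog, and (b) whether the build the
# instance reports is at or above the build you expect after patching.
# Assumes Windows authentication and read access to sys.configurations/sys.servers.
function Get-SqlSpectreReadiness {
    param(
        [Parameter(Mandatory)][string]  $ServerInstance,
        [Parameter(Mandatory)][version] $MinimumBuild   # e.g. 10.50.6560, the 2008 R2 SP3 GDR build quoted above
    )

    $query = @"
SELECT  CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) AS ProductVersion,
        CAST(SERVERPROPERTY('ProductLevel')   AS nvarchar(32)) AS ProductLevel,
        (SELECT CAST(value_in_use AS int)
           FROM sys.configurations
          WHERE name = N'clr enabled')                          AS ClrEnabled,
        (SELECT COUNT(*) FROM sys.servers WHERE is_linked = 1) AS LinkedServers;
"@

    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Integrated Security=True;Connection Timeout=15")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        if (-not $reader.Read()) { throw "No row returned from $ServerInstance" }

        $installed = [version]$reader['ProductVersion']   # four-part, e.g. 10.50.6560.0
        $clr       = ([int]$reader['ClrEnabled']) -eq 1
        $linked    = [int]$reader['LinkedServers']

        [pscustomobject]@{
            Instance          = $ServerInstance
            ProductLevel      = $reader['ProductLevel']
            InstalledBuild    = $installed
            MinimumBuild      = $MinimumBuild
            BuildIsCurrent    = $installed -ge $MinimumBuild
            ClrEnabled        = $clr
            LinkedServers     = $linked
            # True when either condition quoted from the ConfigMgr blog holds;
            # the blog lists further conditions that are not reproduced in this thread.
            ExposureCondition = $clr -or ($linked -gt 0)
        }
    }
    finally {
        $conn.Dispose()
    }
}

# Usage: check several instances against the build you expect after patching.
# 'SQLDEV01' and 'SQLDEV02' are placeholder instance names.
'SQLDEV01', 'SQLDEV02' |
    ForEach-Object { Get-SqlSpectreReadiness -ServerInstance $_ -MinimumBuild '10.50.6560' } |
    Format-Table -AutoSize
```

Because ProductVersion is a four-part build and `[version]` compares all four parts, a 10.50.6560.0 instance passes a 10.50.6560 minimum, while a 10.50.6542 instance (TLS 1.2 patch only) does not; that is the "go by versions" check rather than trying to reason about QFE versus GDR branches. ExposureCondition only reflects the two conditions quoted in this thread, so a False there does not by itself mean the SQL Server mitigation is unnecessary.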

  • Has anyone had any issues enabling the two registry keys to enable the Meltdown / Spectre fixes for the OS?
    https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
    I enabled these yesterday on one of my QA servers and it seemed to very adversely affect the performance of the server in general.
    OS:  Windows Server 2012R2
    SQL:  SQL 2014 SP2 CU7
    The server is a virtual machine in a VMware ESXi cluster, which I do not know if it has or has not been patched for the vulns (which, considering VMware pulled their patches, I'd presume not.)

    I've not put CU10 on SQL yet, as our anti-virus / anti-malware settings cause the update to report failure on the database engine, although SQL still starts up and reports the correct version.  Running the CU a second time seems to work, but I'd rather have it work the first time, every time, so I'm working to get the AV settings relaxed.
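An added example (not from the post above or from KB4072698) for checking how those two registry values are actually set before and after you flip them, since their meaning is easy to get backwards. Per the KB, under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, FeatureSettingsOverride = 0 with FeatureSettingsOverrideMask = 3 enables the Windows Server mitigations, 3 with 3 disables them, and with the values absent a Windows Server install leaves them off. The -ComputerName parameter and the Invoke-Command fan-out to remote servers are my additions; the value meanings are from the KB.

```powershell
# Added example, not code from the post or from KB4072698.
# Reads the two values KB4072698 uses to control the Windows Server mitigations
# and translates them: Override=0/Mask=3 -> Enabled, Override=3/Mask=3 -> Disabled,
# values absent -> NotConfigured (on Windows Server the mitigations then stay off).
function Get-SpeculationRegistryState {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    $script = {
        $path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
        $props = Get-ItemProperty -Path $path
        # Properties that do not exist come back as $null rather than throwing.
        $override = $props.FeatureSettingsOverride
        $mask     = $props.FeatureSettingsOverrideMask

        $state = if ($null -eq $override -or $null -eq $mask) { 'NotConfigured' }
                 elseif ($override -eq 0 -and $mask -eq 3)    { 'Enabled' }
                 elseif ($override -eq 3 -and $mask -eq 3)    { 'Disabled' }
                 else                                         { 'Custom' }

        [pscustomobject]@{
            ComputerName                = $env:COMPUTERNAME
            FeatureSettingsOverride     = $override
            FeatureSettingsOverrideMask = $mask
            MitigationState             = $state
            # The registry change only takes effect after a restart, so show the
            # last boot time next to it to tell "set but not yet active" apart.
            LastBootUpTime = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) { & $script }
        else { Invoke-Command -ComputerName $c -ScriptBlock $script }
    }
}

# Writes the values the KB specifies to enable the mitigations (run elevated),
# then re-reads them. A reboot is still required for the change to apply.
function Enable-SpeculationMitigationRegistry {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    Set-ItemProperty -Path $path -Name FeatureSettingsOverride     -Value 0 -Type DWord
    Set-ItemProperty -Path $path -Name FeatureSettingsOverrideMask -Value 3 -Type DWord
    Get-SpeculationRegistryState
}

# Usage: report the local server, or pass a list of QA servers to -ComputerName.
Get-SpeculationRegistryState | Format-Table -AutoSize
```

The registry values are only the switch; whether the mitigations are actually in effect also depends on the OS update being installed, the reboot, and (for the Spectre variant 2 side) firmware and, on a VM, the hypervisor. Microsoft's SpeculationControl module from the PowerShell Gallery (Get-SpeculationControlSettings) reports that effective state, so the registry reading above is best paired with it when chasing a performance change like the one described in the post.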

  • Question:
    Does it matter what order you do the OS patch and SQL Server patch?  Some of my development servers I plan to do the SQL Server patch first, then the SA will do the OS patch.

Viewing 15 posts - 16 through 30 (of 36 total)
