Another Patch Tuesday release, and this time it is for multiple versions of SQL Server. Make sure you read the whole article before downloading the appropriate official fix for your environment.
On January 12, Microsoft released article KB4583468 in response to CVE-2021-1236, a vulnerability that allows an authenticated attacker who can send data over the network to a vulnerable Microsoft SQL Server instance running an extended events session to cause denial of access, directly hurting your system's availability as well as data confidentiality and integrity.
Which versions are affected and can be patched
All versions starting from SQL Server 2012 all the way up to the current version of SQL Server 2019.
Below is a table with the versions that can be patched and the link to the relevant download.

| MS KB # | SQL Server target | Target baseline version | New product version | New file version |
|---|---|---|---|---|
| KB4583458 | Security update for SQL Server 2019 RTM GDR | 15.0.2000.5 - 15.0.2070.41 | 15.0.2080.9 | 2019.150.2080.9 |
| KB4583459 | Security update for SQL Server 2019 CU8 | 15.0.4003.23 - 15.0.4073.23 | 15.0.4083.2 | 2019.150.4083.2 |
| KB4583456 | Security update for SQL Server 2017 GDR | 14.0.1000.169 - 14.0.2027.2 | 14.0.2037.2 | 2017.140.2037.2 |
| KB4583457 | Security update for SQL Server 2017 CU22 | 14.0.3006.16 - 14.0.3356.20 | 14.0.3370.1 | 2017.140.3370.1 |
| KB4583460 | Security update for SQL Server 2016 SP2 GDR | 13.0.5026.0 - 13.0.5102.14 | 13.0.5103.6 | 2015.131.5103.6 |
| KB4583461 | Security update for SQL Server 2016 SP2 CU15 | 13.0.5149.0 - 13.0.5850.14 | 13.0.5865.1 | 2015.131.5865.1 |
| KB4583463 | Security update for SQL Server 2014 SP3 GDR | 12.0.6024.0 - 12.0.6118.4 | 12.0.6164.21 | 2014.120.6164.21 |
| KB4583462 | Security update for SQL Server 2014 SP3 CU4 | 12.0.6205.1 - 12.0.6372.1 | 12.0.6433.1 | 2014.120.6433.1 |
| KB4583465 | Security update for SQL Server 2012 SP4 GDR | 11.0.7001.0 - 11.0.7493.4 | 11.0.7507.2 | 2011.110.7507.2 |
If you are not sure which one is suited for you, have a look at this post: SQL Server patching: GDR vs CU.
As always, test and then patch your production instances.
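To turn the table into a quick inventory check, here is an added example (not from the original post) in Python: it takes the build returned by SELECT SERVERPROPERTY('ProductVersion') on each instance, tells you whether that build sits inside a vulnerable baseline range and which KB applies, or whether it is already at or past the fixed build. The version numbers are copied from the table above; the sample builds at the bottom are constructed.

```python
# Added example (not from the original post): classify a SQL Server build
# against the KB table above. Feed it the value returned by
#   SELECT SERVERPROPERTY('ProductVersion');
# All version numbers come from the table; the sample builds are constructed.
from typing import Tuple

# (KB, target, baseline low, baseline high, new product version)
PATCH_TABLE = [
    ("KB4583458", "SQL Server 2019 RTM GDR",  "15.0.2000.5",   "15.0.2070.41", "15.0.2080.9"),
    ("KB4583459", "SQL Server 2019 CU8",      "15.0.4003.23",  "15.0.4073.23", "15.0.4083.2"),
    ("KB4583456", "SQL Server 2017 GDR",      "14.0.1000.169", "14.0.2027.2",  "14.0.2037.2"),
    ("KB4583457", "SQL Server 2017 CU22",     "14.0.3006.16",  "14.0.3356.20", "14.0.3370.1"),
    ("KB4583460", "SQL Server 2016 SP2 GDR",  "13.0.5026.0",   "13.0.5102.14", "13.0.5103.6"),
    ("KB4583461", "SQL Server 2016 SP2 CU15", "13.0.5149.0",   "13.0.5850.14", "13.0.5865.1"),
    ("KB4583463", "SQL Server 2014 SP3 GDR",  "12.0.6024.0",   "12.0.6118.4",  "12.0.6164.21"),
    ("KB4583462", "SQL Server 2014 SP3 CU4",  "12.0.6205.1",   "12.0.6372.1",  "12.0.6433.1"),
    ("KB4583465", "SQL Server 2012 SP4 GDR",  "11.0.7001.0",   "11.0.7493.4",  "11.0.7507.2"),
]

def parse_build(version: str) -> Tuple[int, ...]:
    """'15.0.4073.23' -> (15, 0, 4073, 23); tuples compare numerically, strings would not."""
    return tuple(int(part) for part in version.strip().split("."))

def assess_build(product_version: str) -> dict:
    """Return {'status': 'vulnerable'|'patched'|'unknown', ...} for one instance build.

    vulnerable: inside a baseline range, 'kb' is the update to apply.
    patched:    at or above a fixed build and below the next branch's baseline
                (so later CUs, which carry the fix, also count as patched).
    unknown:    major version or branch not serviced by this release (e.g. 2016 SP1).
    """
    build = parse_build(product_version)
    branch = sorted((e for e in PATCH_TABLE if parse_build(e[4])[:2] == build[:2]),
                    key=lambda e: parse_build(e[4]))
    if not branch:
        return {"status": "unknown", "reason": "major version not in the table"}
    for idx, (kb, target, low, high, fixed) in enumerate(branch):
        if parse_build(low) <= build <= parse_build(high):
            return {"status": "vulnerable", "kb": kb, "target": target, "fixed": fixed}
        next_low = parse_build(branch[idx + 1][2]) if idx + 1 < len(branch) else None
        if build >= parse_build(fixed) and (next_low is None or build < next_low):
            return {"status": "patched", "kb": kb, "target": target}
    return {"status": "unknown", "reason": "build not covered by the table"}

if __name__ == "__main__":
    # Constructed sample builds, as if collected from several instances.
    for sample in ("15.0.4073.23", "13.0.5103.6", "13.0.4001.0", "10.50.6000.34"):
        print(sample, assess_build(sample))
```

A build reported as unknown (for example a SQL Server 2016 SP1 build) is not covered by this release at all and needs the service pack or a supported branch first.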
- KB4583468 – Microsoft SQL Server elevation of privilege vulnerability
- Comprehensive list of all SQL Server builds and updates