Problem
On a recent trip out west we were informed via radio that a series of earthquakes was occurring off the coast of Vancouver Island. We happened to be sailing directly over the location of these earthquakes and never noticed anything, although the scientists tasked with monitoring such events were fully aware of the situation. You may wonder what this has to do with SQL Server. Well, you may not have been aware of the latest security release for SQL Server 2005 unless you were monitoring releases of this nature. At any rate, KB948109 was released in July and provides protection against vulnerabilities that would allow elevation of privilege by an attacker. While this security update is only a portion of the greater Microsoft Security Bulletin MS08-040 released in July, I am focusing only on the Knowledge Base article relating to Microsoft SQL Server 2005. The vulnerability and the updated code actually encompass all versions from SQL Server 7.0 to SQL Server 2005.
Solution
This update (Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege) should be applied at your earliest opportunity to all instances of SQL Server 7.0 to SQL Server 2005 according to Microsoft. Information relating to what actions are prevented by this update, applicable editions of SQL Server, the known issues with the update and directions for updating your instances of Microsoft SQL Server can be found at the following Microsoft-supported websites:
- Microsoft Security Bulletin MS08-040 – Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)
  - http://www.microsoft.com/technet/security/bulletin/MS08-040.mspx
  - High-level description of the exposed vulnerability
  - Listing of all software versions exposed to the vulnerability
  - Listing of all required service packs that must be installed prior to installing the latest security update
- Security Update for SQL Server 2005 Service Pack 2 (KB948109)
  - http://www.microsoft.com/en-us/download/details.aspx?id=13242
  - Detailed explanation of known issues with the installation of the latest security update KB948109
  - Information on how to obtain the update executables
  - Highly detailed listing of the file attributes associated with this release
  - Executables for the Itanium, x64, and x86 security upgrade
It is important to note that, prior to initiating the update, you should back up all of your system databases. I also recommend backing up the tail of the transaction log for each user database on the instance. I did not see reference to either of these steps in the documentation, but it is a good practice to get in the habit of whenever you make a change to your SQL Server instances. As with all SQL Server 2005 service pack installations and security updates to date, you will need to stop the services that relate to the files being updated on the server during the installation process. This update requires that you stop the SQL Server service. This will also stop the SQL Server Agent service by default, as it depends upon the base SQL Server service running. An added requirement of this update is that the SQL Server VSS Writer service must be running. You can disable that service after completion of the update if you so wish.
An interesting result (interesting is a synonym for unfortunate in MY dictionary if you’re playing along at home) of this update is that the settings for some of your SQL Server-based services will be changed upon completion. My SQL Server, SQL Server Agent, and Full-Text Search services were all set to Manual start mode once the process completed. They were originally set to Automatic (for obvious reasons). Furthermore, while the Full-Text Search service was up and running, the SQL Server and SQL Server Agent services were not. I’ve also heard reports that the SQL Server Reporting Services service is affected in a similar fashion: service stopped and set to Manual start. To resolve these issues, use SQL Server Configuration Manager to change the service start mode back to Automatic and then start the affected services that are currently stopped.
After installation, running SELECT @@version will report the updated SQL Server build, which is 9.00.3068.00.
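A post-update check that covers both of the gotchas above, as an added example that is not part of the original article: it lists the SQL Server, Agent, Full-Text and Reporting Services services with their start mode and state, flags any left on Manual or stopped, and confirms the build reported by the instance is 9.00.3068.00. It assumes it runs as an administrator on the patched server with Windows authentication, PowerShell 2.0 or later, and a default instance (the `$sqlConnStr` value is an assumption to adjust for named instances).

```powershell
# Added example, not from the article: verify service settings and build after KB948109.
$sqlConnStr    = 'Server=.;Integrated Security=SSPI'   # assumption: default instance, Windows auth
$expectedBuild = '9.00.3068.00'                        # build the article says @@version shows post-update

# Service names the article reports the update flips to Manual and may leave stopped
# (default-instance names plus the $INSTANCE form used by named instances).
$watch = 'MSSQLSERVER', 'MSSQL$*', 'SQLSERVERAGENT', 'SQLAgent$*',
         'msftesql', 'msftesql$*', 'ReportServer', 'ReportServer$*'

function Test-SqlServiceState {
    # Returns the names of watched services that are not Automatic *and* running.
    $flagged = @()
    foreach ($svc in Get-WmiObject Win32_Service) {
        $hit = $false
        foreach ($pattern in $watch) { if ($svc.Name -like $pattern) { $hit = $true } }
        if (-not $hit) { continue }
        Write-Host ('{0,-28} StartMode={1,-7} State={2}' -f $svc.Name, $svc.StartMode, $svc.State)
        # Win32_Service reports Automatic start as 'Auto'
        if ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running') { $flagged += $svc.Name }
    }
    return $flagged
}

function Get-SqlBuild {
    # SERVERPROPERTY('ProductVersion') returns only the build (e.g. 9.00.3068.00),
    # the same number the article tells you to look for in SELECT @@version.
    $conn = New-Object System.Data.SqlClient.SqlConnection($sqlConnStr)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32))"
        return [string]$cmd.ExecuteScalar()
    } finally { $conn.Close() }
}

$flagged = Test-SqlServiceState
if ($flagged) {
    Write-Host "Fix in SQL Server Configuration Manager (set Automatic, then start): $($flagged -join ', ')"
} else {
    Write-Host 'All watched SQL Server services are set to Automatic and running.'
}

try {
    $build = Get-SqlBuild
    if ($build -eq $expectedBuild) { Write-Host "Build $build matches the KB948109 level." }
    else { Write-Host "Build $build does not match $expectedBuild; the update may not have applied." }
} catch {
    Write-Host "Could not connect to check the build (is the SQL Server service running?): $_"
}
```

Run it after the reboot that follows the update; if the SQL Server service itself was left stopped, the build check will fail until you start it, which is exactly the condition the first function flags.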
Next Steps
- Read through the information relating to this update in the links provided above.
- Analyze your environment and determine if your SQL Server instances have the current service pack and the latest security patches.
- Be sure to review the documentation for the latest upgrade to determine if it is cumulative with previous security upgrades or service pack releases.

Tim Ford is a Senior Database Administrator with MindBody in San Luis Obispo, California and is in the process of relocating west to the Pacific Northwest from Michigan. Since 2010 he’s produced Microsoft Data Platform training events branded as SQL Cruise from Alaska to the Caribbean and the Mediterranean at Tech Outbound, an events company specializing in technical training in unconventional locations. His SQL Cruise events take place on cruise ships in the Caribbean, Alaska, and the Mediterranean. Tim is also the Executive VP of Marketing for PASS, the global association for Microsoft data professionals. He is also a contributing author for itprotoday. Tim loves helping people find their true potential through education and building networks between Thought Leaders in various fields and those who are just starting on their careers or struggling to find their footing in established careers. If you’re looking for this sort of experience then check out the next SQL Cruise event taking place this August in Seattle.
- MSSQLTips Awards: Achiever (75+ tips) – 2010