Friday, August 22, 2014

Security Updates released in MS14-044, and An Approach to Microsoft’s Incremental Servicing Model

On August 12th, 2014, another infamous ‘Patch Tuesday,’ Microsoft released a series of Security Updates for multiple versions of SQL Server, to deal with potential Denial of Service attacks and an exploit in Master Data Services. Having already worked my way through hundreds of instances, across all their respective environments, with the most recent applicable Cumulative Update, the release of all these Security Updates has most definitely thrown a wrench in the patching plans. The details for this specific bulletin are here: https://technet.microsoft.com/en-us/library/security/ms14-044.aspx

The question is, if you’re a DBA, how do you make sense of all the Cumulative Updates (CUs, which contain critical on-demand fixes requested by customers), Service Packs (SP), Security Updates (SU), General Distribution Releases (GDR), and the acronym I have only noticed recently, QFE (most have heard of hotfixes, but this particular one means a Quick Fix [from] Engineering)? This is where this explanation of Microsoft’s Incremental Servicing Model from the SQL Server Team steps in to help. In fact, after 15 years of administering SQL Server, I have not found a page with such an up-to-date description of how SQL Server is patched, and this is thanks to a recent visit from Felix Avemore, a Microsoft SQL Server Premier Field Engineer based in Quebec City.

For Microsoft Premier Field Engineers for SQL Server it’s clear: your priority is to apply important Security Updates before anything else. But often those updates require a CU or an SP as a prerequisite, which makes patching a painful affair when you have the daunting task of updating 300-400 servers! That is where up-to-date, clear documentation, system backups, and checklists come in rather handy, along with deeper recommendations from the vendor to validate registry keys if your system is in production and ultra-sensitive. If you ever end up with a corrupt master, attempt a restore, but always remember you can rebuild the instance cleanly with the exact Configuration.ini file found within the setup bootstrap folder (please see a previous post on command line installs for more).
Which updates to apply depends on what build you are at, so for SQL Server 2008 through 2014, here’s a quick guide:

SQL Server Version | General Distribution Release (GDR) | Quick Fix [from] Engineering (QFE)
2014               | RTM                                | CU1 - CU2
2012               | SP1 (without any CUs)              | SP1 CU1-11
2008 R2            | SP2 (..)                           | SP2 CU1-13
2008               | SP3 (..)                           | SP3 CU1-CU17
Note that if you are on SQL 2014 RTM CU3, or SQL 2012 SP2, you are already covered at those build levels.
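To apply that table across an inventory of instances, here is an added example (not from the original post) that takes the ProductVersion and ProductLevel values returned by SERVERPROPERTY, finds the matching row, and says whether the instance still needs the serviced SP, sits on the SP baseline (the GDR case, without any CUs), or is above it (GDR security fix or CU, to be checked against the build list). The SP baseline build numbers and the inventory rows are my assumptions, not values from the post.

```python
"""Classify SQL Server instances against the GDR/QFE servicing table."""
import re

# Family -> (name, SP the table services, baseline build of that SP).
# The baseline builds are an assumption supplied for this example,
# not taken from the post; verify against Microsoft's build list.
SERVICED = {
    (12, 0): ("2014", "RTM", 2000),
    (11, 0): ("2012", "SP1", 3000),
    (10, 50): ("2008 R2", "SP2", 4000),
    (10, 0): ("2008", "SP3", 5500),
}

def parse_product_version(text):
    """'11.0.3128.0' (SERVERPROPERTY('ProductVersion')) -> (11, 0, 3128)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised ProductVersion: {text!r}")
    return tuple(int(g) for g in m.groups())

def _level_number(level):
    """'RTM' -> 0, 'SP1' -> 1, ... (SERVERPROPERTY('ProductLevel'))."""
    return 0 if level.upper() == "RTM" else int(level.upper()[2:])

def classify(product_version, product_level):
    """Return (family, hint): 'needs SPn' when below the serviced SP,
    'GDR' on the bare SP baseline, 'GDR or QFE' above it, else 'unknown'."""
    major, minor, build = parse_product_version(product_version)
    row = SERVICED.get((major, minor))
    if row is None:
        return ("unknown", "unknown")
    family, sp, baseline = row
    if _level_number(product_level) < _level_number(sp):
        return (family, f"needs {sp}")
    if build == baseline:
        return (family, "GDR")
    return (family, "GDR or QFE")

if __name__ == "__main__":
    # Constructed inventory rows (instance, ProductVersion, ProductLevel).
    inventory = [("SQLPROD01", "12.0.2000.8", "RTM"),
                 ("SQLPROD02", "11.0.3393.0", "SP1"),
                 ("SQLPROD03", "11.0.2100.60", "RTM")]
    for name, version, level in inventory:
        print(name, *classify(version, level))
```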

There are clear arguments, as laid out well by Glenn Berry here, that you should apply recent Cumulative Updates to maintain proper performance, stability, and regular maintenance of your SQL Server Instances.
Are QFEs cumulative? By their build level, it would appear so, and after reading several definitions, I can confirm that they are indeed cumulative hotfixes also.

Hope this clears up some of the muddy pathway you’ll find attempting to keep up with patches on SQL Server.
Happy Patching


This post was given a mention in DatabaseWeekly.com’s edition of September 1st, 2014: