Does SQL Server 2017 CU10 include CVE-2018-8273 hotfix?

Clash Royale CLAN TAG#URR8PPP

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;

up vote
5
down vote

favorite

1

Microsoft released SQL Server 2017 CU10 KB4342123 (14.0.3037.1) yesterday. I tried looking through the Hotfixes included list, but didn't see any reference to the recently released security update for the remote code execution vulnerability hotfix KB4293805 CVE-2018-8273 (14.0.3035.2).

How can we determine if SQL Server 2017 CU10 includes the security hotfix KB4293805 CVE-2018-8273 or not?

Is the higher version number of CU10 enough to determine that?

NOTE: I've already installed the CVE-2018-8273 fix onto CU9.

sql-server sql-server-2017 patching

share|improve this question

edited Aug 29 at 19:18

a_horse_with_no_name

35.8k769107

asked Aug 29 at 16:25

John G Hohengarten

370211

add a comment | 

up vote
5
down vote

favorite

1

Microsoft released SQL Server 2017 CU10 KB4342123 (14.0.3037.1) yesterday. I tried looking through the Hotfixes included list, but didn't see any reference to the recently released security update for the remote code execution vulnerability hotfix KB4293805 CVE-2018-8273 (14.0.3035.2).

How can we determine if SQL Server 2017 CU10 includes the security hotfix KB4293805 CVE-2018-8273 or not?

Is the higher version number of CU10 enough to determine that?

NOTE: I've already installed the CVE-2018-8273 fix onto CU9.

sql-server sql-server-2017 patching

share|improve this question

edited Aug 29 at 19:18

a_horse_with_no_name

35.8k769107

asked Aug 29 at 16:25

John G Hohengarten

370211

add a comment | 

up vote
5
down vote

favorite

1

up vote
5
down vote

favorite

1

1

Microsoft released SQL Server 2017 CU10 KB4342123 (14.0.3037.1) yesterday. I tried looking through the Hotfixes included list, but didn't see any reference to the recently released security update for the remote code execution vulnerability hotfix KB4293805 CVE-2018-8273 (14.0.3035.2).

How can we determine if SQL Server 2017 CU10 includes the security hotfix KB4293805 CVE-2018-8273 or not?

Is the higher version number of CU10 enough to determine that?

NOTE: I've already installed the CVE-2018-8273 fix onto CU9.

sql-server sql-server-2017 patching

share|improve this question

edited Aug 29 at 19:18

a_horse_with_no_name

35.8k769107

asked Aug 29 at 16:25

John G Hohengarten

370211

Microsoft released SQL Server 2017 CU10 KB4342123 (14.0.3037.1) yesterday. I tried looking through the Hotfixes included list, but didn't see any reference to the recently released security update for the remote code execution vulnerability hotfix KB4293805 CVE-2018-8273 (14.0.3035.2).

How can we determine if SQL Server 2017 CU10 includes the security hotfix KB4293805 CVE-2018-8273 or not?

Is the higher version number of CU10 enough to determine that?

NOTE: I've already installed the CVE-2018-8273 fix onto CU9.

sql-server sql-server-2017 patching

share|improve this question

edited Aug 29 at 19:18

a_horse_with_no_name

35.8k769107

asked Aug 29 at 16:25

John G Hohengarten

370211

share|improve this question

share|improve this question

edited Aug 29 at 19:18

a_horse_with_no_name

35.8k769107

edited Aug 29 at 19:18

a_horse_with_no_name

35.8k769107

edited Aug 29 at 19:18

a_horse_with_no_name

35.8k769107

35.8k769107

asked Aug 29 at 16:25

John G Hohengarten

370211

asked Aug 29 at 16:25

John G Hohengarten

370211

asked Aug 29 at 16:25

John G Hohengarten

370211

370211

add a comment | 

add a comment | 

1 Answer
1

active

oldest

votes

up vote
5
down vote



accepted

Yes, the security fix is in the CU. Direct but private comment from a reliable source within Microsoft:

Security fixes always roll-up to any subsequent CU. That's been the case for years.

And from another colleague at Microsoft:

all CU servicing releases for a given baseline are 100% cumulative of all previous Security Updates, CUs, and On Demand hotfixes released to date for that baseline (RTM or SP). This is mechanically mandated by the fact that we use the same physical CU source repository, we do not have any fix specific release repositories, and we do not remove fixes once they are released.

With very few historical exceptions, cumulative updates always include the fixes in lower builds from the same branch, security or otherwise. Prior to SQL Server 2017, this could be different because of the way service packs were versioned (e.g. service pack 2 RTM has a higher build number than sp1 cu28 even though the latter is 6 months newer). But that is just a cosmetic thing - it still holds true for the branch, but it doesn't always hold true if you are ignoring service pack level and only comparing @@VERSION numbers.

Has Microsoft explicitly documented anywhere that the security fix is included in CU10? I'd like to be able to prove to management that the fix is there.

I've asked multiple times for more transparency about what fixes are included (or not included) in a specific CU, especially when something like this happens -- a security hotfix with its own set of issues was released between CUs. They have taken the feedback and I do hope to see some official documentation at least on the Release Services Team blog posts announcing each new release.

All I can say is that's not a fast-moving machine over there, and both automated processes and lawyers can sometimes get in the way of what can be disclosed in automatically-generated content like CU KB articles. For now you're going to have to take my (and their) word for it.

share|improve this answer

edited Aug 29 at 18:03

answered Aug 29 at 17:14

Aaron Bertrand♦

144k19275462

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "182"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f216223%2fdoes-sql-server-2017-cu10-include-cve-2018-8273-hotfix%23new-answer', 'question_page');

);

Post as a guest

Name Email

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
5
down vote



accepted

Yes, the security fix is in the CU. Direct but private comment from a reliable source within Microsoft:

Security fixes always roll-up to any subsequent CU. That's been the case for years.

And from another colleague at Microsoft:

all CU servicing releases for a given baseline are 100% cumulative of all previous Security Updates, CUs, and On Demand hotfixes released to date for that baseline (RTM or SP). This is mechanically mandated by the fact that we use the same physical CU source repository, we do not have any fix specific release repositories, and we do not remove fixes once they are released.

With very few historical exceptions, cumulative updates always include the fixes in lower builds from the same branch, security or otherwise. Prior to SQL Server 2017, this could be different because of the way service packs were versioned (e.g. service pack 2 RTM has a higher build number than sp1 cu28 even though the latter is 6 months newer). But that is just a cosmetic thing - it still holds true for the branch, but it doesn't always hold true if you are ignoring service pack level and only comparing @@VERSION numbers.

Has Microsoft explicitly documented anywhere that the security fix is included in CU10? I'd like to be able to prove to management that the fix is there.

I've asked multiple times for more transparency about what fixes are included (or not included) in a specific CU, especially when something like this happens -- a security hotfix with its own set of issues was released between CUs. They have taken the feedback and I do hope to see some official documentation at least on the Release Services Team blog posts announcing each new release.

All I can say is that's not a fast-moving machine over there, and both automated processes and lawyers can sometimes get in the way of what can be disclosed in automatically-generated content like CU KB articles. For now you're going to have to take my (and their) word for it.

share|improve this answer

edited Aug 29 at 18:03

answered Aug 29 at 17:14

Aaron Bertrand♦

144k19275462

add a comment | 

up vote
5
down vote



accepted

Yes, the security fix is in the CU. Direct but private comment from a reliable source within Microsoft:

Security fixes always roll-up to any subsequent CU. That's been the case for years.

And from another colleague at Microsoft:

all CU servicing releases for a given baseline are 100% cumulative of all previous Security Updates, CUs, and On Demand hotfixes released to date for that baseline (RTM or SP). This is mechanically mandated by the fact that we use the same physical CU source repository, we do not have any fix specific release repositories, and we do not remove fixes once they are released.

With very few historical exceptions, cumulative updates always include the fixes in lower builds from the same branch, security or otherwise. Prior to SQL Server 2017, this could be different because of the way service packs were versioned (e.g. service pack 2 RTM has a higher build number than sp1 cu28 even though the latter is 6 months newer). But that is just a cosmetic thing - it still holds true for the branch, but it doesn't always hold true if you are ignoring service pack level and only comparing @@VERSION numbers.

Has Microsoft explicitly documented anywhere that the security fix is included in CU10? I'd like to be able to prove to management that the fix is there.

I've asked multiple times for more transparency about what fixes are included (or not included) in a specific CU, especially when something like this happens -- a security hotfix with its own set of issues was released between CUs. They have taken the feedback and I do hope to see some official documentation at least on the Release Services Team blog posts announcing each new release.

All I can say is that's not a fast-moving machine over there, and both automated processes and lawyers can sometimes get in the way of what can be disclosed in automatically-generated content like CU KB articles. For now you're going to have to take my (and their) word for it.

share|improve this answer

edited Aug 29 at 18:03

answered Aug 29 at 17:14

Aaron Bertrand♦

144k19275462

add a comment | 

up vote
5
down vote



accepted

up vote
5
down vote



accepted

Yes, the security fix is in the CU. Direct but private comment from a reliable source within Microsoft:

Security fixes always roll-up to any subsequent CU. That's been the case for years.

And from another colleague at Microsoft:

all CU servicing releases for a given baseline are 100% cumulative of all previous Security Updates, CUs, and On Demand hotfixes released to date for that baseline (RTM or SP). This is mechanically mandated by the fact that we use the same physical CU source repository, we do not have any fix specific release repositories, and we do not remove fixes once they are released.

With very few historical exceptions, cumulative updates always include the fixes in lower builds from the same branch, security or otherwise. Prior to SQL Server 2017, this could be different because of the way service packs were versioned (e.g. service pack 2 RTM has a higher build number than sp1 cu28 even though the latter is 6 months newer). But that is just a cosmetic thing - it still holds true for the branch, but it doesn't always hold true if you are ignoring service pack level and only comparing @@VERSION numbers.

Has Microsoft explicitly documented anywhere that the security fix is included in CU10? I'd like to be able to prove to management that the fix is there.

I've asked multiple times for more transparency about what fixes are included (or not included) in a specific CU, especially when something like this happens -- a security hotfix with its own set of issues was released between CUs. They have taken the feedback and I do hope to see some official documentation at least on the Release Services Team blog posts announcing each new release.

All I can say is that's not a fast-moving machine over there, and both automated processes and lawyers can sometimes get in the way of what can be disclosed in automatically-generated content like CU KB articles. For now you're going to have to take my (and their) word for it.

share|improve this answer

edited Aug 29 at 18:03

answered Aug 29 at 17:14

Aaron Bertrand♦

144k19275462

Yes, the security fix is in the CU. Direct but private comment from a reliable source within Microsoft:

Security fixes always roll-up to any subsequent CU. That's been the case for years.

And from another colleague at Microsoft:

all CU servicing releases for a given baseline are 100% cumulative of all previous Security Updates, CUs, and On Demand hotfixes released to date for that baseline (RTM or SP). This is mechanically mandated by the fact that we use the same physical CU source repository, we do not have any fix specific release repositories, and we do not remove fixes once they are released.

With very few historical exceptions, cumulative updates always include the fixes in lower builds from the same branch, security or otherwise. Prior to SQL Server 2017, this could be different because of the way service packs were versioned (e.g. service pack 2 RTM has a higher build number than sp1 cu28 even though the latter is 6 months newer). But that is just a cosmetic thing - it still holds true for the branch, but it doesn't always hold true if you are ignoring service pack level and only comparing @@VERSION numbers.

Has Microsoft explicitly documented anywhere that the security fix is included in CU10? I'd like to be able to prove to management that the fix is there.

I've asked multiple times for more transparency about what fixes are included (or not included) in a specific CU, especially when something like this happens -- a security hotfix with its own set of issues was released between CUs. They have taken the feedback and I do hope to see some official documentation at least on the Release Services Team blog posts announcing each new release.

All I can say is that's not a fast-moving machine over there, and both automated processes and lawyers can sometimes get in the way of what can be disclosed in automatically-generated content like CU KB articles. For now you're going to have to take my (and their) word for it.

share|improve this answer

edited Aug 29 at 18:03

answered Aug 29 at 17:14

Aaron Bertrand♦

144k19275462

share|improve this answer

share|improve this answer

edited Aug 29 at 18:03

edited Aug 29 at 18:03

edited Aug 29 at 18:03

answered Aug 29 at 17:14

Aaron Bertrand♦

144k19275462

answered Aug 29 at 17:14

Aaron Bertrand♦

144k19275462

answered Aug 29 at 17:14

Aaron Bertrand♦

144k19275462

144k19275462

add a comment | 

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f216223%2fdoes-sql-server-2017-cu10-include-cve-2018-8273-hotfix%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email