Does SQL Server 2017 CU10 include CVE-2018-8273 hotfix?
Microsoft released SQL Server 2017 CU10 KB4342123 (14.0.3037.1) yesterday. I tried looking through the Hotfixes included list, but didn't see any reference to the recently released security update for the remote code execution vulnerability hotfix KB4293805 CVE-2018-8273 (14.0.3035.2).
How can we determine if SQL Server 2017 CU10 includes the security hotfix KB4293805 CVE-2018-8273 or not?
Is the higher version number of CU10 enough to determine that?
NOTE: I've already installed the CVE-2018-8273 fix onto CU9.
sql-server sql-server-2017 patching
asked Aug 29 at 16:25 by John G Hohengarten; edited Aug 29 at 19:18 by a_horse_with_no_name
1 Answer (accepted)
Yes, the security fix is in the CU. Direct but private comment from a reliable source within Microsoft:
Security fixes always roll-up to any subsequent CU. That's been the case for years.
And from another colleague at Microsoft:
all CU servicing releases for a given baseline are 100% cumulative of all previous Security Updates, CUs, and On Demand hotfixes released to date for that baseline (RTM or SP). This is mechanically mandated by the fact that we use the same physical CU source repository, we do not have any fix specific release repositories, and we do not remove fixes once they are released.
With very few historical exceptions, cumulative updates always include the fixes in lower builds from the same branch, security or otherwise. Prior to SQL Server 2017, this could be different because of the way service packs were versioned (e.g. service pack 2 RTM has a higher build number than sp1 cu28 even though the latter is 6 months newer). But that is just a cosmetic thing - it still holds true for the branch, but it doesn't always hold true if you are ignoring service pack level and only comparing @@VERSION numbers.
Has Microsoft explicitly documented anywhere that the security fix is included in CU10? I'd like to be able to prove to management that the fix is there.
I've asked multiple times for more transparency about what fixes are included (or not included) in a specific CU, especially when something like this happens -- a security hotfix with its own set of issues was released between CUs. They have taken the feedback and I do hope to see some official documentation at least on the Release Services Team blog posts announcing each new release.
All I can say is that's not a fast-moving machine over there, and both automated processes and lawyers can sometimes get in the way of what can be disclosed in automatically-generated content like CU KB articles. For now you're going to have to take my (and their) word for it.
answered Aug 29 at 17:14 by Aaron Bertrand♦; edited Aug 29 at 18:03
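The answer's rule (a CU contains every earlier fix for the same baseline, so on that baseline a higher build number is sufficient, but raw build numbers are not comparable across service packs) can be turned into a small verification check. The script below is an added example, not code from the question or the answer: it takes the output of `SERVERPROPERTY('ProductVersion')` and `SERVERPROPERTY('ProductLevel')`, compares the installed build against the build that shipped a fix, and refuses to give a verdict when the two are on different servicing branches. The SQL Server 2017 numbers (CU10 = 14.0.3037.1, the CVE-2018-8273 fix = 14.0.3035.2) come from the question; the pre-fix build and the service-pack builds used to illustrate the caveat are constructed values, and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Real T-SQL you would run on the instance to obtain the two inputs below.
VERSION_QUERY = (
    "SELECT SERVERPROPERTY('ProductVersion') AS ProductVersion, "
    "SERVERPROPERTY('ProductLevel') AS ProductLevel;"
)


@dataclass(frozen=True)
class Build:
    major: int
    minor: int
    build: int
    revision: int
    level: str  # servicing baseline as ProductLevel reports it: "RTM", "SP1", "SP2", ...

    @property
    def branch(self) -> tuple:
        # major.minor identifies the product (14.0 = SQL Server 2017); the level
        # identifies the baseline (RTM or SP) that the CU train was built from.
        return (self.major, self.minor, self.level)


def parse_build(version: str, level: str = "RTM") -> Build:
    """Parse a four-part 'a.b.c.d' string as reported by SERVERPROPERTY('ProductVersion')."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", version)
    if m is None:
        raise ValueError(f"not a four-part build number: {version!r}")
    major, minor, build, revision = (int(g) for g in m.groups())
    return Build(major, minor, build, revision, level.strip().upper())


def includes_fix(installed: Build, fix: Build) -> Optional[bool]:
    """True/False when both builds sit on the same servicing branch.

    Returns None when the branches differ: per the answer, a higher build number on a
    different service-pack baseline says nothing about whether a fix from the other
    branch is present, so the number must not be used as evidence either way.
    """
    if installed.branch != fix.branch:
        return None
    return (installed.build, installed.revision) >= (fix.build, fix.revision)


def report(product_version: str, product_level: str,
           fix_version: str, fix_level: str, fix_name: str) -> str:
    """Human-readable verdict for one fix against one installed build."""
    installed = parse_build(product_version, product_level)
    fix = parse_build(fix_version, fix_level)
    verdict = includes_fix(installed, fix)
    if verdict is None:
        return (f"{fix_name}: UNDETERMINED - installed {product_version} ({installed.level}) "
                f"and fix {fix_version} ({fix.level}) are on different servicing branches; "
                "look up the fix build for your own baseline instead")
    state = "INCLUDED" if verdict else "MISSING"
    return (f"{fix_name}: {state} (installed {product_version} {installed.level} "
            f"vs fix {fix_version} {fix.level})")


if __name__ == "__main__":
    # Values from the question; SQL Server 2017 has no service packs, so both are RTM-baseline.
    print(report("14.0.3037.1", "RTM", "14.0.3035.2", "RTM", "KB4293805 / CVE-2018-8273"))
    # Constructed pre-fix build on the same branch.
    print(report("14.0.3030.0", "RTM", "14.0.3035.2", "RTM", "KB4293805 / CVE-2018-8273"))
    # Constructed numbers for the service-pack caveat: SP2 has the higher build number,
    # but that proves nothing about an SP1-branch fix.
    print(report("13.0.5000.0", "SP2", "13.0.4999.0", "SP1", "constructed SP1-branch fix"))
```

For management evidence, pair the script's INCLUDED line with the KB article that names the fix build; the comparison only stands on the cumulative-servicing rule the answer quotes, and it deliberately reports UNDETERMINED rather than a false positive whenever the baselines differ.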