I need a clarification on how the below SQL Server service pack patching works.

A few of my servers are at the below patch level for SQL Server 2014, which has the latest Meltdown patch:

12.00.5214
2014.120.5214.6
4057120 Security update for SQL Server 2014 Service Pack 2 GDR: January 16, 2018 – Security Advisory ADV180002 CVE-2017-5715 CVE-2017-5753 CVE-2017-5754

and some are at the below:

12.00.5532
2014.120.5532.0
3194718 MS16-136: Description of the security update for SQL Server 2014 Service Pack 2 CU: November 8, 2016

The 2014.120.5532.0 version seems to be on a higher build than 2014.120.5214.6, but that patch seems old when checked, as it was published in Oct 2016.

Do I still need to apply the Meltdown patch for those servers with build 2014.120.5532.0, or are they covered for Meltdown?

I need some better understanding of this.
Best Answer
Ref:
On January 16, 2018, ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities was released as a standalone patch. Build number 12.00.5214 and file version 2014.120.5214.6. This patch was applicable to servers with Service Pack 2 and no CU installed, because there are shops who do not want to install cumulative updates but still want to install the security hotfix. You can see it here.

On the same day the same patch was released as CU10 for those who wanted all cumulative updates since Service Pack 2. Build number 12.00.5571 and file version 2014.120.5571.0. You can see it here.

Yes, if you want to mitigate speculative execution side-channel vulnerabilities, also known as Meltdown and Spectre. In that case you will be applying CU10, which will include all updates from 12.00.5532 to 12.00.5571. Latest available update is CU14, build version 12.00.5600.

As a side note, MS-136 was also released with a non-CU and CU version.
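
The branch logic described in the answer, as an added example that is not part of the original post: a fleet check that compares each build against the fix build of its own servicing line (GDR or CU) instead of treating a higher number as newer. The two fix builds come from this page; the branch boundaries (5000, 5500, 6000) and the host names are assumptions made for the illustration.

```python
# Fix builds quoted on this page for the January 16, 2018 update.
GDR_FIX_BUILD = 5214  # 12.00.5214, KB4057120, SP2 GDR line
CU_FIX_BUILD = 5571   # 12.00.5571, SP2 CU10, CU line

# Assumptions (not from the page): SP2 builds fall in 5000-5999 and the
# CU servicing line starts at 5500, with GDR builds below it.
SP2_FIRST, CU_LINE_START, SP2_END = 5000, 5500, 6000


def parse_build(version):
    """Return the build number from '12.00.5532' or '2014.120.5532.0'."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, build = (int(p) for p in parts[:3])
    # Product version is 12.0.x, file version is 2014.120.x.
    if (major, minor) not in ((12, 0), (2014, 120)):
        raise ValueError(f"not a SQL Server 2014 version: {version!r}")
    return build


def classify(version):
    """Return (branch, has_fix); has_fix is None outside the SP2 range."""
    build = parse_build(version)
    if not SP2_FIRST <= build < SP2_END:
        return ("other", None)  # not covered by this page
    if build < CU_LINE_START:
        return ("GDR", build >= GDR_FIX_BUILD)
    return ("CU", build >= CU_FIX_BUILD)


def naive_has_fix(version):
    """The mistaken check: any build above the GDR fix counts as patched."""
    return parse_build(version) >= GDR_FIX_BUILD


def needs_update(inventory):
    """Hosts whose build is not confirmed to carry the fix."""
    return sorted(h for h, v in inventory.items() if classify(v)[1] is not True)


# Constructed inventory; host names are hypothetical.
INVENTORY = {
    "sql-a": "12.00.5214",       # GDR line, at the fix build
    "sql-b": "2014.120.5532.0",  # CU line, November 2016 build
    "sql-c": "12.0.5571.0",      # CU10
    "sql-d": "12.0.5600.0",      # CU14
}

if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        print(host, ver, classify(ver), "naive:", naive_has_fix(ver))
    print("needs update:", needs_update(INVENTORY))
```
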