Keeping in mind the recent patches for vulnerabilities like Spectre and Meltdown, I would like to patch my SQL Server 2014 SP2 (12.0.5000).
1. Description of the security update for SQL Server 2014 SP2 CU10: January 16, 2018 – SP2 CU10 KB4057117 12.0.5571.0
2. Description of the security update for SQL Server 2014 SP2 GDR: January 16, 2018 – SP2 GDR KB4057120 12.0.5214.6
Can anyone help me with the questions below:
- Recently we patched our Windows 2012 R2 Standard servers. Is OS patching different from SQL Server patching, or are these patches already included in the monthly OS patching?
- Since we have both CU10 and GDR, should I apply both?
- Which one should I apply first, GDR or CU10?
Best Answer
You need both SQL and Windows patches, as well as CPU microcode updates, to be fully** protected.
GDR is meant to be security-only patches, whereas Cumulative Updates are bug fixes as well as security patches. Once you go from the GDR path on to the CU path, you're stuck there, i.e. you can't go back to GDR only.
(Confusingly, this latest Meltdown / Spectre update shows up on certain SQL Server versions as a GDR and CU update.)
If you are already on a CU, then stick with the CU update.
** Note that Microsoft is rolling back the Meltdown / Spectre updates on Windows Update because there are some issues with certain CPUs, so it's hard to tell whether you were one of the lucky ones to get them while they were up. See the warning below.
Use this link to check if you're fully patched, using a PowerShell script from Microsoft.
The link includes the following statement:
And this warning: