On February 11, 2020, Microsoft released security updates for SQL Server 2016, SQL Server 2014, and SQL Server 2012. These new SQL Server security updates have their own CVE numbers, with the severity rated as important. This update corrects an issue with SSRS, as described by Microsoft below:
A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services if it incorrectly handles page requests. An attacker who successfully exploited this vulnerability could execute code in the context of the Report Server service account. To learn more about the vulnerability, go to CVE-2020-0618 and CVE-2019-1332.
What Train Are You On?
There are five different updates, depending on what version of SQL Server you are using and whether you are on the CU train or the GDR train for that version. If you have ever installed a CU for the Service Pack level you are on, you are on the “CU train”. If you have only installed GDR security updates on that Service Pack, then you are on the “GDR train”. Note that once you jump on the CU train, you cannot go back to the GDR train for that SP level.
Personally, I think most organizations will be better off on the CU train, so that they get important bug fixes and feature improvements. You need to make sure you get the correct version of the update.
- Security Update for SQL Server 2016 SP2 CU11
- Security Update for SQL Server 2016 SP2 GDR
- Security Update for SQL Server 2014 SP3 CU4
- Security Update for SQL Server 2014 SP3 GDR
- Security Update for SQL Server 2012 SP4
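One way to tell which train an instance is on and which of the five packages above applies, as an added T-SQL example that is not from the original post: it assumes the SERVERPROPERTY values ProductUpdateType, ProductUpdateLevel and ProductBuildType are available, which is the case on SQL Server 2012 SP2 and later.

```sql
-- Added example (not from the original post): report the instance's Service Pack
-- and release train, then name the matching February 2020 security update.
-- Assumes SERVERPROPERTY('ProductUpdateType') and ('ProductBuildType') exist,
-- which is the case on SQL Server 2012 SP2 and later.
DECLARE @Version nvarchar(128) =
    CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion'));     -- e.g. 13.0.xxxx.x
DECLARE @Major int = CONVERT(int, PARSENAME(@Version, 4));        -- 11, 12 or 13
DECLARE @ServicePack nvarchar(128) =
    CONVERT(nvarchar(128), SERVERPROPERTY('ProductLevel'));       -- e.g. SP2
DECLARE @UpdateType nvarchar(128) =
    CONVERT(nvarchar(128), SERVERPROPERTY('ProductUpdateType'));  -- 'CU' or NULL
DECLARE @UpdateLevel nvarchar(128) =
    CONVERT(nvarchar(128), SERVERPROPERTY('ProductUpdateLevel')); -- e.g. CU11 or NULL
DECLARE @BuildType nvarchar(128) =
    CONVERT(nvarchar(128), SERVERPROPERTY('ProductBuildType'));   -- 'GDR', 'OD' or NULL

SELECT
    @Version AS ProductVersion,
    CASE @Major
        WHEN 13 THEN N'SQL Server 2016'
        WHEN 12 THEN N'SQL Server 2014'
        WHEN 11 THEN N'SQL Server 2012'
        ELSE N'Not covered by the February 2020 SQL Server updates'
    END AS Product,
    @ServicePack AS ServicePack,
    -- A CU has been applied on this Service Pack => CU train; otherwise GDR train.
    CASE
        WHEN @UpdateType = N'CU' THEN N'CU train (' + ISNULL(@UpdateLevel, N'CU') + N')'
        ELSE N'GDR train'
    END AS ReleaseTrain,
    -- 'GDR' here means a security-only (GDR) build is already installed on this train.
    ISNULL(@BuildType, N'none') AS CurrentBuildType,
    CASE
        WHEN @Major = 13 AND @ServicePack = N'SP2' AND @UpdateType = N'CU'
            THEN N'Security Update for SQL Server 2016 SP2 CU11'
        WHEN @Major = 13 AND @ServicePack = N'SP2'
            THEN N'Security Update for SQL Server 2016 SP2 GDR'
        WHEN @Major = 12 AND @ServicePack = N'SP3' AND @UpdateType = N'CU'
            THEN N'Security Update for SQL Server 2014 SP3 CU4'
        WHEN @Major = 12 AND @ServicePack = N'SP3'
            THEN N'Security Update for SQL Server 2014 SP3 GDR'
        WHEN @Major = 11 AND @ServicePack = N'SP4'
            THEN N'Security Update for SQL Server 2012 SP4'
        ELSE N'Move to the Service Pack listed above before applying the update'
    END AS RequiredUpdate;
```

The query only names the package to download; after installing it, compare the new ProductVersion against the build number in that package's KB article to confirm the fix is present.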
This issue was seen as enough of a threat that Microsoft decided to push it out through Microsoft Update. If you have a SQL Server instance with internet connectivity and you have Windows Update configured to check for other Microsoft products (meaning you have Microsoft Update), you will be offered this update. Otherwise, you can download it manually.
Microsoft SQL Server Support Dates
SQL Server 2016 SP2 is still in Mainstream Support from Microsoft until July 13, 2021. Both SQL Server 2014 and SQL Server 2012 are in Extended Support, so they will only get security updates (like this one).
If you want to read more about these updates, I suggest you take a look at both CVE-2020-0618 and CVE-2019-1332. I think we should see SQL Server 2016 SP2 CU12 in the next week or so. It should include this update. Because of that, I would probably wait for that release before I started testing and deploying SQL Server 2016 SP2 CU12.