For your joy (and especially for the joy of my customer :)), yesterday Microsoft released a new Security Bulletin for SQL Server:
Microsoft Security Bulletin MS09-004 – Important
This update is rated Important, which Microsoft defines as: "A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources".
Systems with SQL Server 7.0 Service Pack 4, SQL Server 2005 Service Pack 3, and SQL Server 2008 are not affected by this issue.
This update will bring your installations to the following build levels:
- SQL Server 2005 SP2: 3077 (GDR) or 3310 (QFE).
  Please note that the security update is not included in CU11, which is build 3301. The next cumulative update for SQL Server 2005 (i.e. CU12, ETA mid-February) will include this security update.
- SQL Server 2000 SP4: 2282 (QFE).
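As an added example (not part of the bulletin or of this post), here is a T-SQL check that reads the instance build from SERVERPROPERTY and compares it with the build numbers listed above. The split between the SP2 GDR and QFE/CU branches at build 3100 is my assumption, not something the bulletin states.

```sql
-- Added check, not from the bulletin: classify the running instance
-- against the MS09-004 build numbers quoted in the post.
-- Assumption: SQL 2005 SP2 GDR builds stay below 3100, QFE/CU builds sit above it.
DECLARE @version nvarchar(128), @rest nvarchar(128), @major int, @build int, @verdict nvarchar(200);

SET @version = CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));   -- e.g. 9.00.3301.00
-- major version = first dotted component; build = third dotted component
SET @major = CAST(LEFT(@version, CHARINDEX('.', @version) - 1) AS int);
SET @rest  = SUBSTRING(@version, CHARINDEX('.', @version) + 1, 128);      -- 00.3301.00
SET @rest  = SUBSTRING(@rest, CHARINDEX('.', @rest) + 1, 128);            -- 3301.00 (or 3301)
SET @build = CAST(CASE WHEN CHARINDEX('.', @rest) > 0
                       THEN LEFT(@rest, CHARINDEX('.', @rest) - 1)
                       ELSE @rest END AS int);

SET @verdict =
    CASE
        WHEN @major >= 10                                    THEN 'SQL Server 2008 or later: not affected'
        WHEN @major = 9 AND @build >= 3310                   THEN 'SQL 2005 build >= 3310 (QFE, CU12+ or SP3): fix included'
        WHEN @major = 9 AND @build >= 3100                   THEN 'SQL 2005 CU branch below 3310 (CU11 = 3301): MS09-004 NOT applied'
        WHEN @major = 9 AND @build >= 3077                   THEN 'SQL 2005 SP2 GDR build >= 3077: MS09-004 applied'
        WHEN @major = 9                                      THEN 'SQL 2005 build below 3077: MS09-004 NOT applied'
        WHEN @major = 8 AND @build >= 2282                   THEN 'SQL 2000 SP4 QFE build >= 2282: MS09-004 applied'
        WHEN @major = 8                                      THEN 'SQL 2000 build below 2282: MS09-004 NOT applied'
        WHEN @major = 7                                      THEN 'SQL Server 7.0: not affected at SP4; verify service pack level'
        ELSE 'Unknown version: verify manually'
    END;

SELECT @version                        AS product_version,
       SERVERPROPERTY('ProductLevel')  AS product_level,
       @build                          AS build,
       @verdict                        AS ms09_004_status;
```

Run it on each instance (it needs no elevated permissions beyond VIEW SERVER STATE-free SERVERPROPERTY access) and compare the build column against the list above before scheduling the update.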
For future reference, the Severity Rating System defines the following levels for vulnerabilities:
- Critical: A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.
- Important: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.
- Moderate: Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
- Low: A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.
- Beatrice Nicolini -