Microsoft recently announced a cumulative patch that addresses three new security vulnerabilities in SQL Server: named pipe hijacking, named pipe Denial of Service (DoS), and a new SQL Server buffer-overrun problem. These security holes can lead to system unavailability and elevation of privilege, letting external users take control of your SQL Server system and run unauthorized code. (If you haven't read Microsoft Security Bulletin MS03-031, available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-031.asp , take a moment right now to review the bulletin and take steps to rollout out the new patch.)
According to the security bulletin, the SQL Server 2000 security patch exists for SQL Server 2000 Service Pack 3 (SP3) and SP3a, but it isn't available for SP2. Microsoft confirmed that SP2 is subject to these security vulnerabilities, yet the bulletin states: "Microsoft tested SQL Server 7.0, MSDE 1.0, SQL Server 2000 SP3, SP3a, MSDE 2000 SP3 and MSDE (Windows) to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities." However, the company's Product Support Lifecycle Web site says, "Microsoft has listened to its customer feedback, and is pleased to announce a change in the Service Pack Support Policy. Customers can receive support for the current and immediately preceding service pack, rather than only the most current service pack." This statement implies that SP2, the service pack preceding the current SP3, should be supported. (To read more about Microsoft's service-pack support policies, see http://support.microsoft.com/default.aspx?scid=fh;en-us;lifecycle , paying special attention to the section "Service Packs and Security Patch Policy.") But a related page says that SQL Server SP4 will be the first service pack subject to this new policy. The link isn't obvious to find, but you can read the service-pack support policy for SQL Server at http://support.microsoft.com/default.aspx?id=fh;\[LN\];LifeSQLFAQ .
Although, according to information at this last link, Microsoft is technically within its support rights not to release a security patch for SP2, I don't agree with this decision. Let me summarize the facts as I see them. Three serious security vulnerabilities were recently found in SQL Server. Microsoft quickly released a patch for SQL Server 7.0 and SQL Server 2000 SP3 and SP3a but didn't release a patch for SQL Server 2000 SP2. My initial reaction to this situation was that Microsoft's recent statements indicating that the company "finally gets it" when it comes to enterprise security fall flat. I discussed the SP2 support issue with representatives from the SQL Server team, including Stan Sorensen, Microsoft director of product management for SQL Server.
Microsoft officials believe that SP3a addresses so many security issues (Slammer, in particular) that customers should make every effort to deploy this service pack as soon as possible. "It's absolutely in our customers' best interests to deploy Service Pack 3a," Sorensen stressed. "SP3a includes all the security fixes that were found during the 3-month security review as well as all updates that address Slammer. For this reason, we strongly recommend that customers move to SQL Server SP3a."
(The 3-month security review Sorensen refers to was a hiatus that the development team took last year to work on security issues; all code development stopped for 3 months as Microsoft looked for security problems in the SQL Server 2000 code base.)
Although I agree that customers should do whatever is necessary to be on SP3 (or SP3a), I still disagree with the decision not to roll out a patch for SP2. We've debated the service-pack upgrade issue many times in this space. I don't want to rehash all the arguments, but one of the most compelling reasons for many SQL Server customers not to upgrade to SP3 immediately is that their OEM software package doesn't support it. One of my customers runs a software product that the vendor says doesn't support SP3. Such customers are between a rock and a hard place when it comes to security threats because Microsoft will no longer patch SP2 as new security vulnerabilities arise.
"We don't want to give the impression that Microsoft doesn't care about its customers who are still on SP2," Sorensen said. "What we are saying is that customers who are still on SP2 are putting themselves at a higher risk by not making the move to SP3a." Although it appears that Microsoft isn't addressing a situation in which SQL Server customers might be subject to serious, known security vulnerabilities, Microsoft feels that its focus to get customers on SP3a will help customers avoid more serious issues over the long run.
To help address these SP2 concerns, Microsoft asked me to provide a list of customers or Independent Software Vendors (ISVs) that are unable to move from SP2 to SP3a. If you're facing this dilemma, please send me an email to explain your problem. I can't guarantee that your service-pack issue will be solved, but at least Microsoft will get an idea of how many customers are still at risk.