What are the differences between SQL Server 2000 Service Pack 3 (SP3) and SP3a?

Many customers remain confused about the differences between SP3 and SP3a. In particular, customers are unsure if they must apply SP3a to a server that has already been patched with SP3. The short answer is no; SP3 has the core of the security enhancements that make either service pack a crucial addition to every SQL Server currently running. Here are the important differences between SP3 and SP3a that might tempt you to install SP3a on top of SP3. Of course, servers that don't have either one should be upgraded to SP3a rather than SP3.

Microsoft released SP3a shortly after SP3, and the company lists three differences between the two service packs. First, you can apply SP3a to trial and evaluation versions of SQL Server. Historically, Microsoft has coded service packs in a way that prevents you from applying them to evaluation editions. Presumably, Microsoft intended this restriction to prevent customers from using evaluation copies in a live environment. Unfortunately, many sites hit by the Slammer worm were running evaluation editions for testing purposes. By being able to apply a service pack against an evaluation edition, customers can properly perform tests against the evaluation edition and be sure that the edition has all the latest fixes.

Second, Microsoft has rolled out Microsoft Data Access Components (MDAC) 2.71a, which fixes a memory leak, as part of SP3a. You can find additional information about SP3a and the MDAC components in the Microsoft articles "FIX: SQL Server Does Not Start and an Access Violation Occurs After You Install SQL Server 2000 Service Pack 3" (http://support.microsoft.com/default.aspx?scid=kb;en-us;814572) and "FIX—Performance Degradation and Memory Leak in the SQL Server ODBC Driver" (http://support.microsoft.com/default.aspx?scid=kb;en-us;814410).

Third, with SP3a installed, SQL Server will no longer listen on UDP port 1434 when all SQL Server Net-Libraries (with the exception of the shared memory Net-Library) are disabled. For SQL Servers that don't need networking support, this default setting provides an additional layer of protection against security vulnerabilities that probe for SQL Servers that are using existing, well-known communications ports.

Microsoft says that organizations that have already applied SP3 don't need to apply SP3a, although sites that haven't installed either service pack should apply SP3a rather than SP3. In fact, SP3 is no longer available from the Microsoft Web site. Note that determining which service-pack version you're running can be difficult. SP3 and SP3a both use the same names for files and downloads. And @@version and SERVERPROPERTY('ProductLevel') report the same version numbers for both service packs. The only way to tell the versions apart is to look in the Net-Library's ssnetlib.dll file. SP3's version number is 2000.80.760.0, while SP3a's value is 2000.80.766.0. You can learn more about SP3 by viewing the Microsoft Support WebCast "Microsoft SQL Server 2000 Service Pack 3" at http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc121002/wcblurb121002.asp. Although this WebCast is for SP3, not SP3a, these service packs are almost identical.