Benjamin Franklin once said, “They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” With something as important as a database server, safety and security are often interchangeable. Although Franklin was right about striking a balance between security and liberty in national life, the last thing you want is a hacker taking liberties on your SQL Server 2000 database server.
Because Microsoft releases security patches and other hot fixes between Service Pack releases, it’s easy to let a patch or fix fall through the cracks. One missed patch can mean trouble for your network, though. Microsoft released the Cumulative Patch for SQL Server to help you keep your network’s security up to date. In this Daily Feature, I’ll introduce the patch and show you how to install it.
Roll it up
The cumulative patches Microsoft released for Windows NT, Windows 2000, and IIS are called “Roll-up Packages.” Although the Cumulative Patch doesn’t have the same name, it does the same thing as those Roll-up Packages. The Cumulative Patch For SQL Server provides a one-stop shop for all of the patches released for SQL Server 2000 since Microsoft shipped Service Pack 2 for SQL Server 2000.
The Cumulative Patch For SQL Server does more than just supply patches for SQL Server 2000. It also patches the Microsoft Data Engine (MSDE). MSDE is a database engine built on SQL Server technology. It ships as part of several Microsoft products, including Microsoft Visual Studio and Microsoft Office Developer Edition. MSDE comes in two versions. MSDE 1.0 is based on SQL Server 7.0 technology, while MSDE 2000 is based on SQL Server 2000.
The Cumulative Patch For SQL Server works only for SQL Server 2000 and MSDE 2000. It doesn’t supply any fixes for MSDE 1.0 or earlier versions of SQL Server. Make sure you’re running the proper versions before applying the patch.
What does it fix?
Microsoft frequently updates the Cumulative Patch For SQL Server. As of this writing, Microsoft has released five versions of the Cumulative Patch For SQL Server. You should check frequently to make sure you’ve downloaded the latest version of the patch. When Microsoft ships Service Pack 3 for SQL Server 2000, the Service Pack will include all of the fixes rolled up in the patch.
Some of the problems addressed by Cumulative Patch For SQL Server include:
- Buffer overflow vulnerability in the procedure SQL Server uses to encrypt credential information.
- Buffer overflow vulnerability that can occur during bulk inserts of data into SQL Server tables, and in the SQL Server 2000 Database Consistency Checker (DBCC) commands.
- Privilege elevation vulnerability in which SQL Server can set incorrect permissions on the registry key that stores the SQL Server service account information.
- Buffer overflow vulnerability in SQL Server extended stored procedures.
- Buffer overflow vulnerability that can occur when connecting to a remote data source.
By successfully exploiting a buffer overflow vulnerability, an attacker can execute arbitrary code on the database server in the security context of the SQL Server service. An elevation of privilege attack is equally scary. Because the SQL Server service account is frequently a highly privileged one (LocalSystem or a member of the local Administrators group), a successful elevation of privilege attack can grant the attacker rights equal to or higher than those of the system administrator, right up to full control of the operating system.
Obtaining and installing the patch
You can download the Cumulative Patch for SQL Server by going to the SQL Server Security Update Web site. This site has detailed information about all of the security vulnerabilities covered by the patch.
As you’ll see, Microsoft includes download links to all previous versions of the patch as well as the latest one. You don’t need to download each file individually. Just obtain and install the latest version—it supersedes the previous versions. Microsoft supplies earlier versions of the patch for those network administrators who don’t like to apply all of the latest patches on a production server.
Microsoft includes links to several localized language versions of the patch, including Chinese, French, German, Korean, and Spanish. The English version, 8.00.0655_enu.exe, is 9.4 MB, so if you’re using a dial-up modem, the patch will take a little while to download.
Before you install the patch, you should check to make sure you’ve installed SQL Server 2000 Service Pack 2. The patch won’t install if you haven’t first applied the service pack. You can check to see if you’ve installed Service Pack 2 by using SQL Server’s Query Analyzer. Start Query Analyzer by clicking Start | Programs | Microsoft SQL Server | SQL Query Analyzer. When the analyzer starts, type SELECT @@VERSION in the Query window. After the query executes, check to make sure that the SQL Server build number returned is equal to or greater than 8.00.534, which is the Service Pack 2 build. If so, you’ve installed Service Pack 2 and can continue. If not, you must download and install SQL Server 2000 Service Pack 2 on your server.
If SQL Server 2000 Service Pack 2 is already on your server, you’re ready to go. Copy the 8.00.0655_enu.exe file to your server and run it. Like other roll-up packages, the installation is straightforward. Just follow the on-screen instructions. Don’t panic if your server displays a Digital Signature error screen. As long as you downloaded the file from Microsoft’s SQL Server Security Update site, click OK and go on. Likewise, don’t worry if the patch stops the SQL Server 2000 service on your server—the patch must do so for the installation to be successful, so schedule the installation for a time when the instance can be unavailable.
After the patch installs, you’re done. You don’t even have to reboot your server. Go to the Services MMC on your server and manually restart the SQL Server service. Then run SELECT @@VERSION again in Query Analyzer; the build number should now read 8.00.655, matching the patch file you installed.
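The version check before and after the installation can be scripted rather than read off the @@VERSION banner by eye. The following Transact-SQL is an added example, not code from the article or from Microsoft; it assumes the build numbers 8.00.534 for Service Pack 2 and 8.00.655 for this Cumulative Patch, and uses SERVERPROPERTY and PARSENAME, both available in SQL Server 2000. Run it in Query Analyzer against the instance you are about to patch, and again after restarting the service.

```sql
-- Added example (not from the original article): classify a SQL Server 2000 / MSDE 2000
-- instance by build number before and after applying the Cumulative Patch.
-- Assumed build numbers: 534 = Service Pack 2, 655 = Cumulative Patch 8.00.0655.
DECLARE @version nvarchar(128)
DECLARE @build   int

-- SERVERPROPERTY('ProductVersion') returns the dotted build string, e.g. '8.00.534'.
SET @version = CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion'))

-- PARSENAME numbers the dotted parts from the right. A three-part string
-- ('8.00.534') has its build in part 1; a four-part string ('8.00.534.0')
-- has it in part 2.
SET @build = CASE
    WHEN PARSENAME(@version, 4) IS NULL THEN CONVERT(int, PARSENAME(@version, 1))
    ELSE CONVERT(int, PARSENAME(@version, 2))
END

-- Show the raw facts alongside the verdict so the output can be kept as a record.
SELECT @@VERSION                        AS version_banner,
       @version                         AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level,   -- 'RTM', 'SP1', 'SP2', ...
       SERVERPROPERTY('Edition')        AS edition          -- identifies MSDE ('Desktop Engine')

-- The Cumulative Patch applies only to the 8.00.x (SQL Server 2000 / MSDE 2000) line.
IF LEFT(@version, 5) <> '8.00.'
    PRINT 'Version ' + @version + ': not SQL Server 2000 or MSDE 2000; this patch does not apply.'
ELSE IF @build < 534
    PRINT 'Build ' + @version + ': Service Pack 2 missing; install SP2 before the Cumulative Patch.'
ELSE IF @build < 655
    PRINT 'Build ' + @version + ': SP2 present; Cumulative Patch 8.00.0655 not yet applied.'
ELSE
    PRINT 'Build ' + @version + ': Cumulative Patch 8.00.0655 (or a later build) is applied.'
```

MSDE 2000 installations have no Query Analyzer, but they do ship the osql command-line tool; save the script to a file and run it with osql -E -i check.sql from a command prompt on the server to get the same result.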