One DBA's Ongoing Search for Clarity in the Middle of Nowhere


Yet Another Andy Writing About SQL Server

Thursday, October 11, 2012

Why I Love the SQL Server Community

As many of you are aware, a SQL Server security patch came out this week (MS12-070 - Vulnerability in SQL Server Could Allow Elevation of Privilege).

No, security patches are *not* why I love the SQL Server Community - it's what happened next:

The Security Bulletin (MS12-070) sounds like this is a cross-site scripting exploit that only impacts SQL Servers running Reporting Services (SSRS), while the KB article (KB2754849) describes impact to almost every currently supported version of SQL Server (other than 2008 R2 SP2).

To add to the confusion, K. Brian Kelley (blog/@kbriankelley) put out a blog that basically described a cross-site scripting SSRS-only patch, while Aaron Bertrand (blog/@AaronBertrand) put out a blog that said "KB article says everything SQL Server is affected, so I'm patching everything."

Now what? So I turned to Twitter:

This is the part that never ceases to amaze me - after my question, the following conversation rapidly ensued between two SQL Server MVPs that I have never met in person and don't even really know online (other than by reputation):

So my final insight is that (based on the file lists in the release) we should all probably patch everything (and Microsoft should clarify the KB *and* the Security Bulletin!)

Thanks to Brian and Aaron for your responses!

Of course, Brian went one step further during the conversation with a tweet to Microsoft Security (in which he made the common mistake of tagging me as sqlandy rather than DBA_Andy): {-:

I repeat, I love the SQL Community - people give freely of themselves (try asking a question on Twitter to #sqlhelp and prepare to be amazed by who might answer your question) just to help each other out - why? Because it's the right thing to do and because you never know when the other person will be there to help you out.

UPDATE - Brian is just too fast - while I was typing this he put out an updated blog in which he states that we should all patch even our non-SSRS SQL Servers.
