sqlskills-logo-2015-white.png

Checking Your SQL Server Instance for Spectre/Meltdown Patches

If you are running SQL Server 2008 through SQL Server 2017, you should be thinking about what you should be doing to protect your systems from the Meltdown and Spectre vulnerabilities. Microsoft has a number of KB articles that address this issue from several different perspectives. This is a good starting list:

SQL Server Guidance to protect against speculative execution side-channel vulnerabilities (SQL Server)

Windows Server guidance to protect against speculative execution side-channel vulnerabilities (Windows Server)

Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities (Windows Client)

The basic guidance is that depending on the environment where you are running SQL Server (on-premises or not, virtualized or not, in a cloud IaaS VM or not) and whether you are using any open extensibility interfaces or not (things like some types of CLR assemblies, some types of linked servers, etc.), you are going to want to strongly consider patching several layers of your system. These may include:

  • Operating System patches
  • Registry changes
  • SQL Server patches
  • BIOS/UEFI updates
  • Possible changes in how/whether you use any open extensibility interfaces in SQL Server

The Microsoft guidance about SQL Server gives some pretty clear scenarios and guidelines for making the decision on what to patch or change.


Checking Your Operating System and Hardware

Once you have decided what to patch, the next issue is checking your patch and update status at all of these different layers of the system. Microsoft has a PowerShell script that lets you check the patch status of your operating system and your processor microcode (for Intel processors).

This Microsoft KB article explains this in more detail and has a link to download the PowerShell Module for operating systems prior to Windows Server 2016.

Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

If you want to do a quick and easy check of a client operating system for an end-user (or your Mom) without having to deal with PoSH, you can download and run the InSpectre utility (with an easy GUI) to check the patch status of your operating system and your processor microcode.


Checking SQL Server

Finally, you need to check your SQL Server patch status. I have developed (and had a number of people help test) a T-SQL script that will check your SQL Server instance to see whether you have installed the relevant SQL Server patches or not. This script will work on SQL Server 2008 through SQL Server 2017 for on-premises instances or for Azure IaaS instances. This is not designed to work on Azure SQL Database. You can download it here.

Please let me know if you have any suggestions about this. I also want to thank the people who have tested this script and given me feedback!




2 thoughts on “Checking Your SQL Server Instance for Spectre/Meltdown Patches

Leave a Reply

Your email address will not be published. Required fields are marked *

Other articles

Imagine feeling confident enough to handle whatever your database throws at you.

With training and consulting from SQLskills, you’ll be able to solve big problems, elevate your team’s capacity, and take control of your data career.