(Glenn’s Technical Insights… used to be part of our bi-weekly newsletter but we decided to make it a regular blog post instead so it can get more visibility. It covers interesting new hardware and software developments that are generally relevant for SQL Server).
July Release of Azure Data Studio
On July 11, 2019, Microsoft released Azure Data Studio 1.9.0. This release has a number of new features and improvements, as detailed in the Release notes. So far, Microsoft is keeping pretty close to a monthly release cycle.
New features and improvements include:
- SentryOne Plan Explorer extension for Azure Data Studio
- Improvements to Schema Compare
- Multiple Notebook Improvements
- Better SQL Server 2019 support
- Update Language Packs
- SQL Server Profiler extension improvements
- Visual Studio Code 1.35 updates
- Multiple bug fixes
Figure 1: Azure Data Studio 1.9.0
SQL Server Security Updates Released
On July 9, 2019, Microsoft released a GDR Security Update for all supported Service Packs for SQL Server 2014 and newer. This is for CVE-2019-1068, which is a remote code execution vulnerability. This is the complete description:
A remote code execution vulnerability exists in Microsoft SQL Server when it incorrectly handles processing of internal functions. An attacker who successfully exploited this vulnerability could execute code in the context of the SQL Server Database Engine service account.
To exploit the vulnerability, an authenticated attacker would need to submit a specially crafted query to an affected SQL server.
The security update addresses the vulnerability by modifying how the Microsoft SQL Server Database Engine handles the processing of functions.
There are updates for SQL Server 2014 SP2, SQL Server 2014 SP3, SQL Server 2016 SP1, SQL Server 2016, and SQL Server 2017 RTM. For each SP level, there are two separate branches that each get a separate update. There is the GDR branch, which only gets Security Updates, and there is the CU branch, which gets all of the fixes and improvements in each CU (including security updates).
I think most organizations are better off on the CU branch, since they will get many more bug fixes and actually get product improvements and new features. The GDR branch will require less patching (since only security issues are fixed), so it may be a better choice for some organizations. If you are on the GDR branch, you need to be careful to only install GDR-only updates. If you install a CU on a GDR-branch instance, that will move you to the CU branch from then on.
You should also be aware that Microsoft is pushing this update out if you are running Microsoft Update on your machine. Microsoft Update is a superset of Windows Update, which will automatically download and install things like SQL Server security updates. This is not something you want happening on most Production SQL Server instances! It is much better to do a manual installation, at a time of your choosing, after you have tested the update on a non-production instance.
You should also be aware that Microsoft Update will probably trigger multiple reboots when it installs these SQL Server security updates. This is because the Windows OS updates will be installed first (which causes a pending reboot). Then, the SQL Server update will be installed (which may cause a pending reboot). Finally, if you have named instances on a machine, with different versions of SQL Server, you may have to reboot after the SQL Server update for each version. This is what you see in Figure 2.
Figure 2: Microsoft Update Dialog
Incredibly, I wrote one of these without talking about hardware or AMD!