Re: Microsoft Security Bulletin (MS00-014)

[grayburn () FIRSTAM COM (Rayburn, Gordon)]

Fyi, for those of you installing the SP2 BETA (or have already), this hotfix
will not work with the SQL7 SP2 Beta release.  The ums.dll does not have
functions that the patched sqlservr.exe requires.  It's understandable, but
MS doesn't make it known to the user that a higher version SP will/should
not work with a lower version hotfix.

Only tested on NT4 SP5

@@Version 7.00.835 -- SP2 Beta version.  ums.dll problem after installing
hotfix.
@@Version 7.00.780 -- Hotfix Version.
@@Version 7.00.699 -- SP1 no problems reported installing the hotfix.

Gordon Rayburn

---
Credco IS,
Sr. MSSQL DBA
---

> -----Original Message-----
> From: Microsoft Product Security [SMTP:secnotif () MICROSOFT COM]
> Sent: Thursday, March 09, 2000 1:53 PM
> To:   NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
> Subject:      Microsoft Security Bulletin (MS00-014)
>
> The following is a Security  Bulletin from the Microsoft Product Security
> Notification Service.
>
> Please do not  reply to this message,  as it was sent  from an unattended
> mailbox.
>                     ********************************
>
> Microsoft Security Bulletin (MS00-014)
> --------------------------------------
>
> Patch Available for "SQL Query Abuse" Vulnerability
> Originally Posted: March 08, 2000
>
> Summary
> =======
> Microsoft has released a patch that eliminates a security vulnerability in
> Microsoft® SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0. The
> vulnerability could allow the remote author of a malicious SQL query to
> take unauthorized actions on a SQL Server or MSDE database or on the
> underlying system that was hosting the SQL Server or MSDE database.
>
> Frequently asked questions regarding this vulnerability and the patch can
> be found at
> http://www.microsoft.com/technet/security/bulletin/fq00-014.asp
> Microsoft Security Advisor web site at http://www.microsoft.com/security.
<snip>