If you have any additional questions that aren’t addressed in the blog, feel free to contact me. I’d be more than happy to help you out!
Title: “Vendor-supported software and patches must be evaluated and patched against newly found vulnerabilities.”
Severity = High
Details = Check Microsoft’s list of supported SQL Server versions http://www.microsoft.com/sqlserver/en/us/support/support-updates.aspx
To be considered supported, Microsoft must list the version as still receiving security patches for known vulnerabilities; a version that has left mainstream and extended support no longer gets them.
Check the SQL Server version by running the following script:
If security patch support for SQL Server cannot be determined, or the SQL Server version is not shown as supported, this is a finding.
If SQL Server does not have the latest security patches applied, this is a finding.
FIX: Upgrade SQL Server to the Microsoft-supported version.
Apply the latest SQL Server patches after evaluation of impact.
This fix is self-explanatory. Run the command above and see what version and build you are running. Go to SQL Server Updates (by Brent Ozar) and check whether you have the latest Service Pack or Cumulative Update for your major version; note that this is a third-party convenience page, and the check itself asks for Microsoft's own support list, so confirm against that before you sign off. Keep in mind that Microsoft stopped shipping Service Packs starting with SQL Server 2017, so for those versions the latest Cumulative Update is the bar. If you are behind, update. If you are current, close this as “Not a Finding.”
*NOTE: Test any service packs or cumulative updates on a test / staging server first!
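The post refers to a version-check script without reproducing it, so here is an added T-SQL example (my own, not the script from the original post) that reports the build details a reviewer needs and compares the build number against a value you look up from Microsoft's list. The `@expected_build` literal is an assumed placeholder, not a real build number; fill it in from the vendor page for your major version before using the pass/fail output.

```sql
-- Added example, not the original post's script.
-- Reports the SQL Server build and compares it with an expected build number
-- that you must look up from Microsoft's supported-versions/CU list.
DECLARE @version nvarchar(128) = CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion')); -- e.g. 13.0.5026.0
DECLARE @level   nvarchar(128) = CONVERT(nvarchar(128), SERVERPROPERTY('ProductLevel'));   -- RTM, SP1, SP2 ...
DECLARE @edition nvarchar(128) = CONVERT(nvarchar(128), SERVERPROPERTY('Edition'));

-- ProductVersion is always major.minor.build.revision, so PARSENAME can split it
-- (position 4 is the leftmost part, position 1 the rightmost).
DECLARE @major int = CONVERT(int, PARSENAME(@version, 4));
DECLARE @build int = CONVERT(int, PARSENAME(@version, 2));

-- ASSUMED placeholder: set this to the build number of the latest CU/SP for
-- your major version, taken from Microsoft's list. 0 means "not yet looked up".
DECLARE @expected_build int = 0;

SELECT @@VERSION AS full_version_banner,
       @version  AS product_version,
       @level    AS product_level,
       @edition  AS edition,
       @major    AS major_version,
       @build    AS build_number;

IF @expected_build = 0
    PRINT 'Set @expected_build from the vendor list before using this as a pass/fail check.';
ELSE IF @build < @expected_build
    PRINT 'FINDING: build ' + CONVERT(nvarchar(10), @build)
        + ' is older than expected build ' + CONVERT(nvarchar(10), @expected_build) + '.';
ELSE
    PRINT 'Not a finding: build is at or above the expected build.';
```

Compare the build number, not just the ProductLevel string: two servers can both report SP2 while one is several Cumulative Updates behind. On recent builds `SERVERPROPERTY('ProductUpdateLevel')` also reports the CU level directly, but the build number comparison works on every version you are likely to find in an audit.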