Qsorb
PCI COMPLIANCE AND SQL 2000 SP4
I just installed SQL SP4, mainly because of the three issues below addressed by Trustwave for PCI compliance and SSL operation, which is my main concern for this question.
Vulnerability in Windows Common Controls Could Allow Remote Code Execution in (MS12-027) CVE-2012-0158, (MS12-060) CVE-2012-1856, and (MS09-004) CVE-2008-5416.
My main question is, are these vulnerabilities eliminated with SQL 2000 SP4 or do I need to address them individually with hot fixes? Or is there no SP4, just SP3?
For some background:
We're running Microsoft SQL 2000 Server and will not upgrade at this time.
SQL QUERY Analyzer: Select @@version
Shows this exactly:
"Microsoft SQL Server 2000 - 8.00.2066 (Intel X86) May 11 2012 18:41:14 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)"
Guess that's Service Pack 2, the OS, not SQL and the last SP issued for 2003 R2, right? Then where do I find the SP version for SQL or has the log below just answered it?
My SYSTEM does report SP2 installed for Windows Server 2003 R2.
Here's more info I've found as I tried to install SP4.
Summary.txt in windows directory:
Product instances were disqualified due to build version mismatch
Exit Code Returned: 11203
Mismatch? Strange.
sqlsp.log:
This machine has SQL Server 2000 SP4 already installed
Version of installed Service Pack: 8.00.2039
MSSQLSERVER has a newer version of Service pack installed.
Setup will now exit.
Well, that sounds great, "2000 SP4 already installed", except for the report above stating I still have SP2.
SQL Server is starting at priority class 'normal'(2 CPUs detected).
SQL Server configured for thread mode processing.
Performance monitor shared memory setup failed: -1
Various event or install log reports:
Product: Microsoft SQL Server Desktop Engine -- The instance name specified is invalid.
and
Product: Microsoft SQL Server Desktop Engine -- No version of MSDE was found to upgrade.
and
Product: Microsoft SQL Server Desktop Engine -- The instance name specified is invalid.
and
Faulting application upgrade.exe, version 2000.80.760.0, faulting module mfc42u.dll, version 6.6.8064.0, fault address 0x0004b62a.
and
SQL Server 7.5 Upgrade Wizard encountered a problem and needed to close.
Error signature:
szAppName : upgrade.exe szAppVer : 2000.80.760.0 szModName : mfc42u.dll
szModVer : 6.6.8064.0 offset : 0004b62a
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1\WER44fc.dir00\upgrade.exe.mdmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1\WER44fc.dir00\appcompat.txt
It does appear you have SQL 2000 SP4 installed. Yes, NT 5.2 SP2 is the OS. SQL 2000 SP4 is specifically version 8.00.2039 (Build 2039 - you have Build 2066, so there are post-SP4 updates installed). Check out http://sqlserverbuilds.blogspot.com/ for detailed build numbers.
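Added example (not part of the original thread): a small Python parser that separates the SQL Server engine build from the Windows service pack in a `@@version` banner and compares the engine build with the SP4 build number given in the answer above. The function names are hypothetical, and the only baseline used is the 8.00.2039 figure from this page.

```python
import re

# Build number the answer above gives for SQL Server 2000 SP4.
SP4_BUILD = (8, 0, 2039)

# The banner quoted in the question, embedded so the example runs offline.
SAMPLE_BANNER = (
    "Microsoft SQL Server 2000 - 8.00.2066 (Intel X86) May 11 2012 18:41:14 "
    "Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on "
    "Windows NT 5.2 (Build 3790: Service Pack 2)"
)

_SQL_RE = re.compile(r"Microsoft SQL Server\s+(\d{4})\s+-\s+(\d+)\.(\d+)\.(\d+)")
_OS_RE = re.compile(r"on\s+Windows NT\s+(\d+\.\d+)\s+\(Build\s+(\d+):\s*([^)]*)\)")


def parse_banner(banner):
    """Split a @@version banner into engine fields and OS fields."""
    sql = _SQL_RE.search(banner)
    if sql is None:
        raise ValueError("no SQL Server build number in banner")
    info = {
        "product": sql.group(1),
        "sql_build": tuple(int(g) for g in sql.group(2, 3, 4)),
        "os_version": None,
        "os_build": None,
        "os_service_pack": None,
    }
    # The trailing "(Build NNNN: Service Pack N)" describes Windows, not SQL.
    os_match = _OS_RE.search(banner)
    if os_match:
        info["os_version"] = os_match.group(1)
        info["os_build"] = int(os_match.group(2))
        info["os_service_pack"] = os_match.group(3).strip() or None
    return info


def sp_level(sql_build):
    """Place an engine build relative to the SP4 baseline (8.00.2039)."""
    if sql_build[:2] != SP4_BUILD[:2]:
        return "not a SQL Server 2000 build"
    if sql_build < SP4_BUILD:
        return "below SP4"
    if sql_build == SP4_BUILD:
        return "SP4"
    return "SP4 plus later updates"


if __name__ == "__main__":
    parsed = parse_banner(SAMPLE_BANNER)
    print(parsed, sp_level(parsed["sql_build"]))
```
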
Hi,
Is an upgrade to SQL 2008R2 or SQL 2012 on the cards? SQL 2000 and SQL 2005 are end of life.
Regards
David
ASKER
>Yes, NT 5.2 SP2 is the OS
But what about the PCI issues? That's my main reason for asking the question. I need to get compliant again soon. So they can then look for something else to gripe about!
ASKER CERTIFIED SOLUTION
ASKER
I just installed the patch and will see what happens on the next Trustwave PCI scan.
Thanks for your help!