Qsorb

asked on

PCI COMPLIANCE AND SQL 2000 SP4

I just installed SQL SP4, mainly because of the three issues below addressed by Trustwave for PCI compliance and SSL operation, which is my main concern for this question.

Vulnerability in Windows Common Controls Could Allow Remote Code Execution in (MS12-027) CVE-2012-0158, (MS12-060) CVE-2012-1856, and (MS09-004) CVE-2008-5416.

My main question is, are these vulnerabilities eliminated with SQL 2000 SP4 or do I need to address them individually with hot fixes? Or is there no SP4, just SP3?

For some background:

We're running  Microsoft SQL 2000 Server and will not upgrade at this time.

SQL QUERY Analyzer: Select @@version

Shows this exactly:
"Microsoft SQL Server  2000 - 8.00.2066 (Intel X86)   May 11 2012 18:41:14   Copyright (c) 1988-2003 Microsoft Corporation  Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)"

Guess that's Service Pack 2, the OS, not SQL, and the last SP issued for 2003 R2, right? Then where do I find the SP version for SQL, or has the log below just answered it?

My SYSTEM does report SP2 installed for Windows Server 2003 R2.

Here's more info I've found as I tried to install SP4.

Summary.txt in windows directory:
     Product instances were disqualified due to build version mismatch
     Exit Code Returned: 11203

Mismatch? Strange.

sqlsp.log:

This machine has SQL Server 2000 SP4 already installed
Version of installed Service Pack: 8.00.2039
MSSQLSERVER has a newer version of Service pack installed.
Setup will now exit.

Well, that sounds great, "2000 SP4 already installed", except for the report above stating I still have SP2.


SQL Server is starting at priority class 'normal'(2 CPUs detected).
SQL Server configured for thread mode processing.
Performance monitor shared memory setup failed: -1

Various event or install log reports:
Product: Microsoft SQL Server Desktop Engine -- The instance name specified is invalid.
and
Product: Microsoft SQL Server Desktop Engine -- No version of MSDE was found to upgrade.
and
Product: Microsoft SQL Server Desktop Engine -- The instance name specified is invalid.
and
Faulting application upgrade.exe, version 2000.80.760.0, faulting module mfc42u.dll, version 6.6.8064.0, fault address 0x0004b62a.
and
SQL Server 7.5 Upgrade Wizard encountered a problem and needed to close.


Error signature:
szAppName : upgrade.exe     szAppVer : 2000.80.760.0     szModName : mfc42u.dll
szModVer : 6.6.8064.0     offset : 0004b62a

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1\WER44fc.dir00\upgrade.exe.mdmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1\WER44fc.dir00\appcompat.txt
Aeriden

It does appear you have SQL 2000 SP4 installed.  Yes, NT 5.2 SP2 is the OS.  SQL 2000 SP4 is specifically version 8.00.2039 (Build 2039 - you have Build 2066, so there are post-SP4 updates installed).  Check out http://sqlserverbuilds.blogspot.com/ for detailed build numbers.
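The reading of the `@@version` banner described in the reply above, as an added example that is not part of the original thread: it separates the SQL Server engine build from the Windows build and service pack, then compares the engine build with the SP4 baseline 8.00.2039 quoted in the thread. The function names are illustrative, and the sample banner is the one posted in the question.

```python
import re

# SQL Server 2000 SP4 baseline build, as stated in the thread (8.00.2039).
SP4_BUILD = (8, 0, 2039)

# Banner copied from the question (output of SELECT @@version).
SAMPLE_BANNER = (
    "Microsoft SQL Server  2000 - 8.00.2066 (Intel X86)   May 11 2012 18:41:14   "
    "Copyright (c) 1988-2003 Microsoft Corporation  Enterprise Edition on "
    "Windows NT 5.2 (Build 3790: Service Pack 2)"
)

# Engine part: "Microsoft SQL Server  2000 - 8.00.2066"
_ENGINE = re.compile(r"Microsoft SQL Server\s+(\d{4})\s+-\s+(\d+)\.(\d+)\.(\d+)")
# OS part: "on Windows NT 5.2 (Build 3790: Service Pack 2)"; the SP may be absent.
_OS = re.compile(r"on Windows NT (\d+\.\d+) \(Build (\d+):\s*(Service Pack \d+)?\s*\)")


def parse_version_banner(banner):
    """Split an @@version banner into engine fields and OS fields."""
    engine = _ENGINE.search(banner)
    if engine is None:
        raise ValueError("no SQL Server engine build found in banner")
    os_match = _OS.search(banner)
    return {
        "product_year": engine.group(1),
        "engine_build": tuple(int(x) for x in engine.group(2, 3, 4)),
        "os_version": os_match.group(1) if os_match else None,
        "os_build": os_match.group(2) if os_match else None,
        # This service pack belongs to Windows, not to SQL Server.
        "os_service_pack": os_match.group(3) if os_match else None,
    }


def sp4_status(build):
    """Compare an 8.00.x engine build with the SP4 baseline."""
    if build[:2] != SP4_BUILD[:2]:
        raise ValueError("not a SQL Server 2000 (8.00.x) build")
    if build < SP4_BUILD:
        return "below SP4"
    return "SP4" if build == SP4_BUILD else "SP4 plus later updates"


if __name__ == "__main__":
    info = parse_version_banner(SAMPLE_BANNER)
    print(info, sp4_status(info["engine_build"]))
```

The comparison only establishes the service pack level of the engine; whether the fix for a particular bulletin is present still has to be checked against that bulletin.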
David Todd
Hi,

Is an upgrade to SQL 2008R2 or SQL 2012 on the cards? SQL 2000 and SQL 2005 are end of life.

Regards
  David
Qsorb (ASKER)

>Yes, NT 5.2 SP2 is the OS
But what about the PCI issues? That's my main reason for asking the question. I need to get compliant again soon. So they can then look for something else to gripe about!
ASKER CERTIFIED SOLUTION
Brett Danney
Qsorb (ASKER)

I just installed the patch and will see what happens on the next Trustwave PCI scan.

Thanks for your help!