MS08-040 Update

SQL Server Service Pack 2 CU7 (and CU8) Includes the Security Patch

If Cumulative Update 7 (CU7) or Cumulative Update 8 (CU8) has been installed for SQL Server 2005 Service Pack 2 (SP2) then there is no need to apply the patch.

The build for the patch is 9.00.3233.

Since the build for CU7 is 9.00.3239 and cumulative updates are cumulative, both CU7 and CU8 include this security patch.

Microsoft Releases Critical Fix for SQL Server 7.0-2005

MS08-040: Vulnerabilities in Microsoft SQL Server could allow elevation of privilege

Microsoft released a SQL security update today to address four vulnerabilities found in almost all versions of SQL Server including SQL Server 7.0, SQL Server 2000, SQL Server 2005, and the “Windows Internal” database on Windows Server 2003 and Windows Server 2008.

The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

This release is considered important and should be applied.

The vulnerabilities can be somewhat mitigated if the SQL service is not running as LocalSystem, or Local Adminstrator privileges.

The vulnerabilities are:

• Memory Page Reuse Vulnerability (CVE-2008-0085)
• Convert Buffer Overrun (CVE-2008-0086)
• SQL Server Memory Corruption Vulnerability (CVE-2008-0107)
• SQL Server Buffer Overrun Vulnerability (CVE-2008-0106)

The following TechNet article has more information about the vulnerabilities:

htttp://www.microsoft.com/technet/security/bulletin/MS08-040.mspx

The following KB article has more information about the patch:

http://support.microsoft.com/kb/941203

Windows Server 2008 Unauthenticated

Windows Server 2008 Unauthenticated Edition

As part of a IIS / SQL Server hosting project I was perplexed when "Windows Unauthenticated Edition" came up in a discussion. I had certainly never heard of it. Neither did had anyone else. Neither had Microsoft Australia.

Windows WebServer 2008

Designed to be used specifically as a single-purpose Web server, Windows Web Server 2008 delivers on a rock-solid foundation of Web infrastructure capabilities in the next-generation Windows Server 2008. Integrated with the newly re-architected IIS 7.0, ASP.NET, and the Microsoft .NET Framework, Windows Web Server 2008 enables any organization to rapidly deploy Web pages, Web sites, Web applications, and Web services.

Windows Server 2008 Unauthenticated

The unauthenticated version of Windows Server 2008 brings all of the power of Windows Server 2008 Enterprise Edition except for applications that require Windows authentication services such as Microsoft Exchange Server, Microsoft Windows SharePoint Services, and Microsoft Office SharePoint Server. It cannot run Active Directory, but in every other aspect it is a fully featured Enterprise Edition install.

Windows Server 2008 Standard

Windows Server 2008 Standard is the most robust Windows Server operating system to date. With built-in, enhanced Web and virtualization capabilities, it is designed to increase the reliability and flexibility of your server infrastructure while helping save time and reduce costs. Powerful tools give you greater control over your servers, and streamline configuration and management tasks. Plus, enhanced security features work to harden the operating system to help protect your data and network and provide a solid, highly dependable foundation for your business.

Windows Server 2008 Enterprise

Windows Server 2008 Enterprise delivers an enterprise-class platform for deploying business-critical applications. Help improve availability with clustering and hot-add processor capabilities. Help improve security with consolidated identity management features. Reduce infrastructure costs by consolidating applications with virtualization licensing rights. Windows Server 2008 Enterprise provides the foundation for a highly dynamic, scalable IT infrastructure.

Windows Server 2008 Datacenter

Windows Server 2008 Datacenter delivers an enterprise-class platform for deploying business-critical applications and large-scale virtualization on small and large servers. Improve availability with clustering and dynamic hardware partitioning capabilities. Reduce infrastructure costs by consolidating applications with unlimited virtualization licensing rights. Scale from 2 to 64 processors. Windows Server 2008 Datacenter provides a foundation on which to build enterprise-class virtualization and scale-up solutions.

The differences between the more "common" editions would seem to be:

Feature	Web	Unauthenticated	Standard	Enterprise
Maximum RAM (32-bit)	4 GB	64 GB	4 GB	64 GB
Maximum RAM (64-bit)	32 GB	2 TB	32 GB	2 TB
Network Access Connections (RRAS)	0	Unlimited	250	Unlimited
Network Access Connections (IAS)	0	Unlimited	50	Unlimited
Terminal Services Gateway	0	Unlimited	250	Unlimited
Remote Desktop Admin Connections	2	2	2	2
Can run Active Directory	No	No	Yes	Yes
Internet Information Service 7.0	Yes	Yes	Yes	Yes
SQL Server Express or better	Yes	Yes	Yes	Yes
SQL Server Workgroup or better	No	Yes	Yes	Yes
Hyper-V	No	No	No	No
Network Access Protection	No	Yes	Yes	Yes
AD Rights management Services(i) (RMS)	No	No	Yes	Yes
Terminal Services Gateway & RemoteApp(ii)	No	No	Yes	Yes
Server Manager	No	Yes	Yes	Yes
Windows Deployment Services	No	No	Yes	Yes
Server Core	Yes	Yes	Yes	Yes
Windows Powershell	Yes	Yes	Yes	Yes

 

Notes:

(i) Incremental RMS CALs required.

(ii) Incremental TS CALs required.

 

There are more "exotic" editions in the form of Windows HPC Server 2008, the Itanium versions, and the non Hyper-V equivalents of Standard/Enterprise/Datacenter.

 

For more information: http://www.microsoft.com/windowsserver2008/en/us/editions-overview.aspx