
Is there an accessible record or repository of information concerning security patches and updates which concern SQL Server (any version)?

  • Sunday, November 01, 2009 9:26 PM ZychoFlow

    Hi, I'm working on a thesis on SQL Injection and I want to discuss a series of security updates or patches that have been implemented to the SQL Engine (any version; i.e. before and after 2000, etc.) and how such patches have or have not helped mitigate SQL Injection vulnerabilities and attacks against a database (directly or indirectly).

    For example, I heard that there used to be a problem in which a system could be compromised by adding more than 1000 characters in the where clause, but such vulnerability was appropriately patched.

    I would like to discuss some of these fixes and what they patched, etc.

    Is there an accessible record or repository of information concerning security patches and updates which concern SQL Server, and where could I access it?

    It really could be anything like: white papers, papers, vulnerability databases, etc.

    I just figured that it would be a good idea to go right to the source before anything else.

    Thank you,

Answers

  • Sunday, November 01, 2009 11:21 PM Lekss

    Hi,

    Good on you for doing a thesis on SQL injection.

    Go to the link http://www.microsoft.com/technet/security/Current.aspx and choose the products SQL Server 2000 and SQL Server 2005 / various editions in the product/technology dropdown box and set service pack as ALL. You will get all the vulnerability threat security patches released by Microsoft for fixing the issues.
    I hope there are no security update patches released for SQL Server 2008.


    Thanks, Leks
    • Marked As Answer by ZychoFlow Monday, November 02, 2009 12:54 AM

All Replies

  • Monday, November 02, 2009 12:53 AM ZychoFlow

    Hey, thanks a lot for that reference, it's just what I was looking for!