Unable to apply security patch MS12-027 to SQL Server 2008 R2 - 32bit

Question

I am running MS SQL Server 2008 R2 Express for my system, along with windows 2008 server 32-bit (but not the R2).

Microsoft's Security Bulletin MS12-027 links the SQL Server R2 patch to a "mscomctlocx2007-kb2598041-fullfile-x86-glb.exe" file, but this patch will not install on my server.

I have verified that the mscomctl.ocx exists under my c:\windows\system32 folder, and it is version 6.1.97.82

I don't have, or ever had any version of MS Office installed on my SQL server.
The error that I get from the installer is: "There are no products affected by this package installed on this system."

I would prefer to resolve this issue only as a Security Patch- only using MS12-027.  Otherwise, a Service Pack upgrade for SQL Server would bring many updates, and could actually create additional vulnerabilities.

Thanks.

Answer 1

The Mscomctl.Ocx file is only created when any of the following 3 features are installed:

• Analysis Services
• Reporting Services
• Integration Services

Probably you don't have these features installed, because you are running Express Edition. If you have SQL Server 2008 R2 Express with Advanced Services, then you may have Reporting Services installed.

Answer 2

I went under Start, All Programs, Microsoft SQL Server 2008 R2, and noticed  that there's a folder there called Integration Services, and another one called Configuration Tools.

Under the folder Integration Services are Data Profile Viewer and Execute Package Utility.
Under the folder Configuration Tools, is Reporting Services Configuration Manager.

I also have Microsoft SQL Server 2008 R2 RTM - Management Studio Express installed.

Since it appears that Integration and Reporting Services is installed, and that the Mscomctl.Ocx file exists, wouldn't that mean that my system is vulnerable to MS12-027?

Answer 3

I also have that Reporting Services Configuration Manager in my Start Menu. But I definitely do not have Reporting Services installed.

I also have the two Integration Services item you mention, but in this I can't tell as I have SSIS installed. But I suspect that they are tools. I think a better place to determine what you have installed is the SQL Server Configuration Manager and see if you have Integration Services listed there.

And, yes, I do have that OCX, but I also have Office 2010 on this machine.

---

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Answer 4

Hi SKJung,

Please check if you have AS RS or IS installed in your machine by checking Discovery Report.

Click "Start"--All programs--Microsoft SQL Server 2008 R2--Configuration tools--SQL Server installation center--Tools--installed SQL Server features discovery report

If any of them has been installed, it will be listed in the report.

Or you can check it by checking service.

Click "Start"--Administrative Tools--Services

---

Best Regards,
Iric
Please remember to mark the replies as answers if they help and unmark them if they provide no help.

Answer 5

I would recommend you to install the Service Pack instead. It will fix the some current bugs.

http://support.microsoft.com/kb/2528583

Answer 6

Attached below is what I get when I run the SQL Discovery Report:

The above may be hard to read, so I've decided to enter in more data here in the following format:

Product, Instance, Feature, Edition and Version:

- Microsoft SQL Server 2008 R2, MSSQLServer, Database Engine Services, Express Edition, 10.50.1600.1

- Microsoft SQL Server 2008 R2, MSSQLServer, SQL Server Replication, Express Edition, 10.50.1600.1

- SQL Server 2008, Management Tools - Basic, Express Edition, 10.51.2500.0

Answer 7

No Reporting Services or Integration Services in sight. So the patch does not seem to apply to you.

---

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Answer 8

Erland:

I have verified that the mscomctl.ocx exists under my c:\windows\system32 folder, and it is version 6.1.97.82

Additionally, I went under Start, All Programs, Microsoft SQL Server 2008 R2, and noticed  that there's a folder there called Integration Services, and another one called Configuration Tools.

- Under the folder Integration Services are Data Profile Viewer and Execute Package Utility.
- Under the folder Configuration Tools, is Reporting Services Configuration Manager.

Answer 9

As I have explained earlier the Reporting Services folder comes with your tools installation, and I suspect the same applies to the Integration Services folder.

Furthermore, you ran SQL Server Discovery Report and it not indicate that you have any of the two installed.

Previously I suggested that you should check SQL Server Configuation Manager. If you have any of Reporting Services and Integration Services installed, you will see the services listed there.

---

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Answer 10

Looks like it was a false positive from my security tools.

Thanks all for looking into this issue.