none
GDR 3194714 (MS16-136) Blocks SQL 2014 SP2 CU2 install!

    Question

  • Is it correct that once security update (GDR 3194714) is installed on SQL Server 2014 SP2 that you can no longer install the latest CU?

    I've had this on 2 servers now. I have to first uninstall the security update (including finding the original media for sqltools.msi), then install the CU, then install the security update again, but the SP2 CU2 version.

    Seems like a bug to me, surely this cannot be what we're expected to do in order to keep SQL patched?

    Wednesday, December 7, 2016 5:37 PM

Answers

  • If you're interested in the distinct differences between GDR and CU updates, you can find more about it here: https://support.microsoft.com/en-us/kb/935897. In short, whenever we release a security or non-security critical or important update we will release builds for both our GDR branch and our CU branch, as instances can be on one servicing branch or the other, and we need to offer these security or critical updates to customers regardless of the branch they are on.

    One correction to what Lin stated above: You can apply a CU on top of a GDR provided the CU you're trying to apply has the security fix contained in the GDR that's already installed. If the CU you're applying does not contain the fixes in the GDR that are installed, SQL Server Setup will block the install. If we allowed the CU to be applied the security fix would be removed and your server would be vulnerable.


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, December 9, 2016 7:01 PM
    Moderator

All replies

  • Hi ateece,

    >>Seems like a bug to me, surely this cannot be what we're expected to do in order to keep SQL patched?

    If I understand the ‘What are the GDR and CU update designations and how do they differ?’ section of MS16-136 correctly, CU and GDR are different upgrade servicing branches, which means you have to choose between them. That would explain why you cannot apply any CUs after you had applied  GDR 3194714 since they are from different service branch. In this case, I would suggest you stick with the security updates that is from the CU branch so you could apply further CU’s on it.

    If you have any other questions, please let me know.

    Regards,
    Lin

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, December 8, 2016 10:13 AM
    Moderator
  • If you're interested in the distinct differences between GDR and CU updates, you can find more about it here: https://support.microsoft.com/en-us/kb/935897. In short, whenever we release a security or non-security critical or important update we will release builds for both our GDR branch and our CU branch, as instances can be on one servicing branch or the other, and we need to offer these security or critical updates to customers regardless of the branch they are on.

    One correction to what Lin stated above: You can apply a CU on top of a GDR provided the CU you're trying to apply has the security fix contained in the GDR that's already installed. If the CU you're applying does not contain the fixes in the GDR that are installed, SQL Server Setup will block the install. If we allowed the CU to be applied the security fix would be removed and your server would be vulnerable.


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, December 9, 2016 7:01 PM
    Moderator