locked
Unable to apply security patch MS12-027 to SQL Server 2008 R2 - 32bit RRS feed

  • Question

  • I am running MS SQL Server 2008 R2 Express for my system, along with windows 2008 server 32-bit (but not the R2).

    Microsoft's Security Bulletin MS12-027 links the SQL Server R2 patch to a "mscomctlocx2007-kb2598041-fullfile-x86-glb.exe" file, but this patch will not install on my server.

    I have verified that the mscomctl.ocx exists under my c:\windows\system32 folder, and it is version 6.1.97.82

    I don't have, or ever had any version of MS Office installed on my SQL server.
    The error that I get from the installer is: "There are no products affected by this package installed on this system."

    I would prefer to resolve this issue only as a Security Patch- only using MS12-027.  Otherwise, a Service Pack upgrade for SQL Server would bring many updates, and could actually create additional vulnerabilities.

    Thanks.

    Wednesday, May 30, 2012 5:05 PM

Answers

  • As I have explained earlier the Reporting Services folder comes with your tools installation, and I suspect the same applies to the Integration Services folder.

    Furthermore, you ran SQL Server Discovery Report and it not indicate that you have any of the two installed.

    Previously I suggested that you should check SQL Server Configuation Manager. If you have any of Reporting Services and Integration Services installed, you will see the services listed there.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    • Marked as answer by Iric Wen Thursday, June 7, 2012 1:13 AM
    Monday, June 4, 2012 9:54 PM
  • The Mscomctl.Ocx file is only created when any of the following 3 features are installed:

    • Analysis Services
    • Reporting Services
    • Integration Services
    Probably you don't have these features installed, because you are running Express Edition. If you have SQL Server 2008 R2 Express with Advanced Services, then you may have Reporting Services installed.
    • Edited by irusul Thursday, May 31, 2012 9:09 AM
    • Marked as answer by Iric Wen Thursday, June 7, 2012 1:13 AM
    Thursday, May 31, 2012 9:05 AM
  • I also have that Reporting Services Configuration Manager in my Start Menu. But I definitely do not have Reporting Services installed.

    I also have the two Integration Services item you mention, but in this I can't tell as I have SSIS installed. But I suspect that they are tools. I think a better place to determine what you have installed is the SQL Server Configuration Manager and see if you have Integration Services listed there.

    And, yes, I do have that OCX, but I also have Office 2010 on this machine.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    • Marked as answer by Iric Wen Thursday, June 7, 2012 1:13 AM
    Thursday, May 31, 2012 10:00 PM
  • Hi SKJung,

    Please check if you have AS RS or IS installed in your machine by checking Discovery Report.

    Click "Start"--All programs--Microsoft SQL Server 2008 R2--Configuration tools--SQL Server installation center--Tools--installed SQL Server features discovery report

    If any of them has been installed, it will be listed in the report.

    Or you can check it by checking service.

    Click "Start"--Administrative Tools--Services


    Best Regards,
    Iric
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    • Marked as answer by Iric Wen Thursday, June 7, 2012 1:13 AM
    Friday, June 1, 2012 6:08 AM
  • Looks like it was a false positive from my security tools.

    Thanks all for looking into this issue.

    • Marked as answer by SKJung Tuesday, June 19, 2012 6:21 PM
    Tuesday, June 19, 2012 6:21 PM

All replies

  • The Mscomctl.Ocx file is only created when any of the following 3 features are installed:

    • Analysis Services
    • Reporting Services
    • Integration Services
    Probably you don't have these features installed, because you are running Express Edition. If you have SQL Server 2008 R2 Express with Advanced Services, then you may have Reporting Services installed.
    • Edited by irusul Thursday, May 31, 2012 9:09 AM
    • Marked as answer by Iric Wen Thursday, June 7, 2012 1:13 AM
    Thursday, May 31, 2012 9:05 AM
  • I went under Start, All Programs, Microsoft SQL Server 2008 R2, and noticed  that there's a folder there called Integration Services, and another one called Configuration Tools.

    Under the folder Integration Services are Data Profile Viewer and Execute Package Utility.
    Under the folder Configuration Tools, is Reporting Services Configuration Manager.

    I also have Microsoft SQL Server 2008 R2 RTM - Management Studio Express installed.

    Since it appears that Integration and Reporting Services is installed, and that the Mscomctl.Ocx file exists, wouldn't that mean that my system is vulnerable to MS12-027?

    Thursday, May 31, 2012 12:34 PM
  • I also have that Reporting Services Configuration Manager in my Start Menu. But I definitely do not have Reporting Services installed.

    I also have the two Integration Services item you mention, but in this I can't tell as I have SSIS installed. But I suspect that they are tools. I think a better place to determine what you have installed is the SQL Server Configuration Manager and see if you have Integration Services listed there.

    And, yes, I do have that OCX, but I also have Office 2010 on this machine.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    • Marked as answer by Iric Wen Thursday, June 7, 2012 1:13 AM
    Thursday, May 31, 2012 10:00 PM
  • Hi SKJung,

    Please check if you have AS RS or IS installed in your machine by checking Discovery Report.

    Click "Start"--All programs--Microsoft SQL Server 2008 R2--Configuration tools--SQL Server installation center--Tools--installed SQL Server features discovery report

    If any of them has been installed, it will be listed in the report.

    Or you can check it by checking service.

    Click "Start"--Administrative Tools--Services


    Best Regards,
    Iric
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    • Marked as answer by Iric Wen Thursday, June 7, 2012 1:13 AM
    Friday, June 1, 2012 6:08 AM
  • I would recommend you to install the Service Pack instead. It will fix the some current bugs.

    http://support.microsoft.com/kb/2528583

    Friday, June 1, 2012 6:40 AM
  • Attached below is what I get when I run the SQL Discovery Report:

    The above may be hard to read, so I've decided to enter in more data here in the following format:

    Product, Instance, Feature, Edition and Version:

    - Microsoft SQL Server 2008 R2, MSSQLServer, Database Engine Services, Express Edition, 10.50.1600.1

    - Microsoft SQL Server 2008 R2, MSSQLServer, SQL Server Replication, Express Edition, 10.50.1600.1

    - SQL Server 2008, Management Tools - Basic, Express Edition, 10.51.2500.0

    • Edited by SKJung Friday, June 1, 2012 2:08 PM updated
    Friday, June 1, 2012 12:42 PM
  • No Reporting Services or Integration Services in sight. So the patch does not seem to apply to you.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    Friday, June 1, 2012 9:45 PM
  • Erland:

    I have verified that the mscomctl.ocx exists under my c:\windows\system32 folder, and it is version 6.1.97.82

    Additionally, I went under Start, All Programs, Microsoft SQL Server 2008 R2, and noticed  that there's a folder there called Integration Services, and another one called Configuration Tools.

    - Under the folder Integration Services are Data Profile Viewer and Execute Package Utility.
    - Under the folder Configuration Tools, is Reporting Services Configuration Manager.

    Monday, June 4, 2012 12:46 PM
  • As I have explained earlier the Reporting Services folder comes with your tools installation, and I suspect the same applies to the Integration Services folder.

    Furthermore, you ran SQL Server Discovery Report and it not indicate that you have any of the two installed.

    Previously I suggested that you should check SQL Server Configuation Manager. If you have any of Reporting Services and Integration Services installed, you will see the services listed there.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    • Marked as answer by Iric Wen Thursday, June 7, 2012 1:13 AM
    Monday, June 4, 2012 9:54 PM
  • Looks like it was a false positive from my security tools.

    Thanks all for looking into this issue.

    • Marked as answer by SKJung Tuesday, June 19, 2012 6:21 PM
    Tuesday, June 19, 2012 6:21 PM