echo: nthelp
to: geo
from: Rich
date: 2003-01-31 14:04:40
subject: Re: Installs from CD?

From: "Rich" 

   Q317748 may have been published in October but it is older than that.
If you are simply claiming that the folks that published that old
hotfix from before MS02-039 should have updated it to a current version
of the DLL I agree.  This is a special case in that the later DLL
contained a security fix.  If it had been updated with other fixes, it
should not get updated.  The premise is that you very much try to avoid
including other fixes in hotfixes because you want them to be as narrowly
focused as possible.  It's the same premise that except for security
fixes, people should not install all available hotfixes between service
packs.

Rich

  "geo"  wrote in message
news:3e3ab8bd$1{at}w3.nls.net...
  "Rich"  wrote in message news:3e3ab22c$1{at}w3.nls.net...
  >>   I see no problem tracking the versions of files in updates.

  Read the progression of SQL server patches here and see if you can spot the
  problem, I'll even give you a clue, read all of (4).

  Geo.

  1. MS02-039 was the first Security Bulletin hotfix for SQL which
  addressed the vulnerability Slammer exploits. The affected file was
  ssnetlib.dll, and the first corrected version was 2000.080.0636.00. That
  was released at the end of June 2002.

  2. MS02-043 was released in August 2002, and it contained the same
  ssnetlib.dll as MS02-039.

  3. MS02-056 came along in October 2002, and it contained an ssnetlib.dll
  versioned 2000.080.0679.00.

  4. Q317748 was a SQL hotfix that was not a security bulletin. It
  addressed a handle leak that was introduced with SQL SP2. It was
  released in October 2002. I have had reports from people who have been
  running many SQL servers without that patch and have never encountered a
  problem. The specifics of the handle leak are such that it does not
  affect many installations.

  Unfortunately, Q317748 has a problem. Despite being released 3 months
  after the first SQL patch that corrected the vulnerability Slammer
  exploits, it contained the wrong version of ssnetlib.dll. Q317748
  contained 2000.080.0568.00.

  So if you had applied MS02-039, or MS02-043, or MS02-056 before Q317748
  came along, and then applied Q317748, you may have downgraded your
  ssnetlib.dll to a version that did not address Slammer. When you run
  Q317748 on a system that had an updated ssnetlib.dll, you would have
  been prompted that the file you were replacing was newer than the
  replacement (if you weren't doing this in unattended mode). If you said
  don't replace, you'd be fine, otherwise, you regressed.

  5. MS02-061 came along later in October 2002. It *did* contain the
  MS02-056 version of ssnetlib.dll, a version which addressed Slammer.
  Unfortunately, it did not include the ssmslpcn.dll from Q317748.

  6. SQL/MSDE SP3 came along January 2003. It contains updates for
  ssnetlib.dll and ssmslpcn.dll, both version 2000.080.0760.00.

  7. MS02-061 was re-released January 26th, 2003. The only change to it
  was that the ssmslpcn.dll from Q317748 (v2000.080.0568.00) was added =
to
  the previously released patch, and a script was wrapped around it to
  make it easier to install. As a result, MS02-061 now contains both the
  handle leak patch, and the Slammer patch, in one pre-SP3 package.



--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)
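The regression geo describes is a file-version tracking problem: a later hotfix that ships an older ssnetlib.dll can silently roll back a security fix whenever the installer's "file on disk is newer" prompt is not seen. The following Python is an example added to this thread, not code from either poster. It models the patch sequence with the version numbers quoted in the message (the pre-patch baseline is left unknown, so MS02-039 sets it), compares versions numerically, and audits the result against the first fixed version. The names parse_version, Hotfix, apply_hotfix, audit, run_sequence and MIN_FIXED_SSNETLIB are this example's own.

```python
"""Track ssnetlib.dll's file version across a hotfix sequence and flag a
downgrade below the first security-fixed version.

Added example for this thread, not code from the original posts. The
hotfix table is constructed from the version numbers quoted in the
message; all function, class and variable names are this example's own.
"""
from typing import NamedTuple

# First corrected ssnetlib.dll version (MS02-039, per the thread).
MIN_FIXED_SSNETLIB = "2000.080.0636.00"


def parse_version(s: str) -> tuple:
    """Convert a four-part Windows file version such as '2000.080.0636.00'
    into a tuple of ints so that comparisons are numeric field by field,
    not a string comparison that depends on zero-padding."""
    parts = s.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part file version: {s!r}")
    return tuple(int(p) for p in parts)


class Hotfix(NamedTuple):
    name: str
    files: dict        # file name -> version shipped in this package
    security: bool     # released under a security bulletin?


def apply_hotfix(installed: dict, hotfix: Hotfix, unattended: bool) -> list:
    """Simulate the installer behaviour the thread describes.

    When the package carries an OLDER file than the one on disk, an
    interactive install prompts and (here) the operator keeps the newer
    file; an unattended install overwrites without asking. Returns the
    names of files that were regressed to an older version.
    """
    regressed = []
    for fname, new_ver in hotfix.files.items():
        cur = installed.get(fname)
        if cur is not None and parse_version(new_ver) < parse_version(cur):
            if not unattended:
                continue          # operator answered "don't replace"
            regressed.append(fname)
        installed[fname] = new_ver
    return regressed


def audit(installed: dict, fname: str, min_fixed: str) -> bool:
    """True if the file is present and at or above the first fixed version."""
    cur = installed.get(fname)
    return cur is not None and parse_version(cur) >= parse_version(min_fixed)


# Constructed from the thread: the order in which the packages shipped.
# MS02-043 is omitted since it carried the same ssnetlib.dll as MS02-039.
SEQUENCE = [
    Hotfix("MS02-039", {"ssnetlib.dll": "2000.080.0636.00"}, security=True),
    Hotfix("MS02-056", {"ssnetlib.dll": "2000.080.0679.00"}, security=True),
    Hotfix("Q317748", {"ssnetlib.dll": "2000.080.0568.00",
                       "ssmslpcn.dll": "2000.080.0568.00"}, security=False),
]


def run_sequence(unattended: bool):
    """Apply SEQUENCE to a host whose pre-patch versions are unknown (the
    first package sets the baseline). Returns (final versions, list of
    (hotfix, file) pairs that caused a downgrade)."""
    installed = {}
    downgrades = []
    for hf in SEQUENCE:
        for fname in apply_hotfix(installed, hf, unattended):
            downgrades.append((hf.name, fname))
    return installed, downgrades


if __name__ == "__main__":
    for mode in (False, True):
        state, downgrades = run_sequence(unattended=mode)
        print(f"unattended={mode}: ssnetlib.dll={state['ssnetlib.dll']} "
              f"downgrades={downgrades} "
              f"slammer_fixed={audit(state, 'ssnetlib.dll', MIN_FIXED_SSNETLIB)}")
```

Run interactively the sequence ends at 2000.080.0679.00 with no downgrade; run unattended, Q317748 rolls ssnetlib.dll back to 2000.080.0568.00 and the audit fails. On a live host the version strings would be read from each DLL's version resource (for example (Get-Item path).VersionInfo.FileVersion in PowerShell) instead of the constructed table; the comparison and audit logic stay the same.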

SOURCE: echomail via fidonet.ozzmosis.com
