MSDE - service packs and patches

From: Monterey, Christina (Christina.Monterey@EIA.DOE.GOV)
Date: 08/15/02


Date:         Thu, 15 Aug 2002 17:11:43 -0400
From: "Monterey, Christina" <Christina.Monterey@EIA.DOE.GOV>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Russ,

If this is not a valid posting for BugTraq, please just let me know.

I am concerned that there are internet web servers out there running un-patched
versions of MSDE. This happens for 2 reasons:
1) you don't think MSDE is vulnerable to SQL attacks.
2) you can't get the service packs and security updates to install, so you leave
MSDE as-is.

More and more Windows database-dependent products require MSDE if you do not have
a SQL server. If your server is a web server and running MSDE you need to install
the service packs and security updates to protect this server. I know I had to
call Microsoft to get help (and BTW, the guy I got at Microsoft Support was
exceptionally helpful). With help, I did get the service packs and security
fixes installed. I am posting this in an attempt to help anyone else having
problems patching MSDE.

(but, maybe I am the only one...if so, Russ, please don't even bother to post
this!)

FYI - my problem was that I did not run the setup file from a command prompt and
specify the numeric install file (.MSI file). I chose to uninstall MSDE and
reinstall it in this way. Then, I ran SQL SP2 from the command prompt and
specified the numeric patch-install file (.MSP). I think it also helps to run the
install of MSDE from a directory on the hard drive (not from a network share or a
CD -- I also did this before the 2nd install). Non-DBAs may want to take the
effort to get familiar with the osql utility too (runs Transact-SQL commands).
To run the security update, you need to know the instance name for your MSDE
install. The default instance name is MSSQLSERVER. If you are trying to install
the post-SP2 security rollup for SQL 2000 on MSDE 2000, you probably need to get
the new version of SERVPRIV.EXE from their support office.

If you have an install of MSDE that was customized from a vendor, none of the
info above may apply (sorry, you have to contact the vendor). This is because
vendors can add "merge-modules" to MSDE and these modules can change all the
rules.

hope this helps,
Chris Monterey
EIA
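
The following is an added example, not part of the original post or of any Microsoft documentation: a Transact-SQL script, run through the osql utility the post mentions, that reports the instance name and service pack level of an MSDE 2000 install so an unpatched one can be spotted. The file name check_msde.sql and the SERVERNAME and INSTANCE_NAME values in the comments are placeholders.

```sql
-- check_msde.sql (added example). Run with a trusted (Windows) login:
--   default instance:  osql -E -i check_msde.sql
--   named instance:    osql -E -S SERVERNAME\INSTANCE_NAME -i check_msde.sql
SET NOCOUNT ON

DECLARE @instance nvarchar(128), @edition nvarchar(128),
        @version nvarchar(128), @level nvarchar(128), @msg nvarchar(400)

-- SERVERPROPERTY returns sql_variant, so convert before string handling.
-- InstanceName is NULL for the default instance, whose name is MSSQLSERVER.
SELECT @instance = ISNULL(CONVERT(nvarchar(128), SERVERPROPERTY('InstanceName')), N'MSSQLSERVER'),
       @edition  = CONVERT(nvarchar(128), SERVERPROPERTY('Edition')),
       @version  = CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion')),
       @level    = CONVERT(nvarchar(128), SERVERPROPERTY('ProductLevel'))

SET @msg = N'Instance: ' + @instance + N'  Edition: ' + @edition
         + N'  Version: ' + @version + N'  Level: ' + @level
PRINT @msg

IF LEFT(@version, 2) <> N'8.'
    PRINT N'Not a SQL Server 2000 / MSDE 2000 engine; the SP2 check does not apply.'
ELSE IF @level IN (N'RTM', N'SP1')
    PRINT N'BELOW SP2: install the service pack, then the security update.'
ELSE
BEGIN
    -- ProductLevel only names the service pack. A security update applied on top
    -- of it changes the build number in ProductVersion, so that value has to be
    -- compared with the build number given in the security bulletin.
    SET @msg = N'At ' + @level + N': compare Version with the build in the security bulletin.'
    PRINT @msg
END
```

The instance name printed on the first line is the value the security update asks for.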