SQL Server CVE-2026-26115 Patch Guide: GDR vs CU Updates

Microsoft has issued coordinated security updates to fix CVE-2026-26115, a newly disclosed elevation of privilege (EoP) vulnerability in Microsoft SQL Server; if you run any supported SQL Server release, your immediate action is to identify the exact build you’re running, match it to Microsoft’s published GDR/CU mapping, and install the corresponding security update as soon as practical. (support.microsoft.com)

Background​

CVE-2026-26115 is part of Microsoft’s March 2026 security rollup that includes several SQL Server elevation-of-privilege advisories. The vendor has mapped the vulnerability to product builds and published per-release security packages (GDR and CU variants) so administrators can apply the update that matches their servicing path. Independent security trackers and vulnerability reviewers have classified the SQL Server EoP issues as important to high impact for on-premises and IaaS-hosted SQL instances, and the practical mitigation for all environments is patching the affected binaries. (support.microsoft.com)
Microsoft’s approach for these SQL Server security releases follows the longstanding split between the General Distribution Release (GDR) channel — small, security-only cumulative packages for a baseline — and the Cumulative Update (CU) channel — feature and cumulative functional updates that also include security fixes. Which path you choose depends on the update history and servicing baseline of your installation; Microsoft allows one migration from GDR to CU servicing, but warns that switching back is not supported. (support.microsoft.com)

Why this matters to you now​

  • An elevation-of-privilege vulnerability in SQL Server can let an attacker who already has some foothold (an authenticated login, or network reach to the instance, depending on the flaw) escalate to higher database-level privileges, and potentially to OS-level privileges when the engine runs under a high-privilege service account. That makes these flaws particularly urgent on systems that host sensitive data or run under high-privilege service accounts.
  • Microsoft has already published targeted KB updates for supported SQL Server releases (RTM and Service Pack baselines), and the vendor’s official remediation is to install the appropriate update for your SQL Server build. Automated distribution channels (Windows Update / Microsoft Update, WSUS) and standalone installers from the Microsoft Update Catalog are available. (support.microsoft.com)
  • If your SQL Server build is not covered in the vendor mapping, that generally means your release is no longer supported and will not receive a fix; the correct remediation in that case is to plan an upgrade to a supported baseline to receive security updates. (support.microsoft.com)

What’s affected (short summary of releases and KBs)​

Microsoft has released GDR and CU security updates that map to specific SQL Server builds. The vendor’s KB pages and Security Update Guide list the per-release packages; for example, the SQL Server 2019 CU32+GDR package for March 10, 2026 is published as KB5077469 and updates product build 15.0.4460.4. Similar KB entries exist for SQL Server 2022, 2025, 2017, 2016 and earlier supported baselines. Deploy the matching KB for your build. (support.microsoft.com)
Note: Microsoft’s mapping tables and the Security Update Guide are the canonical source for which KB or CU corresponds to a given version/build. Cross-checking the mapping is non-optional; installing the wrong channel (GDR vs CU) can produce servicing mismatches. (support.microsoft.com)

Immediate steps you must take — a concise playbook​

  • Identify the SQL Server instance(s) and their exact build numbers.
  • Run SELECT @@VERSION; and SELECT SERVERPROPERTY('ProductVersion'), SERVERPROPERTY('ProductLevel'), SERVERPROPERTY('Edition'); on each instance to collect the canonical product version and build. These commands return the exact version metadata Microsoft uses for KB mapping.
  • Consult Microsoft’s mapping for CVE-2026-26115 and find the KB/packet that corresponds to your build and servicing channel (GDR or CU). The Microsoft Security Update Guide and the per-product KB pages are authoritative. (support.microsoft.com)
  • If you are on a supported build that has an available GDR or CU, schedule a controlled deployment: test in a non-production environment, take backups, and stage the update via your usual deployment tooling (WSUS, SCCM, Microsoft Update Catalog, or manual installer). (support.microsoft.com)
  • If your build is unsupported (no mapping), schedule an upgrade to a supported baseline immediately so you can receive security fixes. (support.microsoft.com)
  • If you cannot patch immediately, apply compensating controls to reduce exposure (network isolation, least-privilege service accounts, enhanced monitoring and auditing — details below).
Each of the above steps is non-negotiable for production deployments. The next sections expand on how to do each step safely.

How to determine which update (GDR vs CU) you should install​

Understand the two servicing tracks​

  • GDR (General Distribution Release): Security-only packages for a given baseline; intended for installations that follow the GDR servicing path. (support.microsoft.com)
  • CU (Cumulative Update): Contains both security fixes and functional fixes; installs a newer cumulative build and is intended for installations that intentionally track CUs. (support.microsoft.com)
If your SQL Server instance has historically applied only GDR updates, continue on the GDR path and install the matching GDR package. If you have applied CUs in the past, install the CU package instead. Be aware that once you move from GDR servicing to CU servicing by applying a CU package, Microsoft states you cannot revert to the GDR path for that installation; it is a one‑way switch. Plan accordingly. (support.microsoft.com)

Mapping your product version to the right package​

  • Run the version queries described above and collect the ProductVersion value.
  • Use Microsoft’s Security Update Guide entry for CVE-2026-26115 and the per-release KB pages to find the KB that lists the exact ProductVersion or version-range that your server falls into. The KB text explicitly lists the build range and which update to apply. (support.microsoft.com)
  • If you manage many instances, script the inventory (PowerShell + Invoke-Sqlcmd, or dbatools’ Invoke-DbaQuery) to collect builds and automate the mapping step. Community tooling references and Microsoft Learn guidance recommend this approach for large estates.

Step-by-step: Patching checklist (detailed)​

Pre-patch tasks (do these first)​

  • Take full backups (system and user databases) and a copy of the master database, as well as the SQL Server configuration (sp_configure output, SQL Agent jobs exports). This is mandatory before any server-level change.
  • Snapshot your VM (if running in a virtual environment) or document the storage-level recovery point.
  • Identify and notify stakeholders of expected downtime; many SQL Server binaries require service restarts, which can interrupt availability.
  • Export or capture the instance’s current registry/install metadata (Program Files paths and instance IDs) to speed troubleshooting if the installer does not detect the instance. Community posts show registry mismatches can block CU installs, so capturing that state is useful.
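The pre-patch capture above as one T-SQL script, added here as an example (it is not from the article or from Microsoft). It takes COPY_ONLY full backups of the system and user databases and snapshots sp_configure values, the reported build and the Agent job list into tables, so the same SELECTs can be re-run after the update and diffed. Assumptions: the folder D:\PrePatch\ exists and is writable by the SQL Server service account, a DBA database named [DBA_Admin] exists for the snapshot tables, and the edition supports backup COMPRESSION (drop that option on Express).

```sql
-- Added example, not from the article or Microsoft: pre-patch capture for a later diff.
-- Assumptions: D:\PrePatch\ is writable by the service account; [DBA_Admin] exists;
-- the edition supports backup COMPRESSION.
SET NOCOUNT ON;
DECLARE @dir   nvarchar(260) = N'D:\PrePatch\';
DECLARE @stamp nvarchar(20)  = FORMAT(SYSDATETIME(), 'yyyyMMdd_HHmm');
DECLARE @now   datetime2     = SYSDATETIME();
DECLARE @db    sysname, @sql nvarchar(max);

-- 1) COPY_ONLY full backups of master, msdb, model and every ONLINE user database.
--    COPY_ONLY leaves the existing differential/log chain untouched. Databases that are
--    non-primary AG replicas on this node are skipped (BACKUP would fail there).
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT d.name
    FROM sys.databases AS d
    WHERE d.state_desc = N'ONLINE'
      AND d.name <> N'tempdb'
      AND NOT EXISTS (SELECT 1 FROM sys.dm_hadr_database_replica_states AS s
                      WHERE s.database_id = d.database_id
                        AND s.is_local = 1 AND s.is_primary_replica = 0);
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Build the path as a single-quoted literal; REPLACE escapes any embedded quote.
    SET @sql = N'BACKUP DATABASE ' + QUOTENAME(@db)
             + N' TO DISK = N''' + REPLACE(@dir + @db + N'_prepatch_' + @stamp + N'.bak', N'''', N'''''') + N''''
             + N' WITH COPY_ONLY, COMPRESSION, CHECKSUM, INIT, STATS = 25;';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;

-- 2) Snapshot sp_configure values plus the reported build.
IF OBJECT_ID(N'DBA_Admin.dbo.PrePatch_Config') IS NULL
    CREATE TABLE DBA_Admin.dbo.PrePatch_Config (
        captured_at  datetime2     NOT NULL,
        server_name  sysname       NOT NULL,
        config_name  nvarchar(128) NOT NULL,
        value        sql_variant   NULL,
        value_in_use sql_variant   NULL
    );
INSERT INTO DBA_Admin.dbo.PrePatch_Config (captured_at, server_name, config_name, value, value_in_use)
SELECT @now, @@SERVERNAME, c.name, c.value, c.value_in_use FROM sys.configurations AS c
UNION ALL
SELECT @now, @@SERVERNAME, N'ProductVersion', SERVERPROPERTY('ProductVersion'), SERVERPROPERTY('ProductVersion');

-- 3) Inventory SQL Agent jobs (name, enabled flag, owner, last change) for the same diff.
IF OBJECT_ID(N'DBA_Admin.dbo.PrePatch_Jobs') IS NULL
    CREATE TABLE DBA_Admin.dbo.PrePatch_Jobs (
        captured_at   datetime2 NOT NULL,
        server_name   sysname   NOT NULL,
        job_name      sysname   NOT NULL,
        is_enabled    tinyint   NOT NULL,
        owner_name    sysname   NULL,
        date_modified datetime  NOT NULL
    );
INSERT INTO DBA_Admin.dbo.PrePatch_Jobs (captured_at, server_name, job_name, is_enabled, owner_name, date_modified)
SELECT @now, @@SERVERNAME, j.name, j.enabled, SUSER_SNAME(j.owner_sid), j.date_modified
FROM msdb.dbo.sysjobs AS j;
```

The job table records only metadata; script the full job definitions separately (SSMS, SMO or dbatools) so a job that the update alters can be restored verbatim. Run the two SELECTs again after patching and compare by captured_at to spot configuration drift.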

Test deployment​

  • Apply the selected GDR or CU in a lab that mirrors production (same OS patch level, service packs, and third-party agents).
  • Validate application connectivity, ODBC/OLE DB drivers, linked servers, replication, and any SQL Agent jobs. Some cumulative fixes touch replication upgrade paths and other engine behaviors; test these flows. (support.microsoft.com)
  • Confirm that client drivers (ODBC, OLE DB) used by apps remain compatible after the patch. Microsoft bundles many driver fixes inside these updates, but conservative testing is required for integrated apps. (support.microsoft.com)

Deployment​

  • Stage the update in waves: non-critical instances first, then business-critical instances in test, then production-critical instances.
  • After applying the update, restart services if the installer requests it and validate instance startup through error logs and perf counters.
  • Run smoke tests: application queries, job runs, backups, replication health checks.
  • Monitor for anomalous behavior (errors, latency, permission failures) for 48–72 hours post-deployment; be ready to escalate to vendor support if unexpected regressions occur.

If you can’t patch immediately: short-term mitigations​

While the vendor-supplied patch is the definitive fix, apply compensating controls to reduce risk until the update can be deployed:
  • Network isolation: Restrict SQL Server access to only application and management subnets. Block direct access to the SQL port (TCP 1433 for a default instance, plus the dynamic TCP ports of named instances and the SQL Browser service on UDP 1434) from untrusted networks. This reduces the ability of an attacker to interact with an exposed instance.
  • Least privilege: Ensure service accounts, application pools, and database principals run with the lowest privileges required. Remove unnecessary sysadmin membership where possible.
  • Audit and monitoring: Enable SQL Server auditing (or Extended Events) to log privileged account changes, successful logons to high-privilege roles, and creation of new logins. Feed these logs into your SIEM for alerting and retention.
  • Temporary access controls: Disable features or surface-area components you do not need (e.g., disable ad-hoc distributed queries if not used), and enforce MFA for management and privileged accounts where available.
Document each compensating control and the expected rollback once the patch is in place.
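The least-privilege, surface-area and auditing controls above as T-SQL, added here as an example (not from the article or from Microsoft) to run on each instance that cannot be patched yet. Assumptions: the folder C:\SQLAudit\ exists and is writable by the SQL Server service account, the audit and specification names are ours, and the login running this holds CONTROL SERVER.

```sql
-- Added example, not from the article or Microsoft: compensating controls as T-SQL.
-- Assumptions: C:\SQLAudit\ is writable by the service account; object names are ours.

-- 1) Least privilege: who is sysadmin, and which accounts run the services?
SELECT sp.name AS sysadmin_member, sp.type_desc, sp.is_disabled, sp.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals  AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY sp.name;

-- A LocalSystem or domain-admin service account turns a SQL-level EoP into a host-level one.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;

-- 2) Surface area: turn off ad hoc distributed queries unless something needs them.
EXEC sys.sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sys.sp_configure N'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
-- Same pattern for other unused features, e.g. EXEC sys.sp_configure N'xp_cmdshell', 0;

-- 3) Auditing: record privilege changes and logins to a file the SIEM agent collects.
--    ON_FAILURE = CONTINUE keeps the engine up if the audit target is unavailable; use
--    SHUTDOWN only where losing the audit trail is worse than losing availability.
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'Audit_PrivilegeChanges')
    CREATE SERVER AUDIT [Audit_PrivilegeChanges]
    TO FILE (FILEPATH = N'C:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);

IF NOT EXISTS (SELECT 1 FROM sys.server_audit_specifications
               WHERE name = N'AuditSpec_PrivilegeChanges')
    CREATE SERVER AUDIT SPECIFICATION [AuditSpec_PrivilegeChanges]
    FOR SERVER AUDIT [Audit_PrivilegeChanges]
        ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),     -- sp_addsrvrolemember / ALTER SERVER ROLE
        ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
        ADD (SERVER_PRINCIPAL_CHANGE_GROUP),       -- CREATE/ALTER/DROP LOGIN
        ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),     -- CREATE/ALTER/DROP USER
        ADD (SERVER_PERMISSION_CHANGE_GROUP),      -- GRANT/DENY/REVOKE at server scope
        ADD (SUCCESSFUL_LOGIN_GROUP),              -- noisy: filter to privileged logins downstream
        ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);

ALTER SERVER AUDIT [Audit_PrivilegeChanges] WITH (STATE = ON);
```

Keep the output of the first two SELECTs with the change record: they are the baseline you compare against when the patch is in and the controls are rolled back.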

Detection and hunting guidance​

Prioritize detection of suspicious activity that could indicate attempted exploitation or misuse:
  • Monitor for unexpected ALTER USER, ALTER LOGIN, CREATE LOGIN, ALTER SERVER ROLE ... ADD MEMBER or sp_addsrvrolemember operations in the SQL Server audit trail; these are common post‑exploitation actions for privilege escalation events.
  • Correlate SQL Server audit logs with endpoint telemetry and AD logs for simultaneous privilege anomalies (e.g., new local admin account creation on the host plus elevated SQL logins).
  • Inspect SQL Server errorlog and Windows Event Log for unusual service restarts or access denials after the patch window, which can indicate regression or exploitation attempts.
  • Hunt for anomalous queries executed by low-privilege accounts that interact with high-privilege stored procedures or admin-only features.
Security vendors and vulnerability trackers recommend treating any detection of privilege-escalation indicators as high priority and initiating incident response containment steps.
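A hunting query for the indicators listed above, added here as an example (it is not from the article or from any vendor). It pulls role-membership and principal changes out of a SQL Server Audit file and lists server principals created or modified in the window, flagging sysadmin members. Assumptions: a server audit writes .sqlaudit files under C:\SQLAudit\ and includes the role-member, principal-change and login action groups, and the query runs as a login with CONTROL SERVER (required by sys.fn_get_audit_file).

```sql
-- Added hunting example, not from the article: privilege-change events from the audit
-- file plus recently changed server principals. Assumes .sqlaudit files under C:\SQLAudit\.
DECLARE @hours int = 72;
-- Audit event_time is UTC; catalog create_date/modify_date are server-local time.
DECLARE @sinceUtc   datetime2 = DATEADD(HOUR, -@hours, SYSUTCDATETIME());
DECLARE @sinceLocal datetime2 = DATEADD(HOUR, -@hours, SYSDATETIME());

-- 1) Statements that add role members, create/alter logins or users, or grant control.
--    Matching on the captured statement text is deliberate: it catches both the legacy
--    sp_addsrvrolemember form and ALTER SERVER ROLE ... ADD MEMBER, whichever action_id
--    the engine recorded.
SELECT  a.event_time,
        a.action_id,
        act.name                        AS action_name,
        a.succeeded,
        a.session_server_principal_name AS actor,
        a.target_server_principal_name  AS target_login,
        a.database_name,
        a.client_ip,
        a.application_name,
        a.statement
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT) AS a
LEFT JOIN (SELECT DISTINCT action_id, name FROM sys.dm_audit_actions) AS act
       ON act.action_id = a.action_id
WHERE a.event_time >= @sinceUtc
  AND (   a.statement LIKE N'%ALTER SERVER ROLE%ADD MEMBER%'
       OR a.statement LIKE N'%sp_addsrvrolemember%'
       OR a.statement LIKE N'%ALTER ROLE%ADD MEMBER%'
       OR a.statement LIKE N'%sp_addrolemember%'
       OR a.statement LIKE N'%CREATE LOGIN%'
       OR a.statement LIKE N'%ALTER LOGIN%'
       OR a.statement LIKE N'%ALTER USER%'
       OR a.statement LIKE N'%GRANT%CONTROL SERVER%'
       OR a.statement LIKE N'%GRANT%IMPERSONATE%')
ORDER BY a.event_time DESC;

-- 2) Server principals created or changed in the window, with sysadmin membership flagged.
--    A login that appears here without a matching change ticket is a containment trigger.
SELECT  p.name,
        p.type_desc,
        p.create_date,
        p.modify_date,
        p.is_disabled,
        CASE WHEN rm.member_principal_id IS NOT NULL THEN 1 ELSE 0 END AS is_sysadmin
FROM sys.server_principals AS p
LEFT JOIN sys.server_role_members AS rm
       ON rm.member_principal_id = p.principal_id
      AND rm.role_principal_id = (SELECT principal_id FROM sys.server_principals WHERE name = N'sysadmin')
WHERE p.type IN ('S', 'U', 'G')             -- SQL login, Windows login, Windows group
  AND (p.create_date >= @sinceLocal OR p.modify_date >= @sinceLocal)
ORDER BY p.modify_date DESC;
```

Correlate the actor, client_ip and application_name columns from the first result set with host and AD telemetry for the same window; a role change issued from an unexpected client address or an application name that does not match the usual tooling is the pattern to escalate on.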

Risks, gotchas, and operational caveats​

  • One-way servicing switch: If you apply a CU to an instance that has historically only taken GDR updates, you effectively switch servicing channels and cannot revert to GDR. This is a documented Microsoft servicing constraint — plan the switch deliberately. (support.microsoft.com)
  • Unsupported builds: If your SQL Server build is not listed in the KB mapping, you will not receive a fix for this CVE on that release; you must upgrade to a supported baseline to receive security updates. Microsoft’s KB pages list the affected build ranges and clarify end-of-support scenarios. (support.microsoft.com)
  • Driver and client compatibility: Although Microsoft bundles many driver fixes within the updates, client ODBC/OLE DB drivers in the environment may still require separate upgrades or reinstallation in some cases. Validate drivers in test before wide deployment. (support.microsoft.com)
  • Installer detection issues: Past CU installs have sometimes failed when instance registry entries are missing or when third‑party extensions alter the environment. If the installer fails to detect your instance, follow Microsoft’s troubleshooting guidance or capture the registry/installer logs for support. Community reports show this is a recurring operational friction point for SQL patching.
  • Kubernetes / Linux deployments: If you run SQL Server on Linux or containerized environments, follow the platform‑specific update commands and repository guidance to apply the appropriate CU packages. Microsoft’s KB pages include Linux update instructions. (support.microsoft.com/en-us/topic/kb5077469-description-of-the-security-update-for-sql-server-2019-cu32-march-10-2026-5ec2c609-35cb-483d-aa80-5e66821e5c97)

How Microsoft and independent trackers rated the risk​

Vendor advisory entries list the vulnerability classification (EoP) and map affected builds to KBs. Independent trackers included CVE-2026-26115 in their March 2026 coverage of Microsoft fixes and flagged the SQL Server EoP cluster as important, recommending immediate administrative action to patch affected systems. Use Microsoft’s Security Update Guide as the canonical mapping, and consult independent security blogs or ZDI briefings for community context and threat-level discussion. (support.microsoft.com)

Practical timeline and prioritization​

  • If your SQL Server instances are internet-exposed (directly reachable on the SQL port) or host sensitive production data, treat this as highest priority — schedule patching in the next maintenance window after testing.
  • For internal-only instances with robust network segmentation and restricted admin access, patch within a short, but reasonable, SLA (for example, within 7 calendar days), while maintaining compensating controls and heightened monitoring.
  • If you run many instances, use an automated, phased rollout: sample patch → canary in production → full roll out, with rollback playbooks and vendor support contacts prepared beforehand.

Example commands and inventory tips (operationally useful)​

  • Get canonical version metadata on each instance:
  • SELECT @@VERSION;
  • SELECT SERVERPROPERTY('ProductVersion') AS ProductVersion, SERVERPROPERTY('ProductLevel') AS ProductLevel, SERVERPROPERTY('Edition') AS Edition;
    These outputs are what Microsoft’s KB mapping expects; capture them before you change anything.
  • For estate-wide discovery, consider a PowerShell runbook that executes the SQL commands across instances (Invoke-Sqlcmd) or use dbatools to collect builds, then match the ProductVersion values against Microsoft’s published table. This speeds mapping for large environments.
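The version-to-package mapping described under "Mapping your product version to the right package" and the inventory step above, as one T-SQL script added here as an example (it is not Microsoft's tooling or code from the article). Beyond ProductVersion it reads ProductUpdateLevel and ProductBuildType to decide which servicing track the instance is on, converts the dotted build string into a comparable key, and reports PATCHED / NEEDS UPDATE / NO MAPPING. Assumptions: the @targets table is filled in from the Security Update Guide and KB pages; the only row taken from this article is the SQL Server 2019 CU32+GDR entry (KB5077469, build 15.0.4460.4), and the rule that any CUn update level means the CU track is our reading of the one-way servicing switch.

```sql
-- Added example, not from the Microsoft KB or the original article: classify the
-- servicing track of the current instance and compare its build with the post-patch
-- build for its major version and track.
-- Assumptions: @targets is completed from the Security Update Guide / KB mapping; only
-- the SQL Server 2019 CU32+GDR row (KB5077469 -> 15.0.4460.4) comes from this article.
DECLARE @targets TABLE (
    MajorVersion int         NOT NULL,   -- 15 = SQL Server 2019, 16 = SQL Server 2022
    Track        varchar(3)  NOT NULL,   -- 'CU' or 'GDR'
    PatchedBuild varchar(32) NOT NULL,   -- ProductVersion after the update is applied
    KB           varchar(16) NOT NULL
);
INSERT INTO @targets (MajorVersion, Track, PatchedBuild, KB)
VALUES (15, 'CU', '15.0.4460.4', 'KB5077469');
-- Add the remaining rows (2022, 2025, 2017, 2016 and the GDR-track builds) from the mapping.

DECLARE @version     varchar(32) = CONVERT(varchar(32), SERVERPROPERTY('ProductVersion'));
DECLARE @major       int         = CONVERT(int,         SERVERPROPERTY('ProductMajorVersion'));
DECLARE @updateLevel varchar(16) = CONVERT(varchar(16), SERVERPROPERTY('ProductUpdateLevel'));
DECLARE @buildType   varchar(16) = CONVERT(varchar(16), SERVERPROPERTY('ProductBuildType'));
DECLARE @updateRef   varchar(16) = CONVERT(varchar(16), SERVERPROPERTY('ProductUpdateReference'));

-- Servicing track (our rule): any CUn update level means a CU has been applied at some
-- point, i.e. the one-way move onto the CU track; a GDR layered on a final CU (such as
-- 2019 CU32+GDR) still reports the CU level and stays on the CU track. No CU level => GDR.
DECLARE @track varchar(3) = CASE WHEN @updateLevel LIKE 'CU%' THEN 'CU' ELSE 'GDR' END;

-- Version strings compare wrongly as text ('15.0.4460.4' < '15.0.999.1'), so turn the
-- four dotted parts into one bigint key before comparing.
DECLARE @curKey bigint =
      CONVERT(bigint, PARSENAME(@version, 4)) * 1000000000000
    + CONVERT(bigint, PARSENAME(@version, 3)) * 1000000000
    + CONVERT(bigint, PARSENAME(@version, 2)) * 10000
    + CONVERT(bigint, PARSENAME(@version, 1));

SELECT
    @@SERVERNAME   AS ServerName,
    @version       AS ProductVersion,
    @updateLevel   AS ProductUpdateLevel,
    @buildType     AS ProductBuildType,
    @updateRef     AS LastUpdateKB,
    @track         AS ServicingTrack,
    t.PatchedBuild AS TargetBuild,
    t.KB           AS TargetKB,
    CASE
        WHEN t.PatchedBuild IS NULL THEN 'NO MAPPING: check support status or complete @targets'
        WHEN @curKey >= k.TargetKey THEN 'PATCHED'
        ELSE 'NEEDS UPDATE'
    END AS PatchStatus
FROM (SELECT 1 AS dummy) AS x
LEFT JOIN @targets AS t
       ON t.MajorVersion = @major AND t.Track = @track
OUTER APPLY (
    SELECT CONVERT(bigint, PARSENAME(t.PatchedBuild, 4)) * 1000000000000
         + CONVERT(bigint, PARSENAME(t.PatchedBuild, 3)) * 1000000000
         + CONVERT(bigint, PARSENAME(t.PatchedBuild, 2)) * 10000
         + CONVERT(bigint, PARSENAME(t.PatchedBuild, 1)) AS TargetKey
) AS k;
```

Save it as a file and run it against each instance from the PowerShell runbook (Invoke-Sqlcmd -ServerInstance ... -InputFile ...), collecting the single result row per server into one CSV; re-running the same script after the update is the post-patch verification, since PatchStatus flips to PATCHED only when the reported build reaches the KB's build.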

What to do after patching​

  • Validate that the expected product version/build reported by SELECT SERVERPROPERTY('ProductVersion') matches the build listed in the KB. This confirms the update applied successfully. (support.microsoft.com)
  • Re-run application integration tests, scheduled jobs, and performance baselines.
  • Continue monitoring for anomalous behavior for at least a week post-deployment; patching can surface edge-case regressions in complex application environments.
  • Record the change in your CMDB and update any automated patch compliance reports.

When to call for help​

  • If the installer fails to detect an instance or errors with prerequisite checks, collect the setup logs and the instance registry keys before reaching out to vendor support. Community threads and Microsoft KBs show that missing registry keys or third-party agent changes commonly block installation and lengthen remediation time.
  • If post-patch behavior includes data corruption symptoms or replication breakage, escalate immediately with Microsoft support and your application vendor — do not attempt uncoordinated work on production databases.

Final verdict — practical advice you can act on now​

  • Do not delay: treat this as a patch-that-matters for any supported SQL Server instance in your estate. The vendor has published explicit KB packages mapped to builds; apply the one that corresponds to your installation after testing. (support.microsoft.com)
  • Inventory first, patch second. Capture ProductVersion from each instance, confirm the correct GDR/CU package from Microsoft’s mapping, and then follow a staged rollout plan with backups, test validation, and monitoring.
  • If you cannot patch immediately, isolate and harden the server, enforce least privilege, enable auditing, and watch for indicators of post-exploitation activity. Security researchers and vendors have echoed Microsoft’s advice: the fix is a software update; compensating controls are stopgaps, not replacements for patching.
  • Finally, if your SQL Server products are out of support and no KB mapping exists, plan and execute an upgrade to a supported baseline — unsupported versions will not receive fixes for CVE-2026-26115 or future vulnerabilities. (support.microsoft.com)
Patching SQL Server should be routine for any operations or security team — but it’s the details (correct package, GDR vs CU servicing history, driver compatibility, and testing discipline) that determine whether a rollout is safe and successful. Follow the mapping, test thoroughly, and prioritize exposure-reducing measures for any systems that cannot be patched immediately. (support.microsoft.com)

Source: MSRC Security Update Guide - Microsoft Security Response Center