Why This Security Update Matters for SQL Server 2017 Analysis Services

If you're running SQL Server 2017 Analysis Services, you need to apply KB5001989 immediately. This security update patches CVE-2021-31201, a remote code execution vulnerability that allows an attacker to compromise your server by sending a specially crafted query. Left unpatched, an affected Analysis Services instance is exposed to full remote takeover.

Remote code execution vulnerabilities are about as serious as it gets. Unlike a privilege escalation or information disclosure flaw, RCE means an attacker doesn't need physical access, valid credentials, or an existing foothold on your network. If your Analysis Services instance is reachable, the vulnerability is exploitable. That's the operational reality that makes this update non-negotiable.

What Is CVE-2021-31201 and What Does It Affect?

CVE-2021-31201 is a memory handling vulnerability in SQL Server 2017 Analysis Services. The root cause is a failure to properly handle objects in memory during query processing. When Analysis Services receives a specially crafted query, it mismanages the associated memory objects in a way that an attacker can exploit to execute arbitrary code in the context of the service account.

The affected component is SQL Server 2017 Analysis Services specifically. This is not a vulnerability in the core SQL Server Database Engine, Reporting Services, or Integration Services. If you're running Analysis Services as part of a SQL Server 2017 installation, whether as a standalone instance or as part of a broader BI stack, you're affected.

The practical attack surface depends on your environment. Analysis Services instances exposed directly to the internet carry the highest risk. But internal instances aren't automatically safe. Lateral movement within a compromised network is a well-documented attack pattern, and an internal Analysis Services server reachable from a compromised workstation is still a viable target.

What Does the Security Update Actually Fix?

Microsoft's fix, delivered as KB5001989, corrects the way SQL Server 2017 Analysis Services handles objects in memory during query processing. The update modifies the internal memory management logic so that specially crafted queries no longer produce the exploitable condition.

This is a targeted patch. It doesn't introduce new features, change configuration defaults, or alter Analysis Services behaviour in any way that would affect normal operations. The only change is in how the engine handles the specific class of malformed queries that trigger the vulnerability.

That means there's no functional regression risk to worry about. Applying this patch won't break your cubes, change your MDX or DAX query behaviour, or affect connected client tools like Excel, Power BI, or SSRS. It's a surgical fix.

How Do You Apply the SQL Server 2017 Analysis Services Security Update?

Applying KB5001989 is straightforward. There are two supported methods.

Option 1: Microsoft Download Center

  1. Go to the Microsoft Download Center and search for KB5001989, or use the direct link in the official Microsoft support article at https://support.microsoft.com/en-us/topic/kb5001989-security-update-for-sql-server-2017-analysis-services-cve-2021-31201-e5e05b8c-7b2a-4a5e-a130-6c868e6d9441.
  2. Download the appropriate package for your SQL Server 2017 build.
  3. Run the installer on the server hosting Analysis Services.
  4. Restart the Analysis Services service as prompted.
  5. Verify the build number post-installation to confirm the patch applied successfully.

Option 2: SQL Server Update Manager (Windows Server Update Services or SCCM)

If your organisation manages patches through WSUS or Microsoft Endpoint Configuration Manager (formerly SCCM), KB5001989 should be available through your existing patch management pipeline. Approve and deploy it through your standard process.

Regardless of the method you use, test the update in a non-production environment first if one is available. The risk of regression is low for this particular patch, but following your standard change management process is always the right approach.

How Do You Verify the Patch Has Been Applied?

After applying the update, confirm it took effect. Connect to your Analysis Services instance using SQL Server Management Studio and run the following query against the server properties:

SELECT SERVERPROPERTY('ProductVersion')

For Analysis Services specifically, you can check the build version through SSMS by right-clicking the Analysis Services instance in Object Explorer and selecting Properties. The build number should reflect the patched version as documented in KB5001989.

You can also verify through Windows Programs and Features or the SQL Server Installation Center, which will show the current patch level for each SQL Server component installed on the server.

Don't skip this step. Patch failures do happen, particularly in environments where Analysis Services was installed as a named instance or where the service account has restricted permissions. Confirming the build number takes 30 seconds and removes any doubt.
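As an added example, not part of the original article or of KB5001989, the following PowerShell script performs the build-number check from this section for every Analysis Services instance on the local server. It reads each instance's Setup registry key rather than the Database Engine's ProductVersion, so it reports the SSAS build itself; the key layout and the PatchLevel value are assumed to follow the usual SQL Server setup conventions, and the target build is a placeholder to be filled in from the KB article.

```powershell
# Added example (not Microsoft's or the article's own code): list every local
# Analysis Services instance with its patch level and compare it to the build
# KB5001989 installs. The target build below is a PLACEHOLDER; copy the real
# value from the KB5001989 support article before trusting the verdict.
$TargetBuild = [version]'14.0.0.0'   # PLACEHOLDER: build listed in KB5001989

function Get-SsasPatchLevel {
    # Assumed layout: 'Instance Names\OLAP' maps instance name -> instance id
    # (e.g. MSAS14.MSSQLSERVER), and <instance id>\Setup carries PatchLevel.
    $root  = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    $names = Get-ItemProperty "$root\Instance Names\OLAP" -ErrorAction Stop
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($p in $names.PSObject.Properties) {
        if ($p.Name -in $psNoise) { continue }          # provider metadata, not an instance
        $setup = Get-ItemProperty "$root\$($p.Value)\Setup"
        # PatchLevel reflects the last CU/GDR applied; fall back to the base Version
        $build = if ($setup.PatchLevel) { $setup.PatchLevel } else { $setup.Version }
        [pscustomobject]@{
            Instance   = $p.Name
            InstanceId = $p.Value
            Edition    = $setup.Edition
            Build      = [version]$build
        }
    }
}

foreach ($ssas in Get-SsasPatchLevel) {
    # Major version 14 is SQL Server 2017; other versions are out of scope for this CVE
    if ($ssas.Build.Major -ne 14) {
        '{0}: build {1} is not SQL Server 2017, CVE-2021-31201 does not apply' -f $ssas.Instance, $ssas.Build
        continue
    }
    if ($ssas.Build -ge $TargetBuild) {
        '{0}: build {1} is at or above the KB5001989 build, patched' -f $ssas.Instance, $ssas.Build
    } else {
        '{0}: build {1} is below {2}, KB5001989 still required' -f $ssas.Instance, $ssas.Build, $TargetBuild
    }
}
```

Run it in an elevated session on the Analysis Services host; a named instance appears under its own name, so each instance is checked independently rather than assuming the default instance was the one patched.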

What If You're Running a Newer Version of SQL Server?

CVE-2021-31201 specifically affects SQL Server 2017 Analysis Services. If you've already migrated to SQL Server 2019 or SQL Server 2022, this particular CVE doesn't apply to those versions.

That said, if you're still running SQL Server 2017, it's worth understanding where you stand on the broader support timeline. SQL Server 2017 mainstream support ended in October 2022, and extended support runs until October 2027. You'll continue receiving security updates through extended support, but new feature development and non-security fixes are no longer part of the picture.

If your Analysis Services workloads are still on SQL Server 2017, patching is essential. But it's also worth having a migration roadmap conversation sooner rather than later. SQL Server 2022 Analysis Services brings meaningful improvements to query performance, compatibility, and supportability.

Why Do Organisations Delay Patching Analysis Services?

It's a fair question, and the honest answer is that Analysis Services often gets overlooked in patching cycles. The Database Engine tends to get the most attention because it's the component most people interact with directly. Analysis Services instances, particularly in organisations where the BI workload is managed by a separate team, can quietly fall behind on patches without anyone noticing.

There's also a misconception that Analysis Services is lower risk because it's "only" used for reporting and analytics. But the service account under which Analysis Services runs often has broad access to source data, connected databases, and in some cases, Active Directory. Compromising the service account through an RCE vulnerability gives an attacker a significant foothold.

Treating Analysis Services as a first-class citizen in your patch management process is the right approach. It's part of your SQL Server estate, and it deserves the same patching discipline as your production Database Engine instances.

Key Takeaways

  • CVE-2021-31201 is a remote code execution vulnerability in SQL Server 2017 Analysis Services caused by improper memory object handling during query processing.
  • KB5001989 is the security update that patches this vulnerability. It should be applied to all SQL Server 2017 Analysis Services instances immediately.
  • The patch is available via the Microsoft Download Center or through WSUS and SCCM. It does not change Analysis Services functionality and carries minimal regression risk.
  • Always verify the build number after patching to confirm the update applied successfully.
  • Analysis Services is frequently overlooked in patching cycles. Treat it with the same urgency as your Database Engine instances.

Keeping your SQL Server estate patched and secure requires consistent attention across every component, not just the Database Engine. At DBA Services, our SQL Server health checks include a full review of patch levels across all installed SQL Server components, including Analysis Services, covering both security vulnerabilities and cumulative update status. If you're not confident your environment is fully patched, contact our team to arrange an assessment.