SQL Server 2022 First Update: What You Need to Know About the February 2023 Security Patches
Microsoft released critical security updates for SQL Server in February 2023, covering every supported version from SQL Server 2014 through to SQL Server 2022. While SQL Server 2022's first Cumulative Update was still pending at the time, these security patches addressed five remote code execution vulnerabilities and several significant bugs that every SQL Server environment needed to address promptly.
If you're running any supported version of SQL Server, these updates were not optional. Remote code execution vulnerabilities are about as serious as it gets.
Where Was SQL Server 2022's First Cumulative Update?
At the time of these February 2023 patches, SQL Server 2022 had been in general availability for 91 days since its RTM (Release to Manufacturing) release, yet its first Cumulative Update had not yet shipped. That's worth noting because it left organisations running SQL Server 2022 in an awkward position: a brand-new version with known issues documented in the release notes, but no CU yet to address them.
Several features that were promoted as part of SQL Server 2022 were still in preview at this point, including Query Store for secondary replicas and failover capabilities with Azure SQL Database Managed Instances. If your organisation was planning to use those features in production, you were still waiting.
The security-only update for SQL Server 2022 RTM was available, which addressed the vulnerabilities listed below. But for bug fixes and preview feature graduation, the first CU was the target.
What Vulnerabilities Did These Updates Patch?
The February 2023 security updates addressed five CVEs across all supported SQL Server versions. These were not minor issues. Four of the five were remote code execution vulnerabilities, meaning an attacker could potentially execute arbitrary code on a vulnerable SQL Server instance.
Here is a summary of each CVE:
CVE-2023-21528 - SQL Server Remote Code Execution Vulnerability
An authenticated attacker could exploit this vulnerability to execute code remotely on the target SQL Server. The attack vector requires network access and valid credentials, but that's a low bar in many environments where SQL Server authentication is widely distributed.
CVE-2023-21704 - Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
This vulnerability affected the ODBC driver itself, meaning the risk extended beyond the server to any client application using the ODBC driver to connect to SQL Server. Patch coverage needed to include client machines, not just the server.
CVE-2023-21705 - SQL Server Remote Code Execution Vulnerability
A second server-side RCE vulnerability, separate from CVE-2023-21528. Both needed to be patched. Running one fix without the other left the instance exposed.
CVE-2023-21713 - SQL Server Remote Code Execution Vulnerability
A third server-side RCE. At this point, the pattern was clear: the February 2023 update cycle carried an unusually high concentration of serious vulnerabilities.
CVE-2023-21718 - Microsoft SQL ODBC Driver Remote Code Execution Vulnerability
A second ODBC driver vulnerability, distinct from CVE-2023-21704. Again, this affected client-side components, which often get overlooked when DBAs focus patching efforts purely on the server.
All five CVEs are documented on the Microsoft Security Response Centre at msrc.microsoft.com. Cross-reference your patch level against the MSRC advisory for each CVE to confirm whether your specific build was affected.
Which Bugs Were Fixed in These Updates?
Beyond the CVEs, the security updates addressed several notable bugs. Three of them are worth understanding in detail because they reflect real operational risks.
Statistics Memory Corruption (KB reference 2033045)
An authenticated attacker could affect SQL Server memory by running a specially crafted CREATE STATISTICS or UPDATE STATISTICS statement. This is particularly concerning because statistics maintenance is a routine DBA task, and many environments run automated statistics update jobs. A malicious user with sufficient permissions could exploit this during a normal maintenance window, degrading query optimiser performance or causing instability.
Data Quality Services Privilege Escalation (KB reference 2029156)
Any member of the DQS KB Operator role or higher could execute arbitrary code on the SQL Server host, running under the SQL Server service account. If your SQL Server service account has elevated Windows permissions (which it shouldn't, but often does in practice), this becomes a significant lateral movement risk. This bug affected environments using Data Quality Services, which is a feature that's often installed but rarely actively monitored.
ODBC Driver Memory Corruption During Server-to-Server Communication (KB reference 2120756)
In specific circumstances, a memory corruption issue could occur in the ODBC driver when two SQL Server instances were communicating with each other, particularly when the target server was running a down-level version of the Tabular Data Stream (TDS) protocol. The result was incorrect decoding of image data types on the client side. This one's subtle. It wouldn't necessarily cause obvious failures, but it could produce silent data corruption in applications passing image or binary data between linked servers.
Which SQL Server Versions Were Covered?
The February 2023 security updates covered every version of SQL Server still under Microsoft's support lifecycle at the time:
- SQL Server 2022 (RTM security update)
- SQL Server 2019 (CU19 + security update)
- SQL Server 2017 (CU31 + security update)
- SQL Server 2016 SP3 (security update)
- SQL Server 2014 SP3 CU4 (security update)
If you were running SQL Server 2012 or earlier, those versions had already reached end of extended support and were not covered. Running an unsupported version means no CVE patches, ever. That's a compliance and security risk that no business justification can adequately offset.
What Should You Have Done?
The action sequence for these updates was straightforward:
- Identify which SQL Server versions are running in your environment, including instances on application servers and developer workstations.
- Check the current build number for each instance using SELECT @@VERSION.
- Cross-reference against the relevant KB article for your version to confirm whether the security update had been applied.
- Patch server-side components through Windows Update or by downloading the update directly from the Microsoft Update Catalogue.
- Patch client-side ODBC drivers on any machine connecting to SQL Server, not just the servers themselves. CVE-2023-21704 and CVE-2023-21718 both required client-side patching.
- Test in a non-production environment before rolling out to production where your change management process requires it.
- Validate post-patch by confirming the build number has incremented and running a basic connectivity and query test.
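The inventory, build-check and validation steps above can be scripted once the @@VERSION output has been collected from each instance. The following is an added example (not code from the original article or from DBA Services): it parses the build number out of @@VERSION text, maps the major version to a product, flags versions outside the support lifecycle, and compares the rest against a minimum patched build. The MIN_PATCHED_BUILD thresholds and the inventory strings are placeholders constructed for the demo; take the real fixed build for your branch from the KB article, remembering that the GDR and CU branches of the same version carry different build numbers.

```python
import re

# Well-known major-version -> product mapping (not taken from the article).
PRODUCT_BY_MAJOR = {16: "SQL Server 2022", 15: "SQL Server 2019", 14: "SQL Server 2017",
                    13: "SQL Server 2016", 12: "SQL Server 2014", 11: "SQL Server 2012"}
# Versions the February 2023 updates covered; anything older gets no CVE patch.
SUPPORTED_MAJORS = {16, 15, 14, 13, 12}

# PLACEHOLDER thresholds: replace each with the fixed build from the KB article
# for the branch (GDR or CU) that the instance is actually on.
MIN_PATCHED_BUILD = {
    16: (16, 0, 1050, 5),
    15: (15, 0, 4280, 7),
    14: (14, 0, 3460, 9),
    13: (13, 0, 6419, 1),
    12: (12, 0, 6444, 4),
}

# Constructed sample inventory: instance name -> @@VERSION text captured from it.
SAMPLE_INVENTORY = {
    "SQL01": "Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)",
    "SQL02": "Microsoft SQL Server 2019 (RTM-CU18-GDR) - 15.0.4280.7 (X64)",
    "SQL03": "Microsoft SQL Server 2012 (SP4-GDR) - 11.0.7469.6 (X64)",
}


def parse_build(version_text):
    """Return the four-part build (major, minor, build, revision) from @@VERSION output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", version_text)
    if not m:
        raise ValueError("no build number found in: %r" % version_text)
    return tuple(int(part) for part in m.groups())


def assess(version_text, min_builds=MIN_PATCHED_BUILD):
    """Classify one instance as PATCHED, NEEDS_PATCH or UNSUPPORTED."""
    build = parse_build(version_text)
    major = build[0]
    product = PRODUCT_BY_MAJOR.get(major, "unknown (major %d)" % major)
    if major not in SUPPORTED_MAJORS:
        return product, build, "UNSUPPORTED"
    # Tuple comparison orders by major, then minor, then build, then revision.
    status = "PATCHED" if build >= min_builds[major] else "NEEDS_PATCH"
    return product, build, status


def triage(inventory, min_builds=MIN_PATCHED_BUILD):
    """Map every instance in the inventory to its patch status."""
    return {name: assess(text, min_builds)[2] for name, text in inventory.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_INVENTORY.items():
        product, build, status = assess(text)
        print("%-6s %-16s %-14s %s" % (name, product, ".".join(map(str, build)), status))
```

Run the same script again after patching: every instance that was NEEDS_PATCH should now report PATCHED, which covers the post-patch build-number check in the last step.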
The ODBC driver patching step is the one most commonly missed. Server teams patch the instance, but nobody tells the application team to update the drivers on the app servers. Weeks later, a vulnerability scan flags the unpatched drivers and the whole process starts again.
Key Takeaways
- The February 2023 SQL Server security updates addressed five remote code execution vulnerabilities across all supported versions from SQL Server 2014 to SQL Server 2022. These were high-severity patches that required prompt action.
- Two of the five CVEs affected the ODBC driver, not just the SQL Server instance itself. Client-side patching was required, not just server-side.
- SQL Server 2022 was 91 days post-RTM without a Cumulative Update at the time, meaning some documented bugs and preview features remained unresolved until the first CU shipped.
- The DQS privilege escalation bug (2029156) was a meaningful risk in environments where the SQL Server service account had elevated Windows permissions, a common misconfiguration that amplifies the impact of vulnerabilities like this.
- Running end-of-life SQL Server versions such as SQL Server 2012 means no CVE coverage. Those instances received no patch for any of these vulnerabilities.
Keeping SQL Server patched is one of the most fundamental responsibilities in database administration, but it's also one of the most frequently deferred. If your organisation doesn't have a defined patch cadence and a clear process for tracking SQL Server build versions across your environment, you're likely running exposed instances without knowing it.
DBA Services provides SQL Server health checks and managed support for organisations across Australia. A health check will identify every SQL Server instance in your environment, confirm current patch levels, flag any instances running unsupported versions, and give you a prioritised remediation plan. Contact us to find out how we can help you stay on top of SQL Server patching before the next round of CVEs lands.