Did KB4293807 incorrectly supersede KB4340355?

I think there may be a mistake in the fixlets for KB4340355 and KB4293807.

The fixlet for CU2 on SQL Server 2016 SP2 (KB4340355) seems to have been incorrectly superseded by the August security patch (KB4293807) for remote code execution on SQL Server 2016 SP2 (CU).

Can someone please verify my logic? I still need to apply CU2 (KB4340355) before I can apply KB4293807, correct?

The MS catalog does show KB4293807 superseding KB4340355 under package details.
https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=0160a6a1-dd7b-4e91-93d3-c5c244d5128b

The download center page for it also mentions the following in the Install Instructions.

This update refreshes Microsoft SQL Server 2016 SP2 CU that have had a Cumulative Update applied (versions 13.0.5149.0 (CU1)-13.0.5153.0 (CU2)).
For Microsoft SQL Server 2016 SP2 instances that have not had any Cumulative Update applied (version 13.0.5026.0), please see 2016 SP2 GDR. After you install this update, you may have to restart your computer.

https://www.microsoft.com/en-us/download/details.aspx?id=57266&WT.mc_id=rss_alldownloads_all

From that snippet, it doesn’t sound like CU2 is a prerequisite.

Very interesting. So the link for the MS Catalog is very clear that KB4293807 supersedes KB4340355.

But where I get caught is that I have 2016 SP2 instances with no CUs applied and I need to apply CU2, but now I can’t because it is superseded. The paragraph you included from the install instructions states to use KB4293807 on instances with the CUs (1 or 2), and essentially to use KB4293802 for instances that have not had CUs applied. That’s great for the update…but what about if I want to apply a CU? Now I can’t. Right?

If KB4293807 were to supersede CU1 (KB4135048) and CU2 (KB4340355), then that would make this ‘security update’ a cumulative update and essentially what we would know as CU3, but it’s not…it’s a security update.

According to this CVE article in the chart under the FAQ section (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8273), I would only apply KB4293807 if I have versions 13.0.5149.0 (CU1) - 13.0.5153.0 (CU2) installed, but I don’t so now I need to apply KB4293802 because I have version 13.0.5026.0 - 13.0.5099.0 installed.

So with CU2 now being superseded by a security update, how in the world do I get to a CU2 level if it’s been superseded and I can only apply KB4293807 if I have versions 13.0.5149.0 (CU1) - 13.0.5153.0 (CU2) installed?

I think the MS documentation is wrong.

Bump.

Agree or disagree?

Agree that the means to get to CU2 should still be available.

The fixlet for KB4340355 is now back in Patches for Windows version 3069 in its un-superseded form.

Thank you! I know we could have made a custom copy of this content and worked out a fix ourselves, but I’m never a fan of doing a custom copy for a ‘fix’.

Hi,

The same situation occurs for other versions (e.g. Microsoft SQL Server 2014). The security update KB4293807 is actually really superseding SP2 CU2 (KB4340355 - https://support.microsoft.com/en-us/help/4340355) and SP2 CU1. In the meantime the update has expired and been replaced by KB4458621 (https://support.microsoft.com/en-us/help/4458621), which also supersedes SP2 CU2 and SP2 CU1. This update fixes security vulnerability CVE-2018-8273 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8273), BUT it also contains the content from “KB4293807 – SP2 CU2-GDR”, as indicated by the column “This security update also includes servicing releases up through…” in the FAQ’s table. Now, this should be read as “the content of KB4293807 and ‘SP2 CU2-GDR’” (with “SP2 CU2-GDR” meaning “CU2 for SP2”, or “some GDR level for SP2 and actually more than that, i.e. CU2 for SP2”), so without SP2 itself (see a bit further for extra details about the GDR part).

In other words, if you have an installation of Microsoft SQL Server 2016 SP2 RTM (13.0.5026.0) or later, this security update alone (KB4458621) should bring you to the latest version (13.0.5201.2, although the download page for the update (https://www.microsoft.com/en-us/download/details.aspx?id=57266&WT.mc_id=rss_alldownloads_all) talks about 13.0.5201.1 instead…), which is higher than the one associated with CU2 (13.0.5153.0). This is indeed somewhat weird for a “security update”, but I guess you must see this as a misnomer AND an inconsistency for Microsoft SQL Server. It’s actually “the latest CU + a ‘classic’/single security update”. This is not a real surprise if you take a look at the file sizes of KB4458621 (672.5 MiB) and CU2 (670.9 MiB). I’ve double-checked it myself: I had a Microsoft SQL Server 2016 RTM (13.0.5026.0) installation and by installing KB4458621 I ended up with version 13.0.5201.2.

Furthermore, the name of the latest security update is “Security Update for SQL Server 2016 Service Pack 2 CU (KB4458621)”, where “CU” refers to the CU servicing branch. If the security update were just a single update, the targeted servicing branch (CU or GDR) wouldn’t matter. So the designation “CU” actually implies the security update also contains the content of CU2 (and thus CU1 too). Put differently, not only CU1 and CU2 follow the CU branch, but so does security update KB4458621. So even if the latter is not a CU itself, it does contain CU2 and it follows the CU servicing branch (I know, if this is all new to you, it can be VERY confusing, but it is actually logical). The download page for the update talks about “This update refreshes Microsoft SQL Server 2016 SP2 CU”, which should be interpreted as “taking Microsoft SQL Server 2016 SP2 to the latest version in the CU servicing branch”, again implying CU2 is included.

On the other hand the table I mentioned a few lines ago also tells us the security update is applied if the current version is “13.0.5149.0 - 13.0.5161.0” (13.0.5149.0 is CU1). This means the update wouldn’t apply if the installation doesn’t contain a CU yet. In that case KB4293802 is needed: this is the same “security update”, but without the older CU stuff; it follows the GDR servicing branch, which is ONLY cumulative for critical updates and is valid only BEFORE CU1. TBH, I haven’t the faintest idea why that table doesn’t talk about “13.0.5026.0 - 13.0.5161.0” for KB4458621, especially because the text immediately under the table DOES say that the CU variant of the security update (KB4458621) can be applied on SP2 pre-CU1 AND I have succeeded in installing it on 13.0.5026.0. It could be a mistake in the documentation (“13.0.5149.0 - 13.0.5161.0” should actually be “13.0.5026.0 - 13.0.5161.0” for KB4458621) OR it’s correct, but you should interpret it in a quite unexpected way (like “13.0.5149.0 - 13.0.5161.0”, while you should implicitly also accept the range of the GDR variant of the security update (“13.0.5026.0 - 13.0.5099.0”)).

Attention: the download page for the update also says “KB4293807 has been superseded and replaced with KB4458621.”. Well, this is only correct if “superseded” is interpreted in a purely linguistic way and not in a technical way per the Microsoft update servicing jargon, as technically KB4293807 is expired and not superseded by KB4458621. But because KB4458621 is the replacing update content-wise, you could linguistically say that it is “superseding” the older KB. Still following? :)
Then, on the same page one can read “* These security updates are for SQL Server instances that have applied a Cumulative Update.”. Sigh… This is true, but ambiguous. It means “SQL Server instances that have applied a Cumulative Update need these security updates, but those updates can also serve SQL Server instances without a CU”. Do NOT read it as “These security updates are only for SQL Server instances that have applied a Cumulative Update.”.
And it’s still not over: “This update is applicable to SQL Server 2016 SP2 CU instances installed on supported Windows Operating System.” is ambiguous too. “CU” here means “being an update from the CU servicing branch” and not “being a CU update itself”. Know that the RTM of SP2 can be considered as belonging to both the GDR and the CU servicing branch, so although this text could easily give the impression that the security update in question doesn’t apply to the SP2 RTM, that is not correct. You see, it depends on how exactly you read some lines, and if you don’t see the ambiguity or if you read something a little bit wrong, you get the wrong conclusions!
And then… “This update refreshes Microsoft SQL Server 2016 SP2 CU that have had a Cumulative Update applied (versions 13.0.5149.0(CU1)-13.0.5161.0(CU2-GDR).
For Microsoft SQL Server 2016 SP2 instances that have not had any Cumulative Update applied (version 13.0.5026.0-13.0.5081.1), please see 2016 SP2 GDR. After you install this update, you may have to restart your computer.”. Oh, oh, oh… Strictly speaking Microsoft doesn’t say that the CU variant (KB4458621) can’t be used, but they certainly give that impression here!!! (As a side note, it is weird they speak of version range 13.0.5026.0-13.0.5081.1 here for the GDR variant, while https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8273 speaks of 13.0.5026.0-13.0.5099.0…) But again, the text immediately under the FAQ table at https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8273 and my test (13.0.5026.0 + KB4458621 = 13.0.5201.2 (> 13.0.5153.0 (CU2))) point to the opposite.

In other words: everything is correct and logical and it’s no big deal if CU2 doesn’t show up anymore as an update, while KB4458621 does. So you could for example even decline CU2 in WSUS while approving KB4458621, even when you have Microsoft SQL Server 2016 SP2 pre-CU1 installations. But… I think Microsoft should definitely use unambiguous and complete descriptions, explanations AND names, and even write a blog post about this topic. Also, this security update behavior isn’t the most common and expected one and should at least be reconsidered (but perhaps there is a valid reason for what they are doing - and don’t forget that the “CU” substring in the name of the security update already implies something that makes the security update different, so this already denotes the security update as a not-so-default type of security update). But again, even if there is a valid reason and they don’t change a thing, at least the naming, descriptions and explanations should be clearer, and that’s an understatement…

I’m sorry if this answer is a little bit overloaded, but I think it’s needed to deal with every possible source of confusion, once and for all :) If I need to elaborate on something, please let me know!

PS: because I’m a new user I can only enter at most 2 links in a single post, so I had to break some links a little bit, but I’m sure everyone here is able to fix those links :)

Ciao!

Padre Pedro
WinDoh: https://windoh.wordpress.com
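The triage the thread keeps circling back to (which build range an instance is in, which of KB4293802 / KB4458621 applies, and where KB4458621 leaves you) is easy to get wrong by hand, so here is a small build-number classifier as an added example. It is not code from the original posts or from Microsoft; the version ranges are the ones the posts quote from the MSRC CVE-2018-8273 FAQ table and the KB4458621 download page, the resulting build 13.0.5201.2 is the value the last poster reports observing (the download page says 13.0.5201.1), and the assumption that KB4458621 also installs on a pre-CU1 SP2 build rests on that poster's test. Builds are compared as integer tuples, which matters because string comparison puts "13.0.999.0" above "13.0.5026.0".

```python
# Added example, not from the original thread: classify a SQL Server 2016 SP2
# build against the servicing-branch ranges quoted in the posts above.
from __future__ import annotations

Build = tuple[int, int, int, int]


def parse_build(text: str) -> Build:
    """'13.0.5026.0' -> (13, 0, 5026, 0); rejects anything that is not four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part SQL Server build: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


# Ranges as quoted in the thread from the MSRC CVE-2018-8273 FAQ table.
SP2_RTM = parse_build("13.0.5026.0")
GDR_RANGE = (SP2_RTM, parse_build("13.0.5099.0"))                     # KB4293802, GDR branch
CU_RANGE = (parse_build("13.0.5149.0"), parse_build("13.0.5161.0"))   # KB4458621, CU branch
CU2 = parse_build("13.0.5153.0")
# Build the poster observed after installing KB4458621 on 13.0.5026.0
# (assumption taken from that post; the download page lists 13.0.5201.1).
CU_BRANCH_FIXED = parse_build("13.0.5201.2")


def in_range(b: Build, rng: tuple[Build, Build]) -> bool:
    lo, hi = rng
    return lo <= b <= hi


def applicable_updates(version: str) -> dict:
    """Return the servicing branch of a build and the security updates that apply to it."""
    b = parse_build(version)
    if b[:2] != (13, 0) or b < SP2_RTM:
        return {"build": version, "branch": "not SQL Server 2016 SP2", "updates": []}
    if b >= CU_BRANCH_FIXED:
        return {"build": version, "branch": "CU", "updates": [],
                "note": "already at or above the KB4458621 level"}
    if in_range(b, CU_RANGE):
        return {"build": version, "branch": "CU", "updates": ["KB4458621"]}
    if in_range(b, GDR_RANGE):
        # Pre-CU1 instances take the GDR update; per the text under the MSRC FAQ
        # table and the poster's test, the CU-branch update also installs here.
        return {"build": version, "branch": "GDR (pre-CU1)",
                "updates": ["KB4293802", "KB4458621"]}
    return {"build": version, "branch": "unknown", "updates": [],
            "note": "build is outside both published ranges; check the KB by hand"}


def expected_after_kb4458621(version: str) -> str:
    """Build you land on after KB4458621 on any eligible SP2 build (CU2 content included)."""
    r = applicable_updates(version)
    if "KB4458621" not in r["updates"]:
        raise ValueError(f"KB4458621 does not apply to {version}: {r}")
    return ".".join(map(str, CU_BRANCH_FIXED))


def is_at_least_cu2(version: str) -> bool:
    """True once the instance is at or past the CU2 build, whatever update got it there."""
    return parse_build(version) >= CU2


if __name__ == "__main__":
    # Constructed sample of what SELECT SERVERPROPERTY('ProductVersion') might
    # return on a few instances; none of these are real hosts.
    for v in ["13.0.5026.0", "13.0.5081.1", "13.0.5149.0",
              "13.0.5153.0", "13.0.5201.2", "12.0.5000.0"]:
        print(v, applicable_updates(v))
    # Why the tuple comparison: the string form orders these the wrong way round.
    assert "13.0.999.0" > "13.0.5026.0" and parse_build("13.0.999.0") < SP2_RTM
    print("13.0.5026.0 + KB4458621 ->", expected_after_kb4458621("13.0.5026.0"))
```

Feed it the ProductVersion of each instance (for example from `SELECT SERVERPROPERTY('ProductVersion')`) and an SP2 RTM instance comes back with both updates listed, which is the thread's conclusion: you do not need CU2 first, KB4458621 carries it.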