KB4293801 (x64) Relevance Issue

There seems to be a relevance issue with the above-mentioned KB … It's for a remote code execution in SQL 2016 SP1
The issue I have so far traced is looking for a nonexistent Version key or number in the Setup key
The Patch Level is there but no Version number

Version of Site 3066

Seeing the below relevance in one of the superseded fixlets related to SQL 2016 SP1

(exists keys whose (exists value "CurrentVersion" whose ((it = "13.0" AND it < "13.0.4001.0") of (it as string as version)) of key "MSSQLServer\CurrentVersion" of it) of (keys "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server" of it) of (x64 registry) AND exists ((((if exists match (regex "\((.*)\)") of it then parenthesized part 1 of first match (regex "\((.*)\)") of it else it) of (if it contains "$" then following text of first "$" of it else it)) of display name of it) of services whose (exists file (first match (case insensitive regex "[^%22]*sqlservr.exe") of (image path of it)) whose ((it = "13" AND it < "13.0.4001.0") of product version of it)) , names of values of keys "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL" of (x64 registry)) whose (item 0 of it = item 1 of it))

Issue with patch relevance: CC: @bma @jeremylam

The Version key isn’t there for that particular Setup key on my system either, yet the relevance is returning True. It looks like there are other “Setup” keys under “HKLM\SOFTWARE\Microsoft\Microsoft SQL Server” that have both “Version” and “PatchLevel” keys.

The following relevance should show you these keys:

q: keys whose (exists value "Version" of key "Setup" of it AND exists value "PatchLevel" of key "Setup" of it) of (keys "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server" of it) of (x64 registry)

Do you get any results when you run that query?

No… Nothing… But the Version and Patch levels are in the following key

I have actually applied the patch from Windows Update … and now I see


In Programs and Features… Note how several items were updated that same time.

There’s an updated KB4293801 fixlet released in Patches for Windows version 3070 that addresses an issue where the fixlet was not becoming relevant for systems that did not install the database component, but did have the other SQL Server 2016 features.

I’m not entirely sure whether this is the case for your particular system but from the original screenshot, it looks like it could be.
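
An added diagnostic example, not part of the thread and not BigFix content: a PowerShell script that lists, for each subkey of the SQL Server registry root, the Setup values the query above looks for next to the database-engine evidence the superseded relevance depends on (the `MSSQLServer\CurrentVersion` key and a service running `sqlservr.exe`). The column names and the wording of the messages are this example's own.

```powershell
# Added example. Run in 64-bit PowerShell so the native registry view is read,
# matching "(x64 registry)" in the relevance quoted in the thread.
if (-not [Environment]::Is64BitProcess) {
    Write-Warning '32-bit process: registry reads are redirected to WOW6432Node.'
}

$root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

# Database engine services, identified the way the superseded relevance does:
# by a service image path that points at sqlservr.exe.
$engineServices = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match 'sqlservr\.exe' })

$rows = foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    $setup  = Get-ItemProperty -Path "$($key.PSPath)\Setup" -ErrorAction SilentlyContinue
    $engine = Get-ItemProperty -Path "$($key.PSPath)\MSSQLServer\CurrentVersion" -ErrorAction SilentlyContinue

    # Skip subkeys that carry none of the values either check reads.
    if (-not ($setup.Version -or $setup.PatchLevel -or $engine.CurrentVersion)) { continue }

    [pscustomobject]@{
        SubKey               = $key.PSChildName
        SetupVersion         = $setup.Version
        SetupPatchLevel      = $setup.PatchLevel
        EngineCurrentVersion = $engine.CurrentVersion
    }
}

$rows | Format-Table -AutoSize
"Services running sqlservr.exe: $($engineServices.Count)"

$hasSetup  = @($rows | Where-Object { $_.SetupVersion -or $_.SetupPatchLevel }).Count -gt 0
$hasEngine = (@($rows | Where-Object EngineCurrentVersion).Count -gt 0) -and
             ($engineServices.Count -gt 0)

if ($hasSetup -and -not $hasEngine) {
    # The case described for the updated fixlet: SQL Server 2016 features are
    # installed, but there is no database engine instance for an engine-keyed
    # check to match, so that check is False whatever the patch state.
    'SQL Server features present without a database engine instance.'
} elseif ($hasEngine) {
    'Database engine instance present; engine-keyed relevance can evaluate it.'
} else {
    'No SQL Server Setup or engine version values found under the root key.'
}
```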