Relevance Issue (MS21-JAN-Security update for SQL Server 2012 SP4 GDR - SQL Server 2021 SP4 - KB4583465 )

page.jp.1 2022-11-17 21:46:55 UTC #1

MS21-JAN-Security update for SQL Server 2012 SP4 GDR - SQL Server 2021 SP4 - KB4583465
MS21-JAN-Security update for SQL Server 2012 SP4 GDR - SQL Server 2021 SP4 - KB4583465 (x64)

Needs a 5th relevance

not exists key whose ((it contains “microsoft sql server 2012 express localdb”) of (value “DisplayName” of it as string as lowercase)) of key “HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall” of it of (native registry)

The reason is that “Microsoft SQL Server 2012 Express LocalBD” this is a flat install of minimal components for a local SQL db think of it as lowjack sql or ms sql version of like Access DB that is used by .net applications and things like Veeam Backup and Recovery 11.

The more important bit is that “Microsoft SQL Server 2012 Express LocalBD” is not a full SQL install thus the KB45583465 package and other similar ones will never run and will fail as it cannot upgrade stuff that was never installed on the system in the first place due to this being a limited install type vs a full SQL instance which the KB is designed to patch.

If you run this fixlet manually on a box with the localdb you will see this error.
“There are no SQL Server instances or shared features that can be updated on this computer”

Please fix this ASAP.

gus 2022-11-18 20:18:40 UTC #2

Hi @page.jp.1, I’ve experimented with this fixlet and agree that it does not successfully update “Microsoft SQL Server 2012 Express LocalDB” as it is currently configured to launch and execute the installation in the action script. However this package technically has the fix / updated MSI file for “Microsoft SQL Server 2012 Express LocalDB” which upgrades the version to 11.4.7507.2. I’ll raise this issue internally to see what we can do given that the fix is embedded in the installation file sqlserver2012-kb4583465-x64_c6e5ea14425fed26b885ab6b70aba8622817fd8c.exe. If you extract the contents of this package, you’ll find this file .\1033_enu_lp\x64\setup\x64\sqllocaldb.msi and this is the MSI package that successfully updates the installation to version 11.4.7507.2. Once this package is installed, it will drop the applicability of this fixlet.

Before:

After:

JasonWalker 2022-11-18 21:40:18 UTC #3

I’m not sure how far back the issue goes (given I don’t think Microsoft supports 2012r2 anymore), but it did seem to be a known issue in some versions of SQL 2017 that the installer did not handle LocalDB properly
https://support.microsoft.com/en-au/topic/kb4526524-fix-sql-update-package-does-not-update-local-db-files-correctly-when-installed-using-sqllocaldb-msi-d091e021-37fb-2449-bd40-d95c6c9db4b4

page.jp.1 2022-11-18 21:50:45 UTC #4

Both good points, ideally i’d like the relevance fixed or a secondary action when this is encountered to do only that other bit you mentioned (extracting then updating the 1 component to escape the relevance) so we do not have to manually hit such systems especially since I have hundreds.

page.jp.1 2022-11-22 17:08:27 UTC #5

Any more updated packages to fix this yet this is affecting compliance % due to the blown relevance.

JasonWalker 2022-11-22 18:39:41 UTC #6

I think the bigger issue is that these systems really are non-compliant until the patch is installed, but a bug in the MS installer is preventing it from patching LocalDB instances correctly.

That may be something the Patch team can work around, @ADL ? But in the meantime, your LocalDB instances really are vulnerable to whatever issues are corrected by the patch.

page.jp.1 2022-11-22 19:09:55 UTC #7

Correct which is why I suggested a secondary path to install the single component that is actually missing, since the installer from MS is broken can the team unpack and pull the single component out and create either a separate patch to send to just the express localdb instances which after it runs will make them irrelevant for the parent patch.

or a first step on the parent patch to patch those express localdb instances first then the relevance would kick out those on the parent patch on the second pass for relevance checking.

ADL 2022-11-23 16:10:16 UTC #8

Hi @page.jp.1

since this is a product that is out of support (end of life was July 2022), I am not in favour of making any change to existing published fixlets.

However, I am checking with the Patch Team if they can help you providing a custom fixlet that would update the SQL Server 2012 R2 Express LocalDB running in your environment (this fixlet would basically only run the specific .msi file that is embedded in the binary provided by MS). This should resolve your compliance issue.

I will keep you updated once I get a confirmation from the team.

Thanks
Alessandro De Lorenzi

page.jp.1 2022-11-28 15:06:09 UTC #9

Thanks please let me know when this is released and I will test it on a few systems then work internally here to get it to the ones that are showing the false positive for the master patch KB4583465.