Relevance Issue (MS21-JAN-Security update for SQL Server 2012 SP4 GDR - SQL Server 2021 SP4 - KB4583465 )

MS21-JAN-Security update for SQL Server 2012 SP4 GDR - SQL Server 2021 SP4 - KB4583465
MS21-JAN-Security update for SQL Server 2012 SP4 GDR - SQL Server 2021 SP4 - KB4583465 (x64)

Needs a 5th relevance

not exists key whose ((it contains "microsoft sql server 2012 express localdb") of (value "DisplayName" of it as string as lowercase)) of key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of it of (native registry)

The reason is that “Microsoft SQL Server 2012 Express LocalDB” is a flat install of minimal components for a local SQL DB. Think of it as lowjack SQL, or the MS SQL version of something like an Access DB, that is used by .NET applications and things like Veeam Backup and Recovery 11.

The more important bit is that “Microsoft SQL Server 2012 Express LocalDB” is not a full SQL install, thus the KB4583465 package and other similar ones will never run and will fail, as they cannot upgrade stuff that was never installed on the system in the first place, due to this being a limited install type vs. a full SQL instance, which the KB is designed to patch.

If you run this fixlet manually on a box with the localdb you will see this error.
“There are no SQL Server instances or shared features that can be updated on this computer”

Please fix this ASAP.

Hi @page.jp.1, I’ve experimented with this fixlet and agree that it does not successfully update “Microsoft SQL Server 2012 Express LocalDB” as it is currently configured to launch and execute the installation in the action script. However, this package technically has the fix / updated MSI file for “Microsoft SQL Server 2012 Express LocalDB” which upgrades the version to 11.4.7507.2. I’ll raise this issue internally to see what we can do given that the fix is embedded in the installation file sqlserver2012-kb4583465-x64_c6e5ea14425fed26b885ab6b70aba8622817fd8c.exe. If you extract the contents of this package, you’ll find this file .\1033_enu_lp\x64\setup\x64\sqllocaldb.msi, and this is the MSI package that successfully updates the installation to version 11.4.7507.2. Once this package is installed, it will drop the applicability of this fixlet.

I’m not sure how far back the issue goes (given I don’t think Microsoft supports 2012r2 anymore), but it did seem to be a known issue in some versions of SQL 2017 that the installer did not handle LocalDB properly
https://support.microsoft.com/en-au/topic/kb4526524-fix-sql-update-package-does-not-update-local-db-files-correctly-when-installed-using-sqllocaldb-msi-d091e021-37fb-2449-bd40-d95c6c9db4b4

Both good points. Ideally I’d like the relevance fixed, or a secondary action when this is encountered to do only that other bit you mentioned (extracting then updating the 1 component to escape the relevance), so we do not have to manually hit such systems, especially since I have hundreds.

Any more updated packages to fix this yet? This is affecting compliance % due to the blown relevance.

I think the bigger issue is that these systems really are non-compliant until the patch is installed, but a bug in the MS installer is preventing it from patching LocalDB instances correctly.

That may be something the Patch team can work around, @ADL ? But in the meantime, your LocalDB instances really are vulnerable to whatever issues are corrected by the patch.

Correct, which is why I suggested a secondary path to install the single component that is actually missing. Since the installer from MS is broken, can the team unpack and pull the single component out and create either a separate patch to send to just the Express LocalDB instances, which after it runs will make them irrelevant for the parent patch,

or a first step on the parent patch to patch those Express LocalDB instances first? Then the relevance would kick out those on the parent patch on the second pass for relevance checking.

Hi @page.jp.1

Since this is a product that is out of support (end of life was July 2022), I am not in favour of making any change to existing published fixlets.

However, I am checking with the Patch Team if they can help you by providing a custom fixlet that would update the SQL Server 2012 R2 Express LocalDB running in your environment (this fixlet would basically only run the specific .msi file that is embedded in the binary provided by MS). This should resolve your compliance issue.

I will keep you updated once I get a confirmation from the team.

Thanks
Alessandro De Lorenzi

Thanks, please let me know when this is released and I will test it on a few systems, then work internally here to get it to the ones that are showing the false positive for the master patch KB4583465.
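
The check and single-component install discussed in this thread, as an added example that is not part of any post and is not an official fixlet: it finds LocalDB 2012 in the Uninstall keys, compares it with the fixed version quoted above (11.4.7507.2), and optionally installs an already-extracted sqllocaldb.msi. The `-MsiPath` parameter and the msiexec command line are assumptions; the thread does not state how the MSI was run.

```powershell
# Added example: not from the thread and not an official fixlet.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: path to sqllocaldb.msi already extracted from the KB4583465 package.
    [string]$MsiPath
)

$fixedVersion  = [version]'11.4.7507.2'   # fixed LocalDB version quoted in the thread
$namePattern   = '*Microsoft SQL Server 2012 Express LocalDB*'
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect matching uninstall entries from both registry views.
$entries = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $namePattern })

if ($entries.Count -eq 0) {
    Write-Output 'LocalDB 2012 is not installed; nothing to do.'
    return
}

foreach ($entry in $entries) {
    # A missing or unparsable DisplayVersion is treated as "needs attention".
    $installed = $null
    $parsed = [version]::TryParse([string]$entry.DisplayVersion, [ref]$installed)
    if ($parsed -and $installed -ge $fixedVersion) {
        Write-Output "$($entry.DisplayName) $installed is at or above $fixedVersion."
        continue
    }
    Write-Output "$($entry.DisplayName) '$($entry.DisplayVersion)' is below $fixedVersion."

    if (-not $MsiPath) { continue }       # report-only mode
    if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) {
        throw "MSI not found: $MsiPath"
    }
    if ($PSCmdlet.ShouldProcess($MsiPath, 'Install LocalDB update')) {
        # Assumption: standard silent msiexec switches plus the LocalDB
        # licence-acceptance property; the thread does not give a command line.
        $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart',
                     'IACCEPTSQLLOCALDBLICENSETERMS=YES')
        $proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
        Write-Output "msiexec exit code: $($proc.ExitCode) (0 = success, 3010 = reboot required)"
        break                              # one install covers the product
    }
}
```

Run without `-MsiPath` to report only, or with `-WhatIf` to see what would be installed; re-run afterwards to confirm the version is no longer reported as below 11.4.7507.2.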