3 Replies Latest reply on Dec 2, 2014 9:35 AM by Jim Campbell

    SQL Server security patches

    Jim Campbell

      For SQL Server security patches (e.g. those in MS14-044) we are having problems using BladeLogic patching.  It appears to be appropriately identifying the patch as missing, but it is a) only patching one instance at a time and b) passing the wrong instance name if only one instance on the server needs to be patched.  Example:


      When 2 instances are on the server it correctly identifies the patch being needed for both and passes the correct parameters.  However, patching requires a reboot in between if you try to patch one instance at a time, so the second patch fails:

      11/18/14 07:52:51.324

      C:\temp\stage\f70bb12d1aee3d74a7fd876e99a3ad75\199018.1>"C:\temp\stage\f70bb12d1aee3d74a7fd876e99a3ad75\\199018.1\SQLServer2008R2-KB2977320-x64.exe" /Q /HIDECONSOLE /IACCEPTSQLSERVERLICENSETERMS /instancename=DEV   & set LASTERR=!errorlevel!


      This succeeds.  In the same job:

      11/18/14 07:57:29.150

      C:\temp\stage\f70bb12d1aee3d74a7fd876e99a3ad75\199018.1>"C:\temp\stage\f70bb12d1aee3d74a7fd876e99a3ad75\\199018.1\SQLServer2008R2-KB2977320-x64.exe" /Q /HIDECONSOLE /IACCEPTSQLSERVERLICENSETERMS /instancename=TEST   & set LASTERR=!errorlevel!    


      This fails because there would have to be a reboot in between.


      If you reboot and run patch analysis again it correctly shows the TEST instance as missing the patch.  However, it provides the wrong instance name this time to the command line parameter for the install:

      11/20/14 11:34:07.686

      C:\temp\stage\12f41ffbafcd381890012cc166317c4e\199018.1>"C:\temp\stage\12f41ffbafcd381890012cc166317c4e\\199018.1\SQLServer2008R2-KB2977320-x64.exe" /Q /HIDECONSOLE /IACCEPTSQLSERVERLICENSETERMS /instancename=MSSQLSERVER   & set LASTERR=!errorlevel!


      This patch fails because the instance name is invalid.  In any situation in which only one instance needs to be patched (including when only one instance is installed) it is passing this invalid, seemingly default, instance name and the patch is failing (and, even better, providing an exit code of 0 so that you can't even see that an error has occurred).


      Is anyone else seeing this?  Is there a way to force these patches to run with the /allinstances option instead of on a per-instance basis?  If not, why is it not providing the correct instance name to the command in the situation where only one instance needs the patch?  As a note, this behaviour is consistent on all of our patching of SQL Servers, at least for the affected versions for this bulletin (MS14-044) that we use.  We are applying the patch to only one instance at a time and are not able to apply it to the last instance on the server to be patched.
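
Because the installer exit code of 0 hides the failure described in the post above, one way to catch both symptoms is to audit the logged command lines themselves. The following is an added example, not part of the original post and not BladeLogic code: the function and pattern names are hypothetical, the installed instance set (DEV, TEST) is taken from the post, and treating one staging directory as one job run is an assumption.

```python
import re
from collections import defaultdict

# Command lines copied from the deploy log quoted in the post above.
LOG = r'''
C:\temp\stage\f70bb12d1aee3d74a7fd876e99a3ad75\199018.1>"C:\temp\stage\f70bb12d1aee3d74a7fd876e99a3ad75\\199018.1\SQLServer2008R2-KB2977320-x64.exe" /Q /HIDECONSOLE /IACCEPTSQLSERVERLICENSETERMS /instancename=DEV   & set LASTERR=!errorlevel!
C:\temp\stage\f70bb12d1aee3d74a7fd876e99a3ad75\199018.1>"C:\temp\stage\f70bb12d1aee3d74a7fd876e99a3ad75\\199018.1\SQLServer2008R2-KB2977320-x64.exe" /Q /HIDECONSOLE /IACCEPTSQLSERVERLICENSETERMS /instancename=TEST   & set LASTERR=!errorlevel!
C:\temp\stage\12f41ffbafcd381890012cc166317c4e\199018.1>"C:\temp\stage\12f41ffbafcd381890012cc166317c4e\\199018.1\SQLServer2008R2-KB2977320-x64.exe" /Q /HIDECONSOLE /IACCEPTSQLSERVERLICENSETERMS /instancename=MSSQLSERVER   & set LASTERR=!errorlevel!
'''

# <staging dir>>"<installer path containing KBnnnnnnn>" <arguments>
CMD = re.compile(r'^(?P<stage>[A-Za-z]:\\.+?)>"[^"]*?(?P<kb>KB\d+)[^"]*"(?P<args>.*)$')
INST = re.compile(r'/instancename=(\S+)', re.IGNORECASE)


def audit(log_text, installed):
    """Flag per-instance patch runs that cannot have succeeded.

    installed: set of upper-case instance names actually present on the host
    (assumption: obtained separately, e.g. from the server inventory).
    """
    runs = defaultdict(list)  # (staging dir, KB) -> instance names, in log order
    findings = []
    for line in log_text.splitlines():
        m = CMD.match(line.strip())
        inst = INST.search(m['args']) if m else None
        if not inst:
            continue
        name = inst.group(1)
        runs[(m['stage'], m['kb'])].append(name)
        # Symptom b): the name passed to the installer is not an installed instance.
        if name.upper() not in installed:
            findings.append(('unknown-instance', m['kb'], name))
    # Symptom a): same KB run for several instances from one staging directory,
    # i.e. within one job and therefore with no reboot in between.
    for (_stage, kb), names in runs.items():
        if len(names) > 1:
            findings.append(('no-reboot-between', kb, tuple(names[1:])))
    return findings


if __name__ == '__main__':
    for finding in audit(LOG, {'DEV', 'TEST'}):
        print(finding)
```

Any finding means the host should be re-analysed after a reboot rather than reported as patched on the strength of the exit code.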