We aren't a Microsoft SQL Server shop, but we run Microsoft SQL Server Desktop Edition (MSDE) 2000 on some of our production servers. I've heard that we might be vulnerable to SQL Slammer. Are we? And if so, how can we protect ourselves?

A common misconception is that only SQL Server 2000 machines are vulnerable to SQL Slammer. But MSDE 2000 is based on the same code as SQL Server 2000, so MSDE 2000 also is vulnerable.

The SQL Slammer worm was so effective in part because many systems administrators failed to patch their systems long after the original discovery of the vulnerability that the virus exploits. To be fair, applying the applicable updates wasn't a particularly easy task. Microsoft listened to customer complaints about that fact and has since developed several tools to help systems and database administrators update their SQL Server 2000 installations. For additional information about these tools, see the tools' accompanying documentation or read the Microsoft article "Overview of the SQL 2000 Critical Update Wizard" (http://support.microsoft.com/?kbid=814372). You can download these tools from Microsoft's Web site at http://www.microsoft.com/sql/downloads/securitytools.asp, then use them to protect yourself.

  • Servpriv.exe updates registry permissions for installations on which you ran an earlier (i.e., pre-3.0) version of the SQL Critical Update Wizard.
  • SQL Check can identify vulnerable SQL Server 2000 clusters. This tool runs on Windows XP, Windows 2000, Windows NT 4.0, Windows Me, and Windows 98.
  • SQL Critical Update 3.0 checks the local SQL server or SQL cluster for vulnerable installations of SQL Server 2000 and MSDE 2000, then updates files to resolve vulnerabilities.
  • SQL Critical Update Wizard can update XP, Win2K, NT 4.0, Windows Me, and Win98 SQL Server or MSDE 2000 systems, but you can't use it on clusters (use SQL Critical Update instead).
  • SQL Scan (sqlscan.exe) can scan one XP, Win2K, or NT 4.0 PC or a group of machines (according to domain or IP address range) to identify Slammer vulnerabilities.
  • Systems Management Server (SMS) Deployment Tool contains an SMS package file that facilitates SMS-based deployment of SQL Critical Update.