*******************************************************************
SQL Critical Update Kit 3.0
for Microsoft® SQL Server 2000™ and
Microsoft SQL Server 2000 Desktop Engine 2000 (MSDE 2000)
Readme File
February 09, 2003
*******************************************************************
© Microsoft Corporation 2003. All rights reserved.
*******************************************************************

Contents

1.0 Liability Disclaimer
2.0 Introduction
3.0 Applicable SQL Server 2000 Versions
4.0 Downloading and Extracting the SQL Critical Update Kit
5.0 Contents of the Package
6.0 Running SQL Critical Update

*******************************************************************
1.0 Liability Disclaimer
*******************************************************************

Microsoft is providing the SQL Critical Update Kit to assist in
detecting computers that are vulnerable to the Slammer worm and
repairing them. This tool is provided AS-IS, with no warranties of
any kind, either express or implied. You should evaluate and test
the tool before using it in your environment.

As a prerequisite to using this tool, you are required to accept the
End User License Agreement (EULA). The EULA, named License.txt, is in
the root directory where you downloaded the SQL Critical Update
Package.

*******************************************************************
2.0 Introduction
*******************************************************************

The SQL Critical Update Kit contains a set of tools designed to help
administrators to easily locate and patch instances of SQL Server
2000 and SQL Server 2000 Desktop Engine (MSDE 2000) that are
vulnerable to the Slammer worm.

These tools are designed to help patch instances of the following
versions of SQL Server against the Slammer worm:

   SQL Server 2000 (initial release)
   SQL Server 2000 SP1
   SQL Server 2000 SP2
   MSDE 2000 (initial release)
   MSDE 2000 SP1
   MSDE 2000 SP2

However, for the latest serviceability and security improvements, we
recommend testing and then applying SP3. If you cannot apply SP3, we
recommend applying SP2 and then using the tools provided in this kit.

SQL Critical Update Kit consists of the following tools:

* SQL Critical Update Wizard - a wizard that detects and patches
  SQL Server 2000 and MSDE 2000 instances vulnerable to the Slammer
  worm. You can use this tool alone, or you can use the following
  tools and create a customized solution for your enterprise.

* SQL Scan (Sqlscan.exe) - locates SQL Server 2000 and MSDE 2000
  instances vulnerable to the Slammer worm across a local network on
  Windows NT 4.0, Windows 2000, Windows XP Professional Edition, or
  later.

* SQL Check - finds and optionally disables and re-enables instances
  of SQL Server 2000 or MSDE 2000 that are vulnerable to the Slammer
  worm.

* SQL Critical Update - patches SQL Server 2000 and MSDE 2000
  instances that are vulnerable to the Slammer worm.

* SMS Deploy - System Management Server files for deploying the
  hotfix across a managed system. (See readme_SMSDeploy.txt)

* Servpriv - patches SQL Server 2000 installations that are running
  SQL Server 2000 Service Pack 2. SQL Critical Update 3.0 runs this
  tool, so you typically don't need to run this separately. See
  readme_servpriv.txt for more information.

This readme file provides a high-level view of how to use the SQL
Critical Update Kit to help find and eliminate SQL Server 2000 and
MSDE 2000 instances that are vulnerable to the Slammer worm. For more
detailed information on how to use each of these tools as well as
requirements and restrictions, review the readme file for each tool.

*******************************************************************
3.0 Applicable SQL Server 2000 Versions
*******************************************************************

The SQL Critical Update Kit is designed to work with all editions of
SQL Server 2000 and MSDE 2000. For a list of Microsoft SQL Server
2000 and MSDE 2000 versions that are vulnerable to the Slammer worm,
see
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/slammer.asp.

To determine which version of SQL Server 2000 or MSDE 2000 is
installed on your machine, use SQL Check (SSCheck.exe).

*******************************************************************
4.0 Downloading and Extracting the SQL Critical Update Kit
*******************************************************************

The SQL Critical Update Kit is a language-specific, self-extracting
file. The name of this package file is SQLCritUpdPkg_XXX.exe, where
XXX denotes the language-specific version of the SQL Critical Update
Kit. The language of the package you download must match the language
of your SQL Server 2000 or MSDE 2000 instances to be patched.

This tool is available in the following languages:

* CHS - Simplified Chinese (language = 2052)
* CHT - Traditional Chinese (language = 1028)
* ENU - English (language = 1033)
* ESN - Spanish (language = 3082 or 1034)
* FRN - French (language = 1036)
* GER - German (language = 1031)
* ITA - Italian (language = 1040)
* JPN - Japanese (language = 1041)
* KOR - Korean (language = 1042)
* BRZ - Portuguese (Brazil) (language = 1046)
* DUT - Dutch (Netherlands) (language = 1043)
* SVE - Swedish (language = 1053)

To download the SQL Critical Update package:

1. Go to http://www.microsoft.com/sql/downloads/securitytools.asp.

2. Select the desired language version to download from the
   drop-down list and click GO. This will take you to the
   language-specific download page for SQL Critical Update Kit.

3. On the language-specific download page, click on the
   SQLCritUpdPkg_XXX.exe link to start the download.

4. When the download begins, you are given a choice of whether to
   run (Open) the SQLCritUpdPkg_XXX.exe package file from the
   Microsoft Web server or save it to the local machine. If you open
   the file, the SQLCritUpdPkg_XXX.exe self-extracting file will run
   remotely and extract the necessary files to the local machine.

   Note: If you plan to deploy SQL Critical Update Kit across your
   enterprise, you should download the self-extracting file and
   place it on a public share so that it can be easily run
   throughout your organization.

5. If you decided to open the self-extracting file from the
   Microsoft Web server, skip to step 6. If you saved this file
   locally, navigate to the directory where you saved this file and
   double-click the SQLCritUpdPkg_XXX.exe package to extract the
   files.

6. When you run the self-extracting file, it requires you to accept
   the EULA and then asks you to select a destination to save the
   extracted files. The default location is C:\SQLCritUpdPkg, but
   you can specify your own location as long as it is on the local
   machine. Extracting remotely to a UNC share is not supported.

At this point, you are ready to use the SQL Critical Update Kit.

*******************************************************************
5.0 Contents of the Package
*******************************************************************

The SQL Critical Update Kit contains the following files, which are
extracted in the specified folder on the local machine:

* License.txt - contains the EULA for the SQL Critical Update Kit.
* Readme.txt - this file.
* SQLCritUpdWiz_ENU.msi is a wizard that runs SQL Check and SQL
  Critical Update.
* The SQLCritUpd folder contains SQLHotfix_XXX.exe, which is a
  self-extracting file that runs SQL Critical Update. This folder
  also contains readme_SQLHotfix.txt.
* The SMSDeploy folder contains tools for SMS deployment as well as
  readme_SMSDeploy.txt.
* The SQLCheck folder contains SQL Check (Sscheck.exe), which is a
  utility you can use to help locate and disable instances of SQL
  Server 2000 and MSDE 2000 that are vulnerable to the Slammer worm.
* The SQLScan folder contains SQLScan.exe, which is a utility that
  detects computers on the network that are vulnerable to the
  Slammer worm, as well as readme_SQLScan.txt.
* The ServPriv folder contains ServPriv.exe, which is a utility that
  patches SQL Server 2000 installations that are running SQL Server
  2000 Service Pack 2, as well as readme_ServPriv.txt. SQL Critical
  Update 3.0 runs Servpriv.

*******************************************************************
6.0 Running the SQL Critical Update Wizard
*******************************************************************

Although both SQL Check and SQL Critical Update can be run
individually, it is recommended that you use these tools together by
running the SQL Critical Update Wizard (SQLCritUpdWiz_XXX.msi).

Before you run the Critical Update Wizard on a computer running
Windows XP, Windows 2000, or Windows NT, you will need to ensure that
you are logged on to the computer using an account with local
Administrative privileges.

IMPORTANT: If you are running the SQL Critical Update Wizard on
Windows NT, Windows 98, or Windows ME, you might need to download the
Windows Installer from http://www.microsoft.com/downloads. The
Windows Installer was not included with these operating systems and
is required by the wizard.

To run the SQL Critical Update Wizard, follow these steps:

1. Double-click SQLCritUpdWiz_XXX.msi.

2. When you are prompted to install the update, click Next.

3. Read and accept the License Agreement, and then click Next. If
   you do not have MSDE 2000 or SQL Server 2000 installed on your
   computer, or if you do have one of these products but have
   already updated to a version that is not affected by the Slammer
   worm, you receive the following message:

      Critical Update Not Required.

4. If you are prompted to install the update, click Install.

5. When you receive a message that indicates the installation was
   successful, click Finish. If the update is unsuccessful or
   further action is required, see
   http://support.microsoft.com/?kbid=814372.

IMPORTANT: After you update MSDE 2000 or SQL Server 2000, you cannot
remove the update unless you previously backed up your system
databases. (For more information, see
http://support.microsoft.com/?id=330391.) If you are unable to roll
back the patch because you don't have a backup of your system
databases, to return to a prior version you must remove MSDE 2000 or
SQL Server 2000, and then install the original product from the
original CD.