Hi everyone. We have posted the questions and answers from the security bulletin webcast we conducted on October 14 at this link. It was clear from all of the questions concerning MS09-062 (the GDI+ update) that there is some confusion on how to apply the update when you have a combination of SQL Server and Windows 2000 clients.

To clarify what the bulletin states, if you do not have any Windows 2000 SP4 clients on your network then you do not need to apply the SQL Server update that corresponds to the version of SQL Server you are running. In this case, you would only need to apply the update for the client operating systems on your network. This is because on platforms newer than Windows 2000 SP4, the operating system will use its own version of the affected component (gdiplus.dll) rather than the one distributed by the RSClientPrint ActiveX control through SQL Server Reporting Services.

In the video below, Adrian Stone and I go in to details on each bulletin to cover the vulnerabilities, affected platforms, attack vectors, and mitigations:

Get Microsoft Silverlight More listening and viewing options:

Next month we will host our live security bulletin webcast on November 11 at 11:00 am Pacific time (UTC -7). To register for that webcast, please follow this link.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*