Microsoft has released a critical security update for SQL Server 2022 that cumulatively bundles all previous fixes while addressing a newly disclosed denial-of-service vulnerability. The update, designated KB5072936, targets CVE-2026-20803 and represents the latest in Microsoft's ongoing patch management strategy for their flagship database platform.
What Changed
Microsoft released Security Update KB5072936 for SQL Server 2022 RTM Cumulative Update 22 on January 13, 2026. This update is available through two primary distribution channels: the Microsoft Download Center and the Microsoft Update Catalog. The package follows Microsoft's cumulative update model, meaning it contains all security fixes released for SQL Server 2022 RTM up to this point, plus the new patches detailed in the associated KB article.
The headline vulnerability addressed is CVE-2026-20803, a denial-of-service vulnerability in SQL Server 2022. Denial-of-service vulnerabilities are particularly concerning for database administrators because they can allow attackers to disrupt database availability without necessarily compromising data integrity or confidentiality. While Microsoft hasn't published the specific technical details of the exploit vector in this release announcement, such vulnerabilities typically involve resource exhaustion, memory corruption, or improper input handling that causes the SQL Server service to crash or become unresponsive.
Provider Comparison: Microsoft's Update Strategy vs. Alternative Database Vendors
Microsoft's approach to security updates for SQL Server reflects a broader pattern in enterprise software maintenance that differs meaningfully from other major database vendors.
Oracle Database operates on a quarterly Critical Patch Update (CPU) schedule, releasing batches of security fixes on predictable dates in January, April, July, and October. This cadence provides organizations with advance planning opportunities but means vulnerabilities may remain unpatched for up to three months between cycles. Oracle also offers "Alert" patches for critical issues outside the normal cycle, but these are rare. The trade-off is predictability versus responsiveness.
PostgreSQL, as an open-source project, follows a more fluid model. Security fixes are released as soon as they're ready, typically in minor version updates (e.g., 16.1, 16.2). The community provides security patches for supported versions, but organizations running PostgreSQL must actively monitor release notes and apply updates themselves. There's no centralized update catalog or automatic distribution mechanism comparable to Microsoft Update.
MySQL under Oracle follows a hybrid approach. Critical security fixes are released in patch releases, and Oracle provides both community and enterprise update paths. However, the enterprise features require a support subscription, and the update distribution is less integrated than Microsoft's ecosystem.
Microsoft's SQL Server update model offers several distinct advantages for organizations already invested in the Windows/Microsoft ecosystem:
Cumulative updates reduce patch management complexity. Instead of tracking and applying dozens of individual hotfixes, administrators can apply a single package that contains everything. This is particularly valuable in large environments where testing each patch individually would be prohibitively expensive.
Integration with Microsoft Update enables automated deployment through familiar tools like WSUS (Windows Server Update Services) or Configuration Manager. Organizations can defer updates, test them in staging environments, and deploy on schedules that align with maintenance windows.
Single point of truth for download and documentation. The Microsoft Download Center and Update Catalog provide a centralized, searchable repository, contrasting with PostgreSQL's distributed source code repositories or Oracle's support portal that requires authentication.
However, this model has trade-offs. Cumulative updates can be large downloads (often several hundred megabytes), and applying them requires service restarts. For 24/7 operations, this necessitates planned downtime windows. Additionally, organizations running multiple SQL Server versions must manage separate cumulative update streams.
Business Impact and Migration Considerations
Immediate Operational Impact
For organizations running SQL Server 2022 in production, this update requires immediate attention in your patch management cycle. The presence of a denial-of-service vulnerability means that exposed instances could be targeted by attackers seeking to disrupt business operations. Unlike vulnerabilities that require authenticated access, DoS attacks can often be performed by unauthenticated actors who can reach the SQL Server port.
The cumulative nature of this update simplifies testing. Since it includes all previous fixes, you can deploy it to test environments that mirror your production configuration without needing to apply incremental patches first. This reduces the time from download to production deployment.
Migration and Upgrade Path Considerations
Organizations currently running older SQL Server versions should view this update as part of a broader migration strategy. SQL Server 2012 and 2014 have reached end-of-support, and SQL Server 2016/2017 are in extended support phases. Migrating to SQL Server 2022 provides:
- Long-term support: SQL Server 2022 will receive mainstream support until 2028 and extended support until 2033
- Performance improvements: Features like intelligent query processing have matured significantly in recent versions
- Cloud integration: SQL Server 2022 includes enhanced Azure Arc integration for hybrid scenarios
The migration path typically involves:
- Assessment: Use the Data Migration Assistant to evaluate compatibility issues
- Testing: Deploy SQL Server 2022 in a non-production environment and test your applications
- Migration: Use backup/restore, log shipping, or Always On availability groups for minimal downtime
- Update: Apply the latest cumulative update (like KB5072936) immediately after migration
Cloud-Native Considerations
Microsoft's cloud strategy with SQL Server 2022 emphasizes Azure Arc-enabled data scenarios. Organizations can manage on-premises SQL Server instances through the Azure portal, including update management. This provides a unified view across hybrid environments.
For organizations considering cloud migration, SQL Server 2022 on Azure Virtual Machines offers:
- Automated patching: Azure can manage Windows and SQL updates automatically
- Backup integration: Azure Backup provides geo-redundant storage without additional configuration
- High availability: Built-in Always On availability groups across Azure regions
However, the trade-off is cost and control. Running SQL Server on Azure VMs means paying for compute and storage continuously, and you're abstracted from the underlying infrastructure. For organizations with strict compliance requirements or existing data center investments, staying on-premises with proper patch management may be preferable.
Pricing Implications
SQL Server 2022 licensing follows the same model as recent versions:
- Standard Edition: Per-core licensing (2 core minimum) or Server+CAL (Client Access License)
- Enterprise Edition: Per-core licensing only
- Developer Edition: Free for development/testing
The key consideration for update management is that all editions receive the same security updates. However, Enterprise Edition includes features like online index rebuilds and resumable operations, which can reduce the operational impact of applying updates during business hours.
For organizations with Software Assurance, there's an additional benefit: the ability to run SQL Server in Azure at reduced rates through the Azure Hybrid Benefit. This can make cloud migration more cost-effective while maintaining the same security update cadence.
Testing and Rollback Strategy
Before deploying KB5072936 to production:
Review the KB article: The KB5072936 documentation contains specific installation instructions and known issues
Test in isolation: Deploy to a test instance that matches your production configuration
Validate applications: Run your full application test suite, focusing on:
- Query performance (some security fixes can impact query plans)
- Connectivity from all application servers
- Scheduled jobs and SSIS packages
- Replication and Always On configurations
Prepare rollback: While cumulative updates are generally safe, have a rollback plan:
- Take full backups before patching
- Document current configuration settings
- For critical systems, consider using Always On to patch replicas first, then failover
Monitor after deployment: Watch for increased error rates, performance degradation, or connectivity issues in the first 24-48 hours
Long-Term Maintenance Strategy
This update reinforces the importance of establishing a sustainable patch management process:
- Monthly review: Subscribe to the SQL Server Blog and review security bulletins
- Quarterly deployment: Plan to apply cumulative updates every quarter during maintenance windows
- Automation: Use PowerShell scripts or Configuration Manager to automate deployment across multiple instances
- Documentation: Maintain an inventory of SQL Server versions and cumulative update levels
The SQL Server team at Microsoft has made these updates increasingly reliable, but the responsibility for deployment remains with the organization. The tools and processes you establish now will serve you for all future updates.
For organizations running SQL Server 2022, KB5072936 should be treated as a priority deployment. The combination of cumulative fixes and a specific DoS vulnerability patch makes this both efficient and necessary. Your approach should balance the urgency of security with the stability requirements of your production environment, using the testing and deployment strategies that fit your operational model.
Comments
Please log in or register to join the discussion