Microsoft Download Center Archive

SQL Server 2000 Security Tools

  • Published:
  • Version: 1
  • Category: Security Patch
  • Language: English

SQL Server 2000 security tools are used to scan instances of Microsoft® SQL Server 2000™ and Microsoft SQL Server Desktop Engine (MSDE) 2000. The tools help detect instances vulnerable to the "Slammer" worm, and then apply updates to the affected files.

  • The three tools previously available for download on this page -- SQL Server 2000 SQL Scan, SQL Check, and SQL Critical Update -- have been consolidated into a single download, the SQL Critical Update Kit. The SQL Critical Update Kit also includes an SMS deployment tool and the Servpriv.exe utility.

    The SQL Server 2000 security tools help update editions of SQL Server 2000 and MSDE 2000 that are vulnerable to the "Slammer" worm. SQL Server 2000 Evaluation editions can be updated with the SQL Critical Update, but do not support SP3. MSDE 2000 ships with several Microsoft products, including Office XP. For a list of products that ship MSDE 2000, see the web page Microsoft Products that include MSDE 2000.

    Microsoft has developed a wizard for the home and small business user that will step you through the process of checking and updating your computer. Enterprise customers may also use and deploy the wizard to their internal customers. Visit the following web page to obtain the wizard: SQL Server 2000 Critical Update Wizard.

    The SQL Critical Update Wizard is also included in the SQL Critical Update Kit package.

    To send feedback on these tools, send email to SQL Critical Update Kit [email protected].

    NOTE: In some circumstances you may experience difficulties extracting the files from the SQL Critical Update Kit package if your computer has more than 4 GB free on your hard drive. See Microsoft Knowledge Base Article 301913.

    The details of the tools included in the SQL Critical Update Kit are as follows:

    SQL Critical Update:
    SQL Critical Update scans the computer on which it is running for instances of SQL Server 2000 and MSDE 2000 that are vulnerable to the Slammer worm, and updates the affected files. SQL Critical Update runs on Windows® 98, Windows ME, Windows NT® 4.0, Windows 2000 and Windows XP. SQL Critical Update is supported in a clustered environment.

    Instances of SQL Server 2000 with Service Pack 2 (SP2) and security patch MS02-039, MS02-043, MS02-056, or MS02-061, or instances with SP3 or later, are not vulnerable to the Slammer worm. Computers running SQL Server 7.0 and earlier are not vulnerable to the Slammer worm.

    Restrictions:
    * SQL Critical Update must be run on the local machine.
    * SQL Critical Update will fix vulnerabilities that it discovers; it cannot be used to simply disable an instance of SQL Server.
    * SQL Critical Update does not install SP3. It only updates vulnerable files.
    * SQL Critical Update will fix only MSDE installations that are the same language as the SQL Critical Update language you are running.
    * The user running SQL Critical Update must have permission to replace SQL Server files in the Program Directory.
    * SQL Critical Update works only if the ssnetlib.dll file exists for each instance of SQL Server being patched.
    * SQL Critical Update must target the active node in order to work in a clustered environment.

    For additional details refer to the readme file.

    SQL Scan:
    SQL Scan (Sqlscan.exe) scans an individual computer, a Windows domain, or a range of IP addresses for instances of SQL Server 2000 and MSDE 2000, and identifies instances that may be vulnerable to the Slammer worm. SQL Scan runs on Windows 2000 or higher and can identify instances of SQL Server 2000 and MSDE 2000 running on Windows NT 4.0, Windows 2000, or Windows XP (Professional).

    Instances of SQL Server 2000 with Service Pack 2 (SP2) and security patch MS02-039, MS02-043, MS02-056, or MS02-061, or instances with SP3 or later, are not vulnerable. Computers running SQL Server 7.0 and earlier are not vulnerable.

    SQL Scan does not locate instances of SQL Server that are running on Windows 98, Windows ME, or Windows XP (Home). SQL Scan does not detect instances of SQL Server that were started from the command prompt.

    NOTE: In some circumstances, shutdown of an infected SQL Server instance may not complete successfully. You may need to use system management tools to terminate an infected process.

    SQL Scan requires one of the following items as input:

    1) A domain

    2) A range of IP addresses

    3) A single machine name

    SQL Scan must be run with domain administrator privileges when it is used to scan remote machines. Otherwise, you must be an administrator on the local machine.

    SQL Scan will not return a conclusive result if either the ssnetlib.dll or sqlservr.exe file has been renamed. If these files have been renamed, you should change them back to their original names.

    SQL Scan identifies vulnerable SQL Server instances on clustered machines, but does not disable them. Disabling and shutting down of SQL Server instances must be managed manually.

    For additional details refer to the readme file.

    SQL Check:
    SQL Check scans the computer on which it is running for instances of SQL Server 2000 and MSDE 2000 that are vulnerable to the Slammer worm. SQL Check also identifies vulnerable SQL Server 2000 clusters, but does not disable them. SQL Check runs on Windows 98, Windows ME, Windows NT 4.0, Windows 2000 and Windows XP. On computers running Windows NT 4.0, Windows 2000 and Windows XP, it stops and disables the SQL Server and SQL Agent services. On computers running Windows 98 and Windows ME it identifies vulnerable instances but does not stop or disable any services.

    Instances of SQL Server 2000 with Service Pack 2 (SP2) and security patch MS02-039, MS02-043, MS02-056, or MS02-061, or instances with SP3 or later, are not vulnerable. Computers running SQL Server 7.0 and earlier are not vulnerable.

    For additional details refer to the readme file.

    SMS Deployment Tool:
    This tool provides a SQLFIX.SMS file that you can use to create a package in SMS to deploy SQL Server Critical Update.

    Servpriv.exe:
    If you are running SQL Server 2000 Service Pack 2 (SP2) or MSDE 2000 SP2 and have already applied SQL Critical Update, you must also run the servpriv.exe utility that is included in this package to set the appropriate user rights on the corresponding service registry keys. This utility was first released in the Microsoft Security Bulletin MS02-043. Servpriv.exe automatically runs with SQL Critical Update 3.0 and the new SQL Critical Update Wizard available in the latest SQL Critical Update Kit. If you are applying SQL Critical Update for the first time, you do not need to run servpriv.exe separately. See the readme_ServPriv.txt file for additional details.

    SQL Server Critical Update Wizard:
    The SQL Critical Update Wizard will walk you through the steps of detecting the vulnerability and updating the affected files. The SQL Critical Update Wizard runs on Windows 98, Windows ME, Windows NT 4.0, Windows 2000 and Windows XP. If you want to install SQL Critical Update on a cluster, use the SQL Critical Update tool instead of the wizard. For more information about updating clusters with the SQL Critical Update tool, please refer to the README for SQL Critical Update. Please see Knowledge Base Article: 814372 for further information about this wizard.

    DISCLAIMER OF WARRANTIES
    SQL Scan and SQL Check are considered pre-release software and are not at the level of performance and compatibility of final, generally available product offerings. MICROSOFT IS PROVIDING THE SQL CRITICAL UPDATE KIT AS IS AND WITH ALL FAULT, AND HEREBY DISCLAIMS ALL OTHER WARRANTIES AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY (IF ANY) IMPLIED WARRANTIES, DUTIES OR CONDITIONS OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF RELIABILITY OR AVAILABILITY, OF ACCURACY OR COMPLETENESS OF RESPONSES, OF RESULTS, OF WORKMANLIKE EFFORT, OF LACK OF VIRUSES, OF LACK OF NEGLIGENCE. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT WITH REGARD TO THE SQL CRITICAL UPDATE KIT.

Files

Status: Deleted

This download is no longer available on microsoft.com. The downloads below are archives provided by the Internet Archive Wayback Machine from the Microsoft Download Center prior to August 2020.

File                       SHA1 Hash                                  Size
license.rtf                14731c02d79f32384f60f74f82daf68f8f1c4145   6 KB
readme.txt                 62380dda714e75892efcb072d6478c6b85ebd8be   4 KB
Security_Tools_Guide.doc   0776fa39e94252dce595393505e207f2f84d8ee6   19 KB
SQLCritUpdPkg_ENU.exe      88a9926bf9926cfe1b727889812f8c35fd7c5869   21.58 MB

System Requirements

Operating Systems: Windows 2000, Windows 98, Windows ME, Windows NT, Windows XP

Installation Instructions

  • To download the SQL Critical Update Kit:
    1. Click on the SQLCritUpdPkg_ENU.exe link to start the download.
    2. When the download begins, you can choose whether to run the SQLCritUpdPkg_ENU.exe file remotely from the server or save it to the local machine. The SQLCritUpdPkg_ENU.exe self-extracting file will run remotely and extract the necessary files to the local machine. However, if you want to run the SQL Critical Update Kit on other machines, you should download the self-extracting file and save it locally.
       NOTE: If you plan to deploy SQL Critical Update Kit across your enterprise, you should download the self-extracting file and place it on a public share so that it can be easily run throughout your organization.
    3. If you decided to run the self-extracting file from the server, skip to step 4. If you saved this file locally, navigate to the directory where you saved this file, and run it to extract the files.
    4. When run, the self-extracting file requires you to accept the EULA and then asks you to select a destination to save the extracted files. The default location is C:\SQLCritUpdPkg, but you can specify your own location as long as it is on the local machine. Extracting remotely to a UNC share is not supported.
    5. For additional details on the tools, refer to the readme files included in the installed package.
