Applies To
SQL Server 2025 on Windows (all editions), SQL Server 2025 on Linux (all editions)
Summary
This security update contains fixes and resolves vulnerabilities. To learn more about the vulnerabilities, see the following security advisories:
-
CVE-2026-21262 - SQL Server Elevation of Privilege Vulnerability
-
CVE-2026-26115 - SQL Server Elevation of Privilege Vulnerability
-
CVE-2026-26116 - SQL Server Elevation of Privilege Vulnerability​​​​​​​​​​​​​​
The Microsoft SQL Server components are updated to the following builds in this security update:
-
SQL Server - product version: 17.0.1105.2, file version: 2025.170.1105.2
Improvements and fixes included in this update
A downloadable Microsoft Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists. Download this Excel file now.
Note:Â Individual entries in the following table can be referenced directly through a bookmark. If you select any bug reference ID in the table, a bookmark tag is added to the URL by using the "#bkmk_NNNNNNN" format. You can then share this URL with others so that they can jump directly to the desired fix in the table.
|
Bug reference |
Description |
Fix area |
Component |
Platform |
|---|---|---|---|---|
|
Fixes a potential SQL injection vulnerability by removing an internal system stored procedure. |
SQL Server Engine |
Internal System Metadata |
Windows |
|
|
Fixes an elevation of privilege vulnerability in the version upgrade process for merge replication. |
SQL Server Engine |
Replication |
Windows |
|
|
This hotfix blocks the ALTER USER operation if the target login is the system Administrator account. |
SQL Server Engine |
Security Infrastructure |
Linux, Windows |
How to obtain and install the update
This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Windows Update: FAQ.
To get the standalone package for this update, go to the Microsoft Update Catalog website.
Note:Â The detection logic has been updated for this and future security releases that are posted to the Microsoft Update Catalog website. For more information, see Updates to the Microsoft Update detection logic for SQL Server servicing.
The following file is available for download from the Microsoft Download Center:
For more information about how to download Microsoft support files, see the following Knowledge Base article:
How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses by using the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to it.
Important:Â If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.
Note:Â This update is made available through the Microsoft Update Catalog for all servers that are running SQL Server, even if Reporting Services is not installed. Installing this security update is optional for computers that do not host Microsoft SQL Server Reporting Services.
More information
To apply this update, you must have SQL Server 2025 or any SQL Server 2025 GDR release through this SQL Server 2025 GDR installed.
For deployment information about this update, see Deployments - Security Update Guide.
|
File name |
SHA256 hash |
|---|---|
|
SQLServer2025-KB5077468-x64.exe |
877702FB5E85C096F8FE4052FFA2D354B459B0C2E0A349708240E2D25603877E |
File information
The English version of this package has the file attributes (or later file attributes) that are listed in the following worksheet. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
For all supported x64-based versions - Download the list of files that are included in security update ​​​​​​​5077468.
Information about protection and security
Protect yourself online: Windows Security support
Learn how we guard against cyber threats: Microsoft Security
