Symptoms
Assume that you are using Dynamic Data Masking (DDM) on a column to protect your sensitive data in a table in Microsoft SQL Server 2016 and 2017. You may notice that the sensitive data is exposed when you execute a query that contains the following statements:
-
KEYSET READ_ONLY cursors.
-
PIVOT queries with masking that are defined on the aggregated pivot column.
-
User-defined functions (UDFs) that return a subquery.
Resolution
This issue is fixed in the following cumulative updates for SQL Server:
Cumulative Update 10 for SQL Server 2017
Each new cumulative update for SQL Server contains all the hotfixes and all the security fixes that were included with the previous cumulative update. Check out the latest cumulative updates for SQL Server:
Workaround
As a workaround for this issue, you may avoid using problematic Transact-SQL (T-SQL) statements, and rewrite the code to use different T-SQL statements.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
References
Learn about the terminologythat Microsoft uses to describe software updates.
