Assume that you use SQL Server Profiler to capture the SP:Starting and SP:Completed events in SQL Server.
When the sp_setapprole stored procedure is executed from a remote procedure call, the query statement is logged in the trace log in clear text. However, you expect it to be replaced with an obfuscated value that resembles the following:
-- 'sp_setapprole' was found in the text of this event.
-- The text has been replaced with this comment for security reasons.
This issue is fixed in the following cumulative updates and service pack for SQL Server:
Service pack information for SQL Server 2016
This issue is fixed in the following service pack for SQL Server:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.