Assume that you are using Dynamic Data Masking (DDM) on a column to protect your sensitive data in a table in Microsoft SQL Server 2016 and 2017. You may notice that the sensitive data is exposed when you execute a query that contains the following statements:
- KEYSET READ_ONLY cursors.
- PIVOT queries with masking that are defined on the aggregated pivot column.
- User-defined functions (UDFs) that return a subquery.
As a workaround for this issue, you may avoid using problematic Transact-SQL (T-SQL) statements, and rewrite the code to use different T-SQL statements.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.