How to know whether you need this update

Use the following table to determine whether your current version of SQL Server already has support for TLS 1.2 or whether you have to download an update to enable TLS 1.2 support. Use the download links in the table to obtain the server updates that are applicable to your environment.

Note Builds that are later than those listed in this table also support TLS 1.2.

SQL Server release

Initial build/release that supported TLS 1.2

Current Updates with TLS 1.2 Support

Additional information

SQL Server 2014 SP1 CU

12.0.4439.1

SP1 CU5

KB3130926 - Cumulative Update 5 for SQL Server 2014 SP1

Note: KB3130926 will now install the last CU produced for 2014 SP1 (CU13 - KB4019099 ), which includes TLS 1.2 support as well as all hotfixes released to date. If needed, CU5 is available in the Windows Update Catalog.

Note: TLS 1.2 support is also available in 2014 SP2 and 2014 SP3.

KB3052404 -  FIX: You cannot use the Transport Layer Security protocol version 1.2 to connect to a server that is running SQL Server 2014 or SQL Server 2012

SQL Server 2014 SP1 GDR

12.0.4219.0

SP1 GDR TLS 1.2 Update

TLS 1.2 Support for 2014 SP1 GDR is available in the latest cumulative GDR update – KB4019091.

Note: TLS 1.2 support is also available in 2014 SP2 and 2014 SP3.

SQL Server 2014 RTM CU

12.0.2564.0

RTM CU12

KB3130923 - Cumulative Update 12 for SQL Server 2014

Note: KB3130923 will now install the last CU released for 2014 RTM (CU14 - KB3158271 ), which includes TLS 1.2 support as well as all hotfixes released to date. If needed, CU12 is available in Windows Update Catalog.

Note: TLS 1.2 support is also available in 2014 SP2 and 2014 SP3.

KB3052404 - FIX: You cannot use the Transport Layer Security protocol version 1.2 to connect to a server that is running SQL Server 2014 or SQL Server 2012

SQL Server 2014 RTM GDR

12.0.2271.0

RTM GDR TLS 1.2 Update

TLS Support for SQL 2014 RTM is currently only available by installing 2014 SP2 and 2014 SP3 .

SQL Server 2012 SP3 GDR

11.0.6216.27

SP3 GDR TLS 1.2 Update

TLS 1.2 Support for 2012 SP3 GDR is available in the latest cumulative GDR update – KB4057115.

Note: TLS 1.2 support is also available in 2012 SP4.

SQL Server 2012 SP3 CU

11.0.6518.0

SP1 CU3

KB3123299 - Cumulative Update 1 for SQL Server 2012 SP3

Note: KB3123299 will now install the last CU released for 2012 SP3 (CU10 - KB4025925, which includes TLS 1.2 support as well as all hotfixes released to date). If needed, CU1 is available in Windows Update Catalog.

Note: TLS 1.2 support is also available in 2012 SP4.

KB3052404  - FIX: You cannot use the Transport Layer Security protocol version 1.2 to connect to a server that is running SQL Server 2014 or SQL Server 2012

SQL Server 2012 SP2 GDR

11.0.5352.0

SP2 GDR TLS 1.2 Update

TLS 1.2 Support for 2012 SP2 GDR is available in the latest cumulative GDR update – KB3194719.

TLS 1.2 support is also available in 2012 SP3 and 2012 SP4.

SQL Server 2012 SP2 CU

11.0.5644.2

SP2 CU10

KB3120313 - Cumulative Update 10 for SQL Server 2012 SP2.

Note: KB3120313 will now install the last CU released for 2012 SP2 (CU16 - KB3205054, which includes TLS 1.2 support as well as all hotfixes released to date). If needed, CU1 is available in Windows Update Catalog.

Note: TLS 1.2 support is also available in 2012 SP3 and 2012 SP4.

KB3052404  - FIX: You cannot use the Transport Layer Security protocol version 1.2 to connect to a server that is running SQL Server 2014 or SQL Server 2012

SQL Server 2008 R2 SP3 (x86/x64 only)

10.50.6542.0

SP3 TLS 1.2 Update

TLS 1.2 Support is available in the latest cumulative update for SQL Server 2008 R2 SP3 – KB4057113.

SQL Server 2008 R2 SP2 GDR (IA-64 only)

10.50.4047.0

SP2 TLS 1.2 Update

SQL Server 2008 R2 SP2 GDR (IA-64) TLS 1.2 Updates

SQL Server 2008 R2 SP2 CU (IA-64 only)

10.50.4344.0

SP2 TLS 1.2 Update

SQL Server 2008 R2 SP2 GDR (IA-64) TLS 1.2 Updates

SQL Server 2008 SP4

(x86/x64 only)

10.0.6547.0

SP4 TLS 1.2 Update

TLS 1.2 Support is available in the latest cumulative update for SQL Server 2008 SP4 – KB4057114 . (x86/x64 only)

SQL Server 2008 SP3 GDR (IA-64 only)

10.0.5545.0

SP3 TLS 1.2 Update

SQL Server 2008 SP3 GDR (IA-64) TLS 1.2 Updates

SQL Server 2008 SP3 CU (IA-64 only)

10.0.5896.0

SP3 TLS 1.2 Update

SQL Server 2008 SP3 CU (IA-64) TLS 1.2 Updates

Client component downloads

Use the following table to download the client components and driver updates that are applicable to your environment.

Client component /driver

Updates with TLS 1.2 support

SQL Server Native Client 10.0 for SQL Server 2008/2008 R2 (x86/x64/IA64)

Microsoft SQL Server 2008 and SQL Server 2008 R2 Native Client

SQL Server Native Client 11.0 for SQL Server 2012/2014 (x86/x64)

Microsoft SQL Server 2012 Native Client - QFE

Additional fixes needed for SQL Server to use TLS 1.2

You have to install the following .NET hotfix rollups to enable SQL Server features like Database Mail and certain SSIS components that use .NET endpoints which require TLS 1.2 support like the Web Service task to use TLS 1.2.

Operating System

.NET Framework version

Updates with TLS 1.2 support

Windows 7 Service Pack 1, Windows 2008 R2 Service Pack 1

3.5 .1

Support for TLS v1.2 included in the .NET Framework version 3.5.1

Windows 8 RTM, Windows 2012 RTM

3.5

Support for TLS v1.2 included in the .NET Framework version 3.5

Windows 8.1, Windows 2012 R2 SP1

3.5 SP1

Support for TLS v1.2 included in the .NET Framework version 3.5 SP1 on Windows 8.1 and Windows Server 2012 R2

Frequently asked questions

Is TLS 1.1 supported on SQL Server 2016 and later versions?

Yes. SQL Server 2016, SQL Server 2017 on Windows, and SQL Server 2019 on Windows versions ship with TLS 1.0 to TLS 1.2 support. You have to disable TLS 1.0 and 1.1 if you want to use only TLS 1.2 for client-server communication.

Does SQL Server 2019 permit connections using TLS 1.0 or 1.1, or only 1.2?

SQL Server 2019 has the same level of support as SQL Server 2016 and SQL Server 2017, and SQL Server 2019 supports older versions of TLS. SQL Server 2019 RTM is shipped with TLS 1.2 support and no additional update/fix is required to enable TLS 1.2 support.

Is TDS affected by known vulnerabilities?

No known vulnerabilities have been reported for the Microsoft TDS implementation. Because several standards-enforcement organizations are mandating the use of TLS 1.2 for encrypted communication channels, Microsoft is releasing the support for TLS 1.2 for the widespread SQL Server installation base.

How will the TLS 1.2 updates be distributed to customers?

This article provides download links for the appropriate server and client updates that support TLS 1.2.

Will SQL Server 2005 be supported for TLS 1.2?

TLS 1.2 support is offered only for SQL Server 2008 and later versions.

Are customers who are not using SSL/TLS affected if SSL 3.0 and TLS 1.0 are disabled on the server?

Yes. SQL Server encrypts the username and password during login even if a secure communication channel is not being used. This update is required for all SQL Server instances that are not using secure communications and that have all other protocols except TLS 1.2 disabled on the server.

Which versions of Windows Server support TLS 1.2?

Windows Server 2008 R2 and later versions support TLS 1.2.

What is the correct registry setting to enable TLS 1.2 for SQL Server communication? The correct registry settings are as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2] 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001  

These settings are required for both server and client computers. The DisabledByDefault and Enabled settings are required to be created on Windows 7 clients and Windows Server 2008 R2 servers. On Windows 8 and later versions of the client operating systems or Windows Server 2012 server and later versions of the server operating systems, TLS 1.2 should already be enabled. If you are implementing a deployment policy for Windows Registry which needs to be independent of the OS release, then we recommend adding the mentioned registry keys to the policy.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Any additional feedback? (Optional)

Thank you for your feedback!

×