Symptoms
Assume that you use SQL Server Profiler to capture the SP:Starting and SP:Completed events in SQL Server.
When the sp_setapprole stored procedure is executed from a remote procedure call, the query statement is logged in the trace log in clear text. However, you expect it to be replaced with an obfuscated value that resembles the following:
-- 'sp_setapprole' was found in the text of this event.
-- The text has been replaced with this comment for security reasons.
Resolution
This issue is fixed in the following cumulative updates and service pack for SQL Server:
Cumulative Update 6 for SQL Server 2016 RTM
Cumulative Update 3 for SQL Server 2016 SP1
Cumulative Update 5 for SQL Server 2014 SP2
Each new cumulative update for SQL Server contains all the hotfixes and all the security fixes that were included with the previous cumulative update. Check out the latest cumulative updates for SQL Server:
Latest cumulative update for SQL Server 2016
Service pack information for SQL Server 2016
This issue is fixed in the following service pack for SQL Server:
Service packs are cumulative. Each new service pack contains all the fixes that are in previous service packs, together with any new fixes. Our recommendation is to apply the latest service pack and the latest cumulative update for that service pack. You do not have to install a previous service pack before you install the latest service pack. Use Table 1 in the following article to find more information about the latest service pack and latest cumulative update.
How to determine the version, edition and update level of SQL Server and its components
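The following T-SQL is an added example, not part of the original article: it reports the instance's update level and audits a saved trace file for SP:Starting and SP:Completed rows in which sp_setapprole was logged without the replacement comment. The trace path is a placeholder that you must change.

```sql
-- Added example (not from the original article).
-- Assumption: @TracePath is a hypothetical placeholder; point it at your own .trc file.
DECLARE @TracePath nvarchar(260) = N'C:\Traces\placeholder.trc';

-- Update level of this instance, for comparison with the updates listed above.
SELECT SERVERPROPERTY('ProductVersion')     AS ProductVersion,
       SERVERPROPERTY('ProductLevel')       AS ProductLevel,
       SERVERPROPERTY('ProductUpdateLevel') AS ProductUpdateLevel;

-- EventClass 42 = SP:Starting, 43 = SP:Completed.
-- TextData is ntext in the trace rowset, so it is converted before matching.
-- LOWER() keeps the match working on case-sensitive collations.
-- [_] matches a literal underscore (a bare _ is a LIKE wildcard).
-- TextData is deliberately not selected, so the clear-text statement
-- is not copied into the result set.
SELECT t.EventClass,
       t.StartTime,
       t.SPID,
       t.LoginName,
       t.HostName,
       t.ApplicationName,
       t.DatabaseName,
       CASE
           WHEN x.txt LIKE N'%the text has been replaced with this comment for security reasons%'
               THEN 'redacted'
           ELSE 'CLEAR TEXT'
       END AS SetAppRoleLogging
FROM sys.fn_trace_gettable(@TracePath, DEFAULT) AS t
CROSS APPLY (SELECT LOWER(CONVERT(nvarchar(max), t.TextData)) AS txt) AS x
WHERE t.EventClass IN (42, 43)
  AND x.txt LIKE N'%sp[_]setapprole%'
ORDER BY SetAppRoleLogging, t.StartTime;
```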
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
References
Learn about the terminology that Microsoft uses to describe software updates.