http://www.microsoft.com/en-us/download/details.aspx?id=44618

This week Microsoft released a number of security updates to patch an issue with Schannel, as described in this article:

https://technet.microsoft.com/library/security/MS14-066

When the update is installed on a server running Microsoft SQL Server (so far confirmed as an issue with SQL Server 2008 R2, SQL Server 2012 and SQL Server 2014), client applications that access the database via ODBC, such as Microsoft Access clients pointing to SQL tables, encounter a major performance hit.

Our customers are reporting that this security update causes MAJOR performance problems in any Microsoft Access application with a SQL Server backend (any version).  For example, a simple operation such as clicking from one line of an order to another (without performing ANY data updates) can take from 5 to 15 seconds!  For users having to update hundreds of lines of orders, the application becomes nearly unusable – an activity that used to take 5 minutes could take hours to complete.

Please, if you have not installed this update yet – DO NOT INSTALL IT to the SQL Server machine (it can be installed to clients or other servers).

If you have installed the update and are experiencing this issue, please remove the following specific update from the computer running Microsoft SQL Server to get your system back to performing normally:

Click Start, then type: “Update”, click “View installed updates”


In the list of updates, scroll down until you find the updates installed recently (your exact date may differ).  Select “Security Update for Microsoft Windows (KB2992611)” and click Uninstall.  After a reboot, application performance returns to normal.


As of November 13th at 11:49 AM we know that if you select each one of these under this group, uninstall it, and then reboot, performance returns to normal.

KB3010788, KB3008627, KB3006226, KB3005607, KB3003743, KB3003057, KB3002885, KB2993958, KB2992611, KB2991963, KB2978120

Update: as of 2014-11-13 3:20PM our most recent test looks like it may only be KB2992611 as the root cause of this performance problem.  The client machine does not appear to need the update removed.

Update: as of 2014-11-13 5:00PM we have a case open with Microsoft to figure out the underlying performance problem.  Obviously we want our customers to be able to install security updates, but it can’t be at the expense of being able to use the software that runs your company.  I’ll post additional updates when we hear back from the Windows Team.

Update: as of 2014-11-14 1:30PM: Update from Microsoft on our open case: The SQL Team is working directly with the Windows team and have been able to reproduce performance issues.  They’ve created a specific tool to gather performance stats related to the issue and are working with one of my techs to gather the stats in our lab environment with both the patch installed and with it removed.

Update as of 2014-11-17 2:00 PM: Microsoft has completed data capture of several traces of client to server communication with the patch applied and removed.  Status: Ball in Microsoft’s court.  Waiting on analysis.

Update: Per the user comments below, this performance issue may affect any client (not just Microsoft Access clients) that happens to use the SQL Server driver built into Windows.

Put differently, you may be affected if your connection string looks like this:

Driver={SQL Server};Server=ComputerNameRunningSQL;Database=SQLDBName;Uid=SQLAuthUser;Pwd=SQLAuthPass;

Or like this:

Driver={SQL Server};Server=ComputerNameRunningSQL;Database=SQLDBName;Trusted_Connection=Yes;
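
To find which applications use that driver, the connection strings can be checked mechanically. The following PowerShell is an added example, not part of the original post; the function names Get-OdbcDriverName and Test-LegacySqlServerDriver and the sample strings are hypothetical and constructed for illustration.

```powershell
# Added example, not from the original post. Sample strings are constructed;
# server, database and account names are placeholders.

function Get-OdbcDriverName {
    param([Parameter(Mandatory=$true)][string]$ConnectionString)
    # Simple split on ';' (assumes no brace-quoted value contains ';').
    foreach ($pair in ($ConnectionString -split ';')) {
        # Split on the first '=' only, so values containing '=' survive.
        $key, $value = ($pair -split '=', 2)
        if ($null -ne $value -and $key.Trim() -ieq 'Driver') {
            # ODBC wraps driver names in braces: {SQL Server}
            return $value.Trim().TrimStart('{').TrimEnd('}').Trim()
        }
    }
    return $null   # no Driver keyword, e.g. a DSN-based string
}

function Test-LegacySqlServerDriver {
    param([Parameter(Mandatory=$true)][string]$ConnectionString)
    # Exact, case-insensitive match on the driver named in the post.
    # "SQL Server Native Client 11.0" is a different driver that the
    # post does not discuss, so a substring match would be wrong.
    return (Get-OdbcDriverName $ConnectionString) -ieq 'SQL Server'
}

$samples = @(
    'Driver={SQL Server};Server=ComputerNameRunningSQL;Database=SQLDBName;Trusted_Connection=Yes;',
    'DRIVER={SQL Server Native Client 11.0};Server=ComputerNameRunningSQL;Database=SQLDBName;Trusted_Connection=Yes;',
    'DSN=OrdersDsn;Uid=SQLAuthUser;'
)

# Print only the verdict and driver name, never the full string,
# so SQL-auth passwords do not end up in console output or logs.
foreach ($s in $samples) {
    '{0,-5}  {1}' -f (Test-LegacySqlServerDriver $s), (Get-OdbcDriverName $s)
}
```

A DSN-based string carries no Driver keyword, so the DSN's own configuration has to be checked separately to see which driver it uses.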

Update: 2014-11-28 1PM – Just received this notification e-mail from Microsoft:

The following bulletins have undergone a major revision increment.

* MS14-066 – Critical

Bulletin Information:

=====================

MS14-066 – Critical

https://technet.microsoft.com/library/security/ms14-066

– Reason for Revision: V2.0 (November 18, 2014): Bulletin revised to announce the reoffering of the 2992611 update to systems running Windows Server 2008 R2 and Windows Server 2012. The reoffering addresses known issues that a small number of customers experienced with the new TLS cipher suites that were included in the original release. Customers running Windows Server 2008 R2 or Windows Server 2012 who installed the 2992611 update prior to the November 18 reoffering should reapply the update. See Microsoft Knowledge Base Article 2992611 for more information.

– Originally posted: November 11, 2014
– Updated: November 18, 2014
– Bulletin Severity Rating: Critical
– Version: 2.0

We have not tested this yet, but will shortly. 

UPDATE: 2014-11-18 1:50PM: Part 2 of the Rev 2 patch worked!

In my example, I went back to the URL: https://technet.microsoft.com/library/security/ms14-068, selected the Windows Server 2008 R2 patch (for the test machine I was using this time I needed that one), then when I clicked download I now see a second option:

Windows6.1-KB3018238-x64.msu

On installing that 2nd file listed the problem was resolved.  Performance is back to normal for this particular Windows Server 2008 R2 server with SQL installed!
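
The update states described in this post can be checked across several SQL Server hosts at once. The following PowerShell is an added example, not part of the original post; the function name Get-SchannelPatchState is hypothetical, and it assumes KB3018238 appears as its own entry in the installed-updates list.

```powershell
# Added example, not from the original post.
# Assumption: KB3018238 is listed as a separate installed update.

function Get-SchannelPatchState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($computer in $ComputerName) {
        try {
            $ids = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                     ForEach-Object { $_.HotFixID })
        } catch {
            # Host unreachable or access denied: report it, keep going.
            New-Object PSObject -Property @{
                Computer = $computer; KB2992611 = $null; KB3018238 = $null
                State = "query failed: $($_.Exception.Message)"
            } | Select-Object Computer, KB2992611, KB3018238, State
            continue
        }
        $hasOriginal = $ids -contains 'KB2992611'
        $hasFollowUp = $ids -contains 'KB3018238'
        if (-not $hasOriginal) {
            $state = 'KB2992611 not installed: MS14-066 fix missing'
        } elseif ($hasFollowUp) {
            $state = 'KB2992611 and KB3018238 installed: state reported as resolved in the post'
        } else {
            $state = 'KB2992611 without KB3018238: state reported as slow in the post'
        }
        New-Object PSObject -Property @{
            Computer = $computer; KB2992611 = $hasOriginal
            KB3018238 = $hasFollowUp; State = $state
        } | Select-Object Computer, KB2992611, KB3018238, State
    }
}

# Run on the SQL Server host itself, or pass a list of host names.
Get-SchannelPatchState | Format-List
```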

UPDATE: 2014-12-01: Windows 7 SP1 No patch available.

If you are running SQL Server on your laptop, for example to demo your application or as a developer, we’ve discovered that there is no KB3018238 available.  Attempting to install that KB on Windows 7 simply results in an error: The update is not applicable to your computer.

I’ve contacted Microsoft under my original case on this issue. Their reply so far: “KB3018238 is not available in Windows 7.” – Yes, that would be the point of my call…

So those of you who do development on Windows 7, or those of you who are salespeople with copies of your company’s ERP database installed locally, are in the same situation – either do not install KB2992611 and have a working application, or do not install it, have a working application but be at risk.
