K. Brian Kelley notes a slew of patches for July:
CVE-2019-1068 | Microsoft SQL Server Remote Code Execution Vulnerability
It’s a remote code exploit, but the attacker has to be connected to SQL Server because the vulnerability can only be exploited using a specially crafted query. The code would execute in the context of the database engine service account (hopefully not configured to run with administrative rights on the server or elevated rights in Active Directory).
Check this out and get it patched.