Rebecca Lewis digs into an important patch:
Yesterday was Patch Tuesday, and this month we’ve got a good one. CVE-2026-21262 was already publicly disclosed before Microsoft shipped the fix – and it lets an authenticated SQL Server user escalate straight to sysadmin. SQL Server 2016 through 2025, Windows and Linux. No physical access required. No user interaction required. Just a valid login and a network path to your instance. Go patch!
If you’re a SQL Server DBA or consultant and you’re reading this before patching, stop reading and go patch.
Read on for more information about the vulnerability and how to make sure you’re on the latest CU or GDR for SQL Server.
Also, the fact that there are fixes going back to 2016 doesn’t mean that 2014 and earlier are fine. It just means that Microsoft is serious about not patching versions 10+ years out of date.
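Since the post's advice boils down to "confirm you are on the fixed CU or GDR", here is a T-SQL check to run on each instance. This is an added example, not code from Rebecca Lewis's post or from Microsoft: it reports the build and KB reference the instance is running, compares the build against a fixed-build number you fill in from the KB article for your version (the page lists no build numbers, so `@fixed_build` is a placeholder), and lists current sysadmin members so an unexpected escalation stands out during review.

```sql
-- Added example, not from the linked post. Run on each SQL Server 2016+ instance.
-- 1. What build is this instance on, and which update installed it?
SELECT
    SERVERPROPERTY('ProductVersion')         AS product_version,        -- major.minor.build.revision
    SERVERPROPERTY('ProductLevel')           AS product_level,          -- RTM or SPn
    SERVERPROPERTY('ProductUpdateLevel')     AS update_level,           -- CUn when a CU is installed
    SERVERPROPERTY('ProductUpdateReference') AS kb_article,             -- KB number of the installed update
    SERVERPROPERTY('Edition')                AS edition,
    @@VERSION                                AS full_version_string;

-- 2. Compare the running build with the fixed build for this version.
--    PLACEHOLDER: replace 0.0.0.0 with the fixed build from the KB for your version;
--    the page does not state these numbers, so nothing is assumed here.
DECLARE @fixed_build   nvarchar(32) = N'0.0.0.0';
DECLARE @current_build nvarchar(32) = CONVERT(nvarchar(32), SERVERPROPERTY('ProductVersion'));

-- Turn a.b.c.d into one comparable integer (each part weighted so higher parts dominate).
;WITH parts AS (
    SELECT
        CONVERT(bigint, PARSENAME(@current_build, 4)) * 1000000000000
      + CONVERT(bigint, PARSENAME(@current_build, 3)) * 100000000
      + CONVERT(bigint, PARSENAME(@current_build, 2)) * 10000
      + CONVERT(bigint, PARSENAME(@current_build, 1))                   AS current_rank,
        CONVERT(bigint, PARSENAME(@fixed_build, 4))   * 1000000000000
      + CONVERT(bigint, PARSENAME(@fixed_build, 3))   * 100000000
      + CONVERT(bigint, PARSENAME(@fixed_build, 2))   * 10000
      + CONVERT(bigint, PARSENAME(@fixed_build, 1))                     AS fixed_rank
)
SELECT
    @current_build AS current_build,
    @fixed_build   AS fixed_build,
    CASE
        WHEN @fixed_build = N'0.0.0.0'       THEN N'FILL IN @fixed_build FROM THE KB FIRST'
        WHEN current_rank >= fixed_rank      THEN N'at or above fixed build'
        ELSE                                      N'BELOW fixed build - patch this instance'
    END AS patch_status
FROM parts;

-- 3. Who holds sysadmin right now? Review this list for logins that should not be there,
--    since the vulnerability's impact is escalation of an ordinary login to sysadmin.
SELECT
    member.name        AS login_name,
    member.type_desc   AS login_type,
    member.create_date,
    member.modify_date,
    member.is_disabled
FROM sys.server_role_members  AS rm
JOIN sys.server_principals    AS role_p  ON role_p.principal_id  = rm.role_principal_id
JOIN sys.server_principals    AS member  ON member.principal_id  = rm.member_principal_id
WHERE role_p.name = N'sysadmin'
ORDER BY member.modify_date DESC;
```

Run the three statements together on every instance (the `ProductUpdateReference` KB is the quickest thing to compare against Microsoft's list of fixed updates), and keep a copy of the sysadmin membership output from before patching so later reviews have a baseline to diff against.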