Security Update for SQL Server 2016 SP1 (KB4458842)

Executing a specially crafted query involving calculating difference between values of different date types and aggregation of the results, could lead to stack corruption, if the query runs in batch mode. Depending on particular values processed by such query, this could lead to terminating the SQL Server process, or a possibility of remote code execution. More information about the vulnerability can be found here: SQL Server 2016 SP1

The original update for this security vulnerability, KB4293801 released on August 14, 2018, introduced an issue where the sqlceip.exe process experiences an unhandled exception. For this reason, the update has been replaced. If you have previously applied KB4293801, it is recommended that you install KB4458842 as soon as possible. For other impacted SQL Server releases, please see:

Security Update for SQL Server 2016 SP1 CU(CU10+GDR)*
Security Update for SQL Server 2016 SP1 GDR
Security Update for SQL Server 2016 SP2 CU (CU2+GDR)*
Security Update for SQL Server 2016 SP2 GDR
Security Update for SQL Server 2017 RTM CU (CU9+GDR)*
Security Update for SQL Server 2017 RTM GDR
* These security updates are for SQL Server instances that have applied a Cumulative Update.

For a complete listing of the issues resolved in this update, see the associated Microsoft Knowledge Base article.

Supported Operating Systems

Windows 10, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

This update is applicable to SQL Server 2016 SP1 instances installed on supported Windows Operating System.

This update refreshes Microsoft SQL Server 2016 SP1 (versions 13.0.4001.0 to 13.0.4223.10) that have not had a Cumulative Update applied.
For Microsoft SQL Server 2016 SP1 instances that have had any Cumulative Update applied (versions 13.0.4411.0(CU1) to 13.0.4514.0(CU10), please see 2016 SP1 CU. After you install this update, you may have to restart your computer.