If you disable TLS 1.0 and SSL 3.0 for PCI, SQL Server will stop working.

SQL Server 2012 r2 out-of-the-box only supports SSL protocols up to and including TLS 1.0 by default. Unfortunately, PCI has required the obsolescence of SSL 3.0 and TLS 1.0.

Microsoft has released a hotfix for this at https://support.microsoft.com/en-us/kb/3052404; they will email you the links if you request the hotfix, since it is not formally a part of any update yet. However, the KB will offer you TWO hotfixes to choose from for the SQL Server 2012 r2 hotfix, with no information that distinguishes the two different choices.

1) 2012_SP2_SNAC_CU6_3052468_11_0_5592_x64/11.0.5592.0/free/484541_intl_x64_zip.exe

OR

2) SQLServer2012_SP2_CU6_3052468_11_0_5592_/11.0.5592.0/free/484539_intl_x64_zip.exe

Which is the right one? Has anyone gone through the "experiment" of finding which one of these hotfixes is correct and for which circumstance?

Michael Barber

2 Answers

The "SNAC" is typically the update for the SQL Native Client (which may be installed on either the clients and/or the SQL server). The other download is for the SQL Server. If a computer is using the SQL Native Client, the "SNAC" download would be required.

Greg Askew
  • Thanks Greg. I only need it for TLS 1.2, so do I only need the SNAC update? Besides MDAC or Native driver support to the SQL database, I need the Enterprise Manager to work with TLS 1.2. I would like to limit the risk of going to these hotfixes that have not yet been released as a SP. – Michael Barber Nov 05 '15 at 20:01
  • Not sure about the Native Client. Not everyone uses it. When Microsoft releases a CU for SQL Server, there is often an update for the Native Client included. If you need it probably depends on the application architecture. If you only have web servers front-ending the database, it may not be required. If there are traditional Windows clients that actually have the Native Client installed, and they don't work if TLS 1.0 is disabled, you may need it. More information: https://msdn.microsoft.com/en-us/library/ms130828.aspx – Greg Askew Nov 05 '15 at 20:13
  • OK, now I understand. I use the SQL Native Client connection string as opposed to ODBC, so it sounds like I need it. I thought it was like a hotfix just for SQL and then one for SQL, SQL Tools, Reporting tools, and everything else. – Michael Barber Nov 05 '15 at 22:21

As of January 29th, Microsoft SQL Server supports TLS 1.2 for SQL Server 2008, SQL Server 2008 R2, SQL Server 2012 and SQL Server 2014 and major client drivers like Server Native Client, Microsoft ODBC Driver for SQL Server, Microsoft JDBC Driver for SQL Server and ADO.NET (SqlClient).

Blog post about the release: http://blogs.msdn.com/b/sqlreleaseservices/archive/2016/01/29/tls-1-2-support-for-sql-server-2008-2008-r2-2012-and-2014.aspx

List of builds that support TLS 1.2 along with the client and server component download locations (KB3135244): http://support.microsoft.com/kb/3135244

  • `KB3135244` is the definitive document on this. But it can be summarized as: perform the latest updates on your SQL Server and make sure your clients are using the latest SQL Native Client (my peers call that the ODBC driver). Additionally, you may need to enable TLS 1.2 in the SCHANNELS (OS level) and enable secure connections in .NET. – Nathan Goings Oct 26 '20 at 15:21
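
An added example, not part of the question, answers or comments above: a read-only PowerShell audit of the OS-level SCHANNEL protocol settings and the .NET Framework strong-crypto flag, to run on the SQL Server host and on client machines before disabling SSL 3.0 and TLS 1.0. The function names are hypothetical, the registry paths are the standard Windows locations, and reading "secure connections in .NET" as the `SchUseStrongCrypto` value is an assumption.

```powershell
# Added example: read-only audit, changes nothing on the host.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$DotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Hypothetical helper: returns the value, or $null when the key or value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Hypothetical helper: one row per protocol and role (Server = inbound, Client = outbound).
function Get-SchannelProtocolState {
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Server', 'Client') {
            $key = "$SchannelRoot\$proto\$role"
            $enabled = Get-RegValue -Path $key -Name 'Enabled'
            $offByDefault = Get-RegValue -Path $key -Name 'DisabledByDefault'
            $state = if ($null -eq $enabled -and $null -eq $offByDefault) {
                'NotConfigured (OS default applies)'
            } elseif ($null -ne $enabled -and $enabled -eq 0) {
                'Disabled'
            } elseif ($offByDefault -eq 1) {
                'Off by default'
            } else {
                'Enabled'
            }
            [pscustomobject]@{
                Protocol = $proto; Role = $role; Enabled = $enabled
                DisabledByDefault = $offByDefault; State = $state
            }
        }
    }
}

$rows = @(Get-SchannelProtocolState)
$rows | Format-Table -AutoSize

foreach ($key in $DotNetKeys) {
    $value = Get-RegValue -Path $key -Name 'SchUseStrongCrypto'
    $text = if ($null -eq $value) { 'not set' } else { $value }
    '{0}  SchUseStrongCrypto = {1}' -f $key, $text
}

# If TLS 1.2 is explicitly off, disabling SSL 3.0 and TLS 1.0 leaves nothing to negotiate.
$rows | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.State -in 'Disabled', 'Off by default' } |
    ForEach-Object { Write-Warning "TLS 1.2 ($($_.Role)) is $($_.State); fix this before disabling older protocols." }
```

A `NotConfigured` row means the Windows version's built-in default applies, so the result still has to be read against the OS release and the SQL Server and client driver builds listed in KB3135244.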