Hero Banner

Data & AI Partner Community

Latest information on Microsoft’s hybrid data and AI platform


Do you know Extended Security Updates work for SQL Server 2008/R2?

The end of support for SQL Server 2008 and 2008 R2 that reached it's deadline on July 9th opens a great opportunity to engage with our customers to drive roader Data Estate Modernization conversations that can lead to n.ew Azure Migration and Innovation engagements.


SQL Server migrations to Azure is solely the biggest opportunity there is for our Data & AI business and the motion didn’t stop on July, 09th. If after selling the value of modernizing with Azure SQL Database, Azure SQL Server 2017 & 2019 VMs and SQL Server 2017 & 2019, your customer is not ready to move from 2008, Microsoft offers the option of having three additional years of Extended Security Updates. This option is free in Azure SQL Server 2008 VMs and paid for on-premises deployments.


Please, find below the detailed guidance of how critical updates will be delivered to customers that choose to stay in SQL Server 2008/R2 with Extended Security Updates.


SQL Server 2008/R2 Extended Security Updates


Definition of critical updates through Extended Security Updates

An ESU for SQL Server is essentially a GDR. See GDR definition.


It's important to note that ESUs will be made available as needed, only if a security issue is found with SQL Server 2008/8R2 versions and MSR deems it a Critical update.


The Microsoft SQL Server Product Team doesn’t ship patch application software. This team creates the patches and upload the patch files. Customers can choose to run a patch manually or through other automation tools like WSUS, SCCM or third party patching tools or other automation tools. We don’t provide guidance on this. Here’s a reference.


As a Microsoft Partner, you should incentivize customer that chooses ESUs to subscribe to patch release notifications through aka.ms/sqlreleases or work with their technical teams to be informed about the updates.


How will critical updates be delivered?


SQL Server 2008/R2 running on Windows Server 2008/2008 R2 on Azure Virtual Machines

Customers will receive updates automatically through existing SQL Server automatic update channels. If an Azure Virtual Machine is not configured to receive automatic updates, then the on-premises download option applies.


SQL Server 2008/R2 running on Windows Server 2008/2008 R2 on-premises

Customers who purchase Extended Security Updates for on-premises use will be able to download patches from the Azure portal, and then deploy that update package to their on-premises environment such as with any other SQL Server update. This is also the process that customers will need to follow for disconnected Azure Stack.


SQL Server patches don’t require an activation key to block unauthorized or unlicensed installs: as such will be using the Azure portal to distribute any future security update packages to eligible customers, because it is already gated by the customer’s Azure subscription. To be able to access the download link from the Azure subscription, a customer will need to register the SQL Server instances for which Extended Security Updates (ESUs) were purchased. See the registration details further below.


While it’s understood the registration step might be seen as a friction point, we understand paying customers would be more upset if the patch they had paid for was freely available to all in the public Microsoft Download Center. Given the PII, GDPR, and other legal requirements, it is an effective cost management mechanism for us to gate access to ESUs through Azure subscriptions. Business Planning and Finance require that Microsoft offers a gating mechanism to ensure that customers that are not paying for ESUs don’t get access. Registering and downloading the security update through the Azure portal is the most secure and compliant way to implement it. We recommend that you position this decision, in case customers have questions, reinforcing the Azure portal unique value proposition, as being a secure website which has the necessary controls to validate the access and download the security update.


After a customer downloads the security update package, the patching process for SQL Server is not different from what customers have today. ESUs for SQL Server does not ship specific patching software – is it an update package like any other that exists today for any in-market version of SQL Server. SQL Server ESU patches can be installed by customers using whatever update management tools they use today, such as Windows Server Update Services (WSUS) or System Center, third-party update management software, or custom deployment scripts.


Microsoft recommends applying Extended Security Update patches as soon as they are available in order to keep a SQL Server environment protected. For specific questions about instance registration and download process, please contact your Microsoft Technical Account Manager or Support resource. 


SQL Server Azure Portal Registration

There will be two ways of registering ESU instances:

  1. Manually, through a simple Azure portal form
  2. Bulk, by uploading a CSV file.
    1. Microsoft will provide a T-SQL and Powershell script example to collect the required data into a CSV-like format, and can execute the script on any ESU instance.
    2. For customers that already run inventory software will likely extract the necessary data fields from that source.

The ESU instance registration has following mandatory data input fields:

  • SQL Server instance name formatted as <server_name>\<instance_name>. This is the output of the T-SQL function @@SERVERNAME.
  • SQL Server Version. Only 2008 and 2008 R2 can register for ESUs.
  • SQL Server Edition. Only Standard Edition and Enterprise Edition can register for ESUs.
  • # of licensed cores. ESU licensing aligns with the current SQL Server licensing, even though the underlying SQL Server instance can use only Processor or Server + CAL license. When customers purchase ESU they report virtual cores – these are either physical cores (if non-Hyperthreaded), Hyperthreaded cores, or vCores in a virtualized environment (includes IaaS).
  • Host Type. Virtual Machine, Physical server, Azure Virtual Machine.


Learn More here: detailed step-by-step instructions on how to register ESU instances using the methods above, and how to download ESU patches, if and when they become available for SQL Server 2008 and 2008 R2 (post EOS date: July-9 2019).