0

I'm looking for advice or recommendations on what should be done with the "Setup" program installed during the installation of SQL Server 2019 or 2022. After installation, can/should the Setup be removed or updated at any point?

Microsoft Defender Vulnerability Management is showing that one of our servers that has SQL Server 2019 has 14 vulnerabilities related to SQL Server 2019 being out of date. In Defender under "Inventory", it's saying we're using SQL Server 2019 version 15.0.4013.40. It lists the "evidence" of this version, or how it knows the version, as the registry key of the "Microsoft SQL Server 2019 Setup (English)" program, which is installed at C:\SQL2019.

If I run "SELECT @@VERSION" in SSMS, I can see that we're running the RTM-GDR version 15.0.2101.7. This appears to be the latest security release.

So, it's seeing an old version of the SQL Server Setup program and tying the vulnerabilities to that. This could be an issue with how Defender is accounting for SQL Server, but I want to make sure I'm not missing anything here.

The Microsoft SQL programs listed as being installed are:

  • Microsoft SQL Server 2019 (64-bit)
  • Microsoft SQL Server 2019 Setup (English)
  • Microsoft SQL Server 2019 T-SQL Language Service
  • Microsoft SQL Server Management Studio - 18.12.1

When I try to uninstall the Microsoft SQL Server 2019 Setup (English) entry via Control Panel, I receive this error:

Warning 26003: Microsoft SQL Server 2019 Setup Support Files cannot be uninstalled because the following products are installed:

  • SQL Server 2019 Client Tools Extensions
  • SQL Server 2019 Client Tools Extensions
  • SQL Server 2019 XEvent
  • SQL Server 2019 XEvent
  • SQL Server 2019 Common Files
  • SQL Server 2019 Database Engine Shared
  • SQL Server 2019 Client Tools
  • Microsoft SQL Server 2019 RsFx Driver
  • SQL Server 2019 Database Engine Services
hh_trj
  • 1
  • 1
  • `Microsoft SQL Server 2019 (64-bit)` - this means you _do_ have an instance of SQL Server installed, it's just not the one you're connecting to and running `@@VERSION` against. Did you upgrade or install side-by-side? If you open SQL Server 2022 Configuration Manager and look at SQL Server Services, I bet you have more than one instance installed... – Aaron Bertrand Jun 26 '23 at 20:38
  • 2
    You can also just, I don't know, apply the latest SQL Server 2019 cumulative update to that machine, which will make Defender be quiet without actually potentially removing software that someone else might be relying on. – Aaron Bertrand Jun 26 '23 at 20:52
  • SQL Server Configuration Manager shows a single instance. This was a fresh SQL Server 2019 installation on a fresh Windows Server 2022 installation. We are using the GDR updates instead of the CUs, but either way, even with the CUs, they don't update the actual version of the "SQL Server 2019 Setup" program (the installation wizard), do they? I would still be in the same predicament with an outdated "Setup" program showing as installed. – hh_trj Jun 26 '23 at 21:38
  • [Updated to clarify terminology]. Based on naming I do not think that "SQL Server 2019 Setup" refers to setup media. It sounds more like shared resources i.e. "Setup Support Files " used by various SQL Server products and services. The "C:\SQL2019" directory, provided it contains setup.exe and directories such as: redist, resources, Tools, x64 etc. is just a "setup media" location and can be safely deleted. You can always re-download it later. – Alex Jun 27 '23 at 06:21

0 Answers0