Security Update for SQL Server 2022 RTM CU24
The Security Update for SQL Server 2022 RTM CU24 is now available for download at the Microsoft Download Center and Microsoft Update Catalog sites. This package cumulatively includes all previous security fixes for SQL Server 2022 RTM CUs, plus it includes the new security fixes detailed in the KB Article. Security Bulletins: CVE-2026-40370 - Security Update Guide - Microsoft - Microsoft SQL Server Denial of Service Vulnerability Security Update of SQL Server 2022 RTM CU24 KB Article: KB5089900 Microsoft Download Center: https://www.microsoft.com/download/details.aspx?familyid=34ec989d-5c02-41b7-99ec-f2c35c7a4cdf Microsoft Update Catalog: https://www.catalog.update.microsoft.com/Search.aspx?q=5089900 Latest Updates for Microsoft SQL Server: https://learn.microsoft.com/en-us/troubleshoot/sql/releases/download-and-install-latest-updatesSecurity Update for SQL Server 2022 RTM
The Security Update for SQL Server 2022 RTM GDR is now available for download at the Microsoft Download Center and Microsoft Update Catalog sites. This package cumulatively includes all previous security fixes for SQL Server 2022 RTM, plus it includes the new security fixes detailed in the KB Article. Security Bulletins: CVE-2026-40370 - Security Update Guide - Microsoft - Microsoft SQL Server Denial of Service Vulnerability Security Update of SQL Server 2022 RTM GDR KB Article: KB5091158 Microsoft Download Center: https://www.microsoft.com/download/details.aspx?familyid=9edbb614-c56a-4c5a-b4dc-157d4036f44c Microsoft Update Catalog: https://www.catalog.update.microsoft.com/Search.aspx?q=5091158 Latest Updates for Microsoft SQL Server: https://learn.microsoft.com/en-us/troubleshoot/sql/releases/download-and-install-latest-updates
Microsoft ODBC Driver 17.11.1 for SQL Server Released
We are pleased to announce the general availability of Microsoft ODBC Driver 17.11.1 for SQL Server, released on April 30, 2026. This servicing update delivers important bug fixes and expands Linux platform support. Key Highlights Stability and correctness fixes for parameter array processing, including accurate updates to SQL_ATTR_PARAMS_PROCESSED_PTR and improved row counting when SQL_PARAM_IGNORE is used in parameter arrays. Fixed a connection error that could occur when processing Data Classification metadata in ODBC asynchronous mode. Updated RPM packaging rules to allow installation of multiple driver versions side by side. Corrected XA recovery to ensure proper computation of transaction IDs and recovery of missing transactions. Debian package installation now honors license acceptance for successful completion. New Platform Support Platform Versions macOS 14, 15, 26 Debian 13 Red Hat Enterprise Linux 10 Oracle Linux 9, 10 SUSE Linux Enterprise Server 16 Ubuntu 24.04, 25.10 Alpine Linux 3.21, 3.22, 3.23 Download The driver is available for download from the Microsoft ODBC Driver for SQL Server documentation page. Linux Installation Install or update using your distribution's package manager: Debian/Ubuntu: sudo apt-get update sudo apt-get install msodbcsql17 Red Hat/Oracle Linux: sudo yum install msodbcsql17 SUSE: sudo zypper install msodbcsql17 Alpine: sudo apk add msodbcsql17 Feedback We welcome your feedback. Please report issues on the SQL Server feedback site or open an issue on the ODBC Driver GitHub repository.go-mssqldb v1.10.0: Better Reliability, Developer Experience, and Standards Compliance
We're excited to announce the release of go-mssqldb v1.10.0, the official Microsoft Go driver for SQL Server and Azure SQL Database. This release brings significant reliability improvements, better standards compliance, and a smoother developer onboarding experience. Highlights Detect Server-Aborted Transactions (XACT_ABORT) One of the most impactful fixes in this release addresses a subtle but dangerous bug: when SQL Server aborts a transaction due to XACT_ABORT ON, the driver now correctly detects this state. Previously, a silently aborted transaction could lead to subsequent statements being auto-committed outside the intended transaction boundary, potentially causing data integrity issues. The driver now returns a clear error when you attempt to use a connection whose transaction was server-aborted. (#370) Implement driver.DriverContext Interface The driver now implements Go's driver.DriverContext interface, enabling sql.OpenDB-style usage and better integration with connection pool configuration via sql.DB.SetConnMaxLifetime, SetMaxOpenConns, etc. This brings the driver in line with modern Go database/sql conventions. (#365) Surface Errors from Rows.Close() Previously, server errors that occurred during the token drain phase of Rows.Close() were silently swallowed. Now these errors are properly surfaced to callers, making it much easier to diagnose issues like permission errors or constraint violations that manifest during result set cleanup. (#361) Nullable Civil Types for Date/Time Parameters New nullable types (civil.NullDate, civil.NullTime, civil.NullDateTime) allow you to pass nullable date/time parameters without resorting to *time.Time or raw interface{} values. These integrate cleanly with the database/sql scanner and valuer interfaces. (#325) DevContainer for Instant Development Getting started with go-mssqldb development is now as simple as opening the repo in VS Code or GitHub Codespaces. The new devcontainer configuration includes a SQL Server instance, pre-configured environment variables, and all required tooling. (#317) All Changes Features Add devcontainer for VS Code and GitHub Codespaces (#317) Add FailoverPartnerSPN connection string parameter (#327) Add NewConnectorWithProcessQueryText for mssql driver compatibility (#341) Add nullable civil types for date/time parameters (#325) Bug Fixes Allow named pipe protocol support for ARM64 Windows (#232) Detect server-aborted transactions to prevent silent auto-commit with XACT_ABORT (#370) Expose TrustServerCertificate in msdsn.Config and URL round-trip (#312) Handle COLINFO and TABNAME TDS tokens returned by tables with triggers (#343) Implement driver.DriverContext interface (#365) Make readCancelConfirmation respect context cancellation (#359) Return interface{} scanType for sql_variant instead of nil (#362) Sanitize credentials from connection string parsing errors (#319) Surface server errors from Rows.Close() during token drain (#361) Upgrade go get github.com/microsoft/go-mssqldb@v1.10.0 This release requires Go 1.21+ and is fully compatible with SQL Server 2012 through 2022 and Azure SQL Database. Contributing We welcome contributions! The new devcontainer makes it easier than ever to get started. Open the repo in VS Code, reopen in the container, and you'll have a full development environment with SQL Server ready to go. GitHub Repository Documentation Report IssuesAnnouncing Microsoft.Data.SqlClient 6.1.5
We are pleased to announce the release of Microsoft.Data.SqlClient 6.1.5, the latest servicing update to the 6.1 line. This update focuses on connection performance, error propagation, and vector type metadata correctness. Install or update from NuGet: dotnet add package Microsoft.Data.SqlClient --version 6.1.5 Full release notes: 6.1.5 Release Notes What's in this release Faster connection opens for non-integrated authentication on native SNI A regression caused SPN (Service Principal Name) generation to run for non-integrated authentication modes, such as SQL authentication, on the native SNI path. That triggered unnecessary DNS lookups and could significantly slow down connection opens. This fix restores the expected behavior for affected .NET applications on Windows. (#3523, #3946) ExecuteScalar now propagates post-row server errors ExecuteScalar could previously hide errors when SQL Server returned row data followed by an error token. In those cases, errors such as conversion failures during WHERE clause evaluation were consumed during SqlDataReader.Close() instead of being thrown to the caller, which could leave transactions unexpectedly zombied. This fix ensures the error is surfaced correctly to application code. (#3736, #3947) Correct metadata type for vector float32 columns SqlDataReader.GetFieldType() and GetProviderSpecificFieldType() now return the correct type, SqlVector<float>, for vector float32 columns. Previously these APIs returned metadata that did not match the type-resolution behavior used by GetValue(). (#4104, #4151) Getting started If you are new to Microsoft.Data.SqlClient, check out the introduction documentation. For users of System.Data.SqlClient, please move migrate to Microsoft.Data.SqlClient now. See the porting cheat sheet. If you encounter any issues, please report them on the GitHub repository.Announcing Microsoft Drivers 5.13.1 for PHP for SQL Server
Announcing Microsoft Drivers 5.13.1 for PHP for SQL Server We have released Microsoft Drivers 5.13.1 for PHP for SQL Server (sqlsrv and pdo_sqlsrv). This patch release addresses several important bug fixes, including a security fix for access token handling in pooled connections and multiple stability improvements. Bug Fixes Access token identity leaking across pooled connections When using access token authentication with connection pooling, connections with different tokens could share the same pool entry, causing identity cross-contamination and use-after-free. This release properly incorporates the access token into the connection pool key, ensuring connections are only reused when the token matches. (#1592, fixes #1396) Prepared statement silently failing on insert A prepared INSERT statement could silently fail when triggers or SET NOCOUNT OFF produce extra result sets, causing an implicit transaction rollback with MARS enabled. The driver now correctly handles this scenario. (#1590) Fatal error re-executing prepared statements with varying result sets Re-executing a prepared statement that returns multiple result sets with different column layouts could cause a fatal error. Metadata entries are now properly freed, and the internal vector is cleared between executions. (#1596) sqlsrv_errors() returning null after failed connection When a connection attempt failed and ODBC provided no diagnostic records, sqlsrv_errors() would return null instead of surfacing the error. Connection failures now consistently report the underlying error. (#1595) Stream becoming invalid when statement goes out of scope A binary stream could become invalid when the originating statement went out of scope, leading to undefined behavior or crashes. The driver now properly invalidates streams when their parent statement is destroyed. (#1598, fixes #1443) Installation PECL (Linux/macOS) sudo pecl install sqlsrv sudo pecl install pdo_sqlsrv Windows Download the prebuilt binaries from the GitHub Releases page and follow the loading instructions. Prerequisites ODBC Driver: Microsoft ODBC Driver 17 or 18 for SQL Server PHP: 8.3, 8.4, or 8.5 For detailed platform-specific installation steps, see the Linux and macOS installation guide. Upgrading from 5.13.0 This is a drop-in hotfix release. No API changes, no configuration changes. Update via PECL or replace the DLLs on Windows. If you are using access token authentication with connection pooling, we strongly recommend upgrading to this release. Resources GitHub Repository Official Documentation PECL sqlsrv PECL pdo_sqlsrv Release Notes (CHANGELOG) Report Issues Feedback We welcome your feedback and contributions. Please file issues, feature requests and pull requests on our GitHub Issues page.Announcing Microsoft.Data.SqlClient 7.0.1
We are pleased to announce the release of Microsoft.Data.SqlClient 7.0.1, the first servicing update to the 7.0 line. This patch addresses several compatibility fixes reported by the community after the 7.0.0 GA release. Install or update from NuGet: dotnet add package Microsoft.Data.SqlClient --version 7.0.1 Full release notes: 7.0.1 Release Notes What's in this release SqlBulkCopy fixes for SQL Server 2016 and Azure Synapse Two separate issues affected SqlBulkCopy on older or specialized SQL Server engines: SQL Server 2016 compatibility -- SqlBulkCopy operations failed with Invalid column name 'graph_type' because the column metadata query referenced a column introduced in SQL Server 2017. The query now uses dynamic SQL so the graph_type reference is not compiled on versions that lack the column. (#3714) Azure Synapse dedicated SQL pools -- The column-list query used a variable-assignment pattern that Synapse does not support. The driver now detects Synapse (engine edition 6) and uses STRING_AGG instead, while preserving the variable-assignment fallback for SQL Server 2016 compatibility. (#4149) Vector column type metadata SqlDataReader.GetFieldType() and GetProviderSpecificFieldType() previously returned typeof(byte[]) for vector float32 columns instead of typeof(SqlVector<float>). These methods now follow the same type-determination logic as GetValue(), returning the correct vector type. (#4104) Missing System.Data.Common dependency on .NET Framework The inbox System.Data.Common assembly on .NET Framework predates APIs such as IDbColumnSchemaGenerator. Without the NuGet package dependency, consumers hit CS0012 compilation errors when using these types through Microsoft.Data.SqlClient. The package now explicitly depends on System.Data.Common v4.3.0 for .NET Framework targets. (#4063) User Agent TDS extension enabled unconditionally The Switch.Microsoft.Data.SqlClient.EnableUserAgent AppContext switch has been removed. The driver now always sends User Agent information during login. (#4124) Type forwards for extracted Azure authentication types Type forwards have been added from the core Microsoft.Data.SqlClient assembly to public types that moved to the Microsoft.Data.SqlClient.Extensions.Abstractions package in 7.0.0: SqlAuthenticationMethod, SqlAuthenticationParameters, SqlAuthenticationProvider, SqlAuthenticationProviderException, and SqlAuthenticationToken. This ensures binary compatibility for assemblies compiled against earlier versions of Microsoft.Data.SqlClient. (#4067) Community contributions Both of the SqlBulkCopy fixes in this release were driven by community contributor edwardneal: SQL Server 2016 fix -- Edward authored the original PR (#3719) that rewrote the column metadata query to use dynamic SQL, preventing the graph_type column reference from being compiled on servers that lack it. The fix was recreated on an internal branch (#4092) to enable CI pipeline testing against SQL Server 2016 and 2017. Azure Synapse fix -- Edward identified and fixed (#4176) the incompatibility with Azure Synapse dedicated SQL pools, where the variable-assignment concatenation pattern used to build the column list is not supported. His fix detects Synapse via SERVERPROPERTY('EngineEdition') and switches to STRING_AGG, while preserving the variable-assignment fallback for SQL Server 2016. He manually validated the fix against SQL Server 2016, SQL Server 2025, and an Azure Synapse dedicated SQL pool. We are grateful for Edward's continued contributions to SqlClient. Community involvement like this directly improves the experience for all SqlClient users. Getting started If you are new to Microsoft.Data.SqlClient, check out the documentation. For users of System.Data.SqlClient, see the porting cheat sheet. If you encounter any issues, please report them on the GitHub repository.mssql-python 1.6: Unblocking Your Threads
The last two mssql-python releases shipped big features: Bulk Copy in 1.4 for high-throughput data loading, and Apache Arrow in 1.5 for zero-copy analytics. Version 1.6 is about what happens next: you take those features into production, scale up your thread pool, and find out where the driver was quietly holding you back. This release unblocks your threads during connection setup, fixes crashes and incorrect results in common cursor patterns, and hardens security for passwords with special characters and log file paths. pip install --upgrade mssql-python Your threads can run while connections are opening If you're running mssql-python behind Flask, FastAPI, Django, or any WSGI/ASGI server with thread-based workers, this one matters. Opening a database connection is slow. There's DNS resolution, a TCP handshake, TLS negotiation, and SQL Server authentication. In previous versions, every other Python thread in your process was frozen while that happened, because the driver held the Global Interpreter Lock (GIL) during the entire operation. One thread opening a connection meant no other thread could serve requests, process data, or do anything at all. Version 1.6 releases the GIL during connect and disconnect. Your other threads keep running while the network round-trip completes. If you have a multi-threaded web server handling concurrent requests, this removes a serialization bottleneck you may not have realized you had. The connection pool was also reworked to stay safe under this change. Previously, the pool held an internal lock while calling connect, which would have created a deadlock now that connect releases the GIL. The pool now reserves a slot first, connects outside the lock, and rolls back the reservation if the connection fails. Decimal parameters work with setinputsizes If you use cursor.setinputsizes() to declare parameter types for performance-sensitive batch inserts, you may have hit a crash when specifying SQL_DECIMAL or SQL_NUMERIC. This is fixed. Decimal values now bind correctly whether you're using execute() or executemany(): cursor.setinputsizes([ (mssql_python.SQL_WVARCHAR, 100, 0), (mssql_python.SQL_INTEGER, 0, 0), (mssql_python.SQL_DECIMAL, 18, 2), ]) cursor.executemany( "INSERT INTO Products (Name, CategoryID, Price) VALUES (?, ?, ?)", [ ("Widget", 1, Decimal("19.99")), ("Gadget", 2, Decimal("29.99")), ], ) Iterating catalog results with fetchone() If you've used cursor.tables(), cursor.columns(), or other catalog methods and tried to walk the results with fetchone(), you may have gotten incorrect data. Row tracking was broken for catalog result sets. This now works the way you'd expect: cursor.tables(tableType="TABLE") while True: row = cursor.fetchone() if row is None: break print(row.table_name) This also applies to primaryKeys(), foreignKeys(), statistics(), procedures(), and getTypeInfo(). Reusing prepared statements without reset If you call cursor.execute() with reset_cursor=False to reuse a prepared statement across calls, this no longer raises an "Invalid cursor state" error. Passwords with special characters stay masked in logs If your SQL Server password contains semicolons, braces, or other ODBC-special characters (e.g., PWD={Top;Secret}), previous versions could accidentally leak part of it in sanitized log output. The password masking logic has been rewritten to correctly handle all ODBC connection string formats. If the connection string can't be parsed at all, the entire string is now redacted rather than partially exposed. The logging system also now rejects log file paths that attempt directory traversal, preventing setup_logging(log_file_path="../../somewhere/else.log") from writing outside the intended directory. Better type checker support for executemany If your type checker flagged executemany() when you passed dictionaries as parameter rows, that warning is gone. The type annotations now correctly accept Mapping types, matching the DB API 2.0 spec for named parameters. Get started pip install --upgrade mssql-python For questions or issues, file them on GitHub or email mssql-python@microsoft.com.mssql-django 1.7.1: Microsoft Fabric Support and Migration Fixes
We just shipped mssql-django 1.7.1 with two fixes that matter if you're running Django on Microsoft Fabric or using descending indexes in your migrations. JSONField Now Works on Microsoft Fabric SQL Database in Microsoft Fabric reports itself as EngineEdition 12, which our backend didn't previously recognize. The result: JSONField queries, hash functions, collation introspection, and test teardown all broke on Fabric because the backend couldn't correctly identify the server capabilities. In 1.7.1, we added full detection for Fabric's engine edition. The backend now correctly treats Fabric as an Azure SQL-class database, which means JSONField, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, and collation-dependent lookups all work as expected. We also combined the ProductVersion and EngineEdition queries into a single round trip, so connection setup is faster too. If you've been waiting to use Django with SQL Database in Microsoft Fabric, this is the release that makes it work. Descending Index Migrations No Longer Crash If you had a model with a descending index and ran an AlterField migration on one of the indexed columns, Django would crash with FieldDoesNotExist. The issue was in how our schema editor looked up fields during index reconstruction: it was reading index.fields (which only contains field names for simple indexes) instead of index.fields_orders (which correctly handles the (field_name, order) tuples that descending indexes use). This was a one-line fix, but it blocked anyone whose migrations touched fields covered by descending indexes. If you've been working around this, upgrade and your migrations will run cleanly. SQL Server 2025 in CI We upgraded our Windows CI pipeline to run against SQL Server 2025, so every commit is now tested against the latest version. Combined with our existing coverage across SQL Server 2016-2022, Azure SQL Database, Azure SQL Managed Instance, and now Microsoft Fabric, you can be confident the backend works across the full Microsoft data platform. Upgrade pip install --upgrade mssql-django Full compatibility: Component Supported Django 3.2, 4.0, 4.1, 4.2, 5.0, 5.1, 5.2, 6.0 Python 3.8 - 3.14 (Django 6.0 requires 3.12+) SQL Server 2016, 2017, 2019, 2022, 2025 Azure SQL Database, Managed Instance, SQL Database in Fabric ODBC Driver Microsoft ODBC Driver 17 or 18 Questions, bugs, or contributions? Find us on GitHub. mssql-django is open source under the BSD license. Built and maintained by Microsoft.Security Update for SQL Server 2022 RTM CU24
The Security Update for SQL Server 2022 RTM CU24 is now available for download at the Microsoft Download Center and Microsoft Update Catalog sites. This package cumulatively includes all previous security fixes for SQL Server 2022 RTM CUs, plus it includes the new security fixes detailed in the KB Article. Security Bulletins: CVE-2026-32176 - Security Update Guide - Microsoft - Microsoft SQL Server Denial of Service Vulnerability Security Update of SQL Server 2022 RTM CU24 KB Article: KB5083252 Microsoft Download Center: https://www.microsoft.com/download/details.aspx?familyid=45a0147b-2806-40f7-955e-834cda4aea11 Microsoft Update Catalog: https://www.catalog.update.microsoft.com/Search.aspx?q=5083252 Latest Updates for Microsoft SQL Server: https://learn.microsoft.com/en-us/troubleshoot/sql/releases/download-and-install-latest-updates