MSDE 2000 and SQL vulnerability



frankosaurus
01-27-2003, 11:45 AM
Hello, I'm delivering an application that uses the MSDE 2000 merge module. This weekend there was a big concern about a worm exploiting a vulnerability in SQL Server, discovered last summer:

http://www.nextgenss.com/advisories/mssql-udp.txt

Does anyone know if this vulnerability affects installations of MSDE 2000 using the InstallShield merge module?

If so, is there a merge module that incorporates the latest service pack for SQL Server/MSDE?

Or is it necessary to package a SQL Server updater with my application and run it after MSDE installs? For example:

http://support.microsoft.com/default.aspx?scid=/support/servicepacks/SQL/2000/SP3ReadMe.asp#_install_desktop_engine_sp3

Thanks for your help!

--Frank

Chandima
01-27-2003, 03:41 PM
Wow, that sounds pretty nasty! I'm afraid the MSDE 2000 merge modules we use are the ones distributed by Microsoft. Until they create new merge modules that incorporate the Service Packs there is nothing we can do.

You could however run the Service Pack as part of your install. I would try launching SQL2KdeskSP3.exe as a Custom Action at the end of your setup. By this time all the MSDE 2000 stuff should be done. One way of doing this would be to:

1. Go to Setup Files View.
2. Add SQL2KdeskSP3.exe to the "English" node.
3. Create a new Exe Custom Action.
4. Set its "Source Location" property to "File exists on Target machine".
5. Set "Folder" property to [SUPPORTDIR] (you will have to manually type this in).
6. Set "File name and Command Line" property to "SQL2KdeskSP3.exe".
7. Set "Invoke" property to "After Setup Complete Success" dialog.

Build and install.

cschaab
01-27-2003, 04:33 PM
According to Microsoft they have released the MSDE 2000 merge modules:

http://support.microsoft.com/default.aspx?scid=/support/servicepacks/SQL/2000/SP3ReadMe.asp#_install_desktop_engine_sp3

3.7 Install Desktop Engine SP3
The following information applies only to Desktop Engine.

The service pack for SQL Server 2000 Desktop Engine (also known as MSDE 2000) is intended for developers who create redistributable applications that use the Desktop Engine. Any instances of Desktop Engine that have been installed by a third-party application must be upgraded with a service pack supplied by the application vendor. If you are running an application that uses the Desktop Engine, contact your software provider for information about upgrading instances of the Desktop Engine that are installed by these applications. For more information, see the topic "Distributing the SQL Server 2000 Desktop Engine" in SQL Server Books Online. For information about the appropriate uses of Desktop Engine, see the Microsoft SQL Server Web site for Desktop Engine. For additional Desktop Engine SP3 installation information, see Knowledge Base article 810826.

The service pack for Desktop Engine is distributed in the following ways:

- On the SQL Server 2000 Service Pack 3 CD-ROM.
- Through SQL2KdeskSP3.exe. You can download this self-extracting file from the Microsoft SQL Server Downloads Web site.

Both delivery vehicles include all of the files that are required to install a new instance of Desktop Engine (.msi files), to upgrade all existing instances of Desktop Engine (.msp files), as well as to consume merge modules (.msm files) into applications. For more information, see "Distributing SQL Server Applications" in SQL Server Books Online or the Knowledge Base article 810826. You can access the article from the Microsoft Product Support Services Knowledge Base.

So when can we expect an update? Or how can we use these merge modules from Microsoft?

Thanks,
Charlie

frankosaurus
01-27-2003, 05:47 PM
Chandima,

I think SQL2KdeskSP3.exe is just an archive that contains the installer, so running it as a custom action wouldn't actually update MSDE-- it would just extract the files.

Also, this file is nearly 70 MB, bigger than my original application installer (which included the MSDE merge module), so I'd like to find a way to take the various .msi, .msp, and .msm files that are included within SQL2KdeskSP3.exe and incorporate them into my installer. Any suggestions? Thanks!

--Frank

Chandima
01-27-2003, 05:51 PM
I just realized that! I am currently looking into this issue. I am pretty sure that using the msm files in that redist should fix the problem BUT am looking into some other related stuff as well. I'll let you two know what I find.

bschell
01-29-2003, 08:39 AM
I was hoping you could help me with some problems we are having upgrading MSDE to Service Pack 3. Our application installs MSDE 2000 via InstallShield. When we try to upgrade MSDE using Microsoft's patch, it tells us the instance is not valid for upgrade. After checking the product code in the registry for MSDE, we noticed it does not correspond to one of the 16 msi product codes Microsoft recognizes. Do you have any recommendations for how we can get around this problem and upgrade our customers?

Thanks,
Barclay Schell

Chandima
01-30-2003, 01:37 PM
We have been looking at this for the past two days and are trying to come up with a workaround or hotfix. You cannot use any of those patches that come with the MSDE SP3 redist. This is because you installed MSDE using the merge modules.

It's a real mess but let me try and explain. When you install MSDE using the merge modules (which is the Microsoft recommended way) MSDE gets installed as part of YOUR application. That's why you won't see MSDE listed in Add/Remove Programs. Windows has no idea that it is an entity separate from your project. So when you run any of the SP3 patches, they fail because as far as they are concerned, MSDE is not installed so there is nothing to patch.

Microsoft says that if you installed MSDE using the merge modules you have to create your own patch (or something to that effect). They say that MSDE is now an integral part of your program, so the upgrade to the SP should be considered as an upgrade/update to your program.

So far the only way I have got it to work is to use a minor upgrade. Here is what I did:
1. Create a new project and add some files.
2. Use the MSDE 2000 wizard and add all the MSDE 2000 modules.
3. Build a CDROM image.
4. Do a "Save As" and save the Express project under a different name.
5. Copy the following MSDE 2000 SP3 merge modules (that come with the Microsoft download) to the \Modules\i386 folder of Express.
CONNECT.MSM
DEV_SCM.MSM
DMO.MSM
DTC.MSM
DTS.MSM
REPL.MSM
SEM.MSM
SHARED.MSM
SQLAGENT.MSM
SQLSVR.MSM
TOOLS.MSM
UPGRADE.MSM
Everything in the "1033" folder
6. Close Express, re-open it and open the copy of your project
7. Go to Redistributables view and verify that all the merge modules are found.
8. Build a CDROM image.
9. Browse to the release location.
10. Open Setup.ini and add the following to the "CmdLine" value

REINSTALLMODE=omus REINSTALL=All

11. Open the original project's msi in ORCA.
12. In the main menu go to View->Summary Information.
13. Copy the value given to "Package Code". Close the msi without saving.
14. Open the copy's msi in ORCA.
15. In the main menu go to View->Summary Information.
16. Paste the value you copied earlier into the "Package Code" field.
17. Close the msi and save.
18. Run the original setup on a machine that does NOT have MSDE. Verify it's SP2.
19. Run the "copy" setup. => This should NOT ask for Customer Information and all that stuff. It should update the MSDE to SP3. Verify that it is updated and that it works.

Please let me know if this works for you. Also let me know if something is not clear.

NOTE: If you use an empty sa password for MSDE, between steps 16 and 17 you MUST do the following:
- Go to Property Table.
- Create a new property named "SqlBlankSaPwd" and set its value to 1.
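
Steps 18 and 19 above ask you to verify the MSDE service-pack level before and after the upgrade. The following Python is an added example, not code from any post in this thread: it classifies `SELECT @@VERSION` banners by the engine build number rather than by the "Service Pack" text, which in that banner describes the operating system. It assumes SP3 reports build 8.00.760; the host names and banners are constructed.

```python
import re

# Assumption (not from the thread): SQL Server 2000 / MSDE 2000 SP3
# reports engine build 8.00.760.
SP3_BUILD = (8, 0, 760)

# The engine build follows the product name. Anything later in the banner
# describes the operating system, including its own "Service Pack N".
BANNER_RE = re.compile(r"Microsoft SQL Server\s+2000\s+-\s+(\d+)\.(\d+)\.(\d+)")


def parse_build(banner):
    """Return (major, minor, build) from a @@VERSION banner, or None."""
    match = BANNER_RE.search(banner)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(banner):
    """Return 'sp3-or-later', 'needs-sp3' or 'unknown' for one banner."""
    build = parse_build(banner)
    if build is None:
        return "unknown"
    return "sp3-or-later" if build >= SP3_BUILD else "needs-sp3"


def audit(banners):
    """Classify a {host: banner} mapping and return {host: status}."""
    return {host: classify(text) for host, text in banners.items()}


# Constructed sample banners (hypothetical hosts, shortened text).
# pos-01 shows the trap: the OS is at Service Pack 3, the engine is not.
SAMPLE_BANNERS = {
    "pos-01": "Microsoft SQL Server  2000 - 8.00.534 (Intel X86)\n"
              "\tDesktop Engine on Windows NT 5.0 (Build 2195: Service Pack 3)\n",
    "pos-02": "Microsoft SQL Server  2000 - 8.00.760 (Intel X86)\n"
              "\tDesktop Engine on Windows NT 5.1 (Build 2600: Service Pack 1)\n",
    "pos-03": "connection refused",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_BANNERS).items()):
        print(f"{host}: {status}")
```
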