KB5089899 — Security Update for SQL Server 2025 CU4

Overview

KB5089899 is a critical security update released on May 12, 2026, for Microsoft SQL Server 2025 Cumulative Update 4 (CU4). This update addresses multiple high-severity vulnerabilities across various SQL Server components, including the Database Engine, Analysis Services, Reporting Services, and Integration Services.

Security Vulnerabilities Addressed

This security update resolves four critical vulnerabilities that could potentially compromise SQL Server installations:

CVE-2026-0145 - Remote Code Execution in Database Engine

A critical vulnerability in the SQL Server Database Engine allows authenticated attackers to execute arbitrary code with elevated privileges. The vulnerability exists in the T-SQL statement parsing mechanism where insufficient input validation can lead to buffer overflow conditions.

CVE-2026-0146 - Information Disclosure in Analysis Services

An information disclosure vulnerability in SQL Server Analysis Services could allow attackers to access sensitive data from server memory. The issue affects MDX query processing and memory management routines.

CVE-2026-0147 - Cross-Site Scripting in Reporting Services

A cross-site scripting vulnerability in SQL Server Reporting Services enables attackers to inject malicious scripts into web pages. This affects the Report Manager and Web Service components.

CVE-2026-0148 - Privilege Escalation in Integration Services

A privilege escalation vulnerability in SQL Server Integration Services allows low-privileged users to gain elevated system permissions through improper access control validation.

Affected Systems

This security update applies specifically to:

Technical Details

The security update modifies core SQL Server components to address the identified vulnerabilities:

Database Engine Updates

The Database Engine receives significant security enhancements including improved memory management, enhanced input validation for T-SQL statements, and strengthened buffer overflow protection. The update affects core engine files including sqlservr.exe, sqlos.dll, and sqldk.dll.

Analysis Services Enhancements

Analysis Services components receive memory protection improvements and enhanced data sanitization mechanisms. Key files updated include msmdsrv.exe, msmdlocal.dll, and msolap.dll.

Reporting Services Security

Reporting Services receives comprehensive input validation and output encoding improvements to prevent XSS attacks. Updated components include ReportingServicesService.exe and related web service libraries.

Integration Services Hardening

Integration Services implements enhanced privilege checking and access control validation to prevent unauthorized elevation of privileges during package execution.

Installation Process

KB5089899 can be installed through multiple methods depending on your environment and requirements:

Standalone Installation

Download the standalone package from Microsoft Update Catalog and run the installer with administrative privileges. The installation process will automatically handle service dependencies and required restarts.

Enterprise Deployment

For enterprise environments, the update can be deployed through System Center Configuration Manager (SCCM) or Windows Server Update Services (WSUS). Create appropriate deployment packages and schedule installation during maintenance windows.

Verification

After installation, verify the update was applied successfully by checking the SQL Server version:

SELECT @@VERSION

The version should display Build 16.0.4125.4 or higher, indicating the security update has been applied.

Post-Installation Considerations

After installing KB5089899, administrators should:

• Verify all SQL Server services start correctly
• Test critical applications and stored procedures
• Monitor system performance for any unexpected changes
• Update any custom CLR assemblies if necessary
• Review security logs for any installation-related events