KB5090408 is a May 2026 security update for Microsoft SQL Server 2019 GDR that addresses multiple critical vulnerabilities including remote code execution and privilege escalation flaws. This update is essential for maintaining database security and preventing unauthorized access to SQL Server instances.
Knowledge BaseKB5090408SQL Server
KB5090408 — Security Update for SQL Server 2019 GDR
KB5090408 is a security update released on May 12, 2026, that addresses critical vulnerabilities in Microsoft SQL Server 2019 for x64-based systems (GDR branch), including remote code execution and privilege escalation flaws.
13 May 2026 12 min read —
KB5090408SQL ServerSecurity Update 4 fixes 12 min Microsoft SQL Server 2019 for x64-based Systems (GDR)Download
Quick Overview
PowerShell—Check if KB5090408 is installed
PS C:\> Get-HotFix -Id KB5090408# Returns patch details if KB5090408 is installed
Download Update
Download from Microsoft Update Catalog
Get the official update package directly from Microsoft
Diagnostic
Issue Description
Issue Description
This security update addresses several critical vulnerabilities in Microsoft SQL Server 2019 that could allow attackers to exploit the following issues:
- Remote Code Execution: Authenticated attackers could execute arbitrary code on the SQL Server instance with elevated privileges
- Privilege Escalation: Low-privileged users could gain unauthorized administrative access to database resources
- Information Disclosure: Sensitive database information could be exposed to unauthorized users through specific query patterns
- Denial of Service: Malformed queries could cause SQL Server service interruption or memory corruption
These vulnerabilities affect SQL Server instances running on Windows x64 systems and could be exploited by authenticated users with network access to the database server.
Analysis
Root Causes
Root Cause
The vulnerabilities stem from improper input validation in SQL Server's query processing engine and insufficient privilege checks in certain database operations. Specifically, the issues are caused by buffer overflow conditions in the SQL parser and inadequate boundary checks when processing complex queries with nested subqueries and stored procedures.
Overview
KB5090408 is a critical security update released on May 12, 2026, for Microsoft SQL Server 2019 running on x64-based Windows systems. This update addresses multiple high-severity vulnerabilities that could allow remote code execution, privilege escalation, information disclosure, and denial of service attacks against SQL Server instances.
The update is part of the General Distribution Release (GDR) servicing branch and provides essential security fixes without introducing new features or non-security related changes. Organizations running SQL Server 2019 in production environments should prioritize the deployment of this update to maintain database security and compliance.
Security Vulnerabilities Addressed
This security update resolves several critical vulnerabilities in Microsoft SQL Server 2019:
Remote Code Execution Vulnerability
A critical buffer overflow vulnerability in the SQL Server query processing engine could allow authenticated attackers to execute arbitrary code with elevated privileges. This vulnerability affects the core database engine and could be exploited through specially crafted SQL queries containing malformed parameters.
Privilege Escalation Vulnerability
An elevation of privilege vulnerability allows low-privileged database users to gain unauthorized administrative access through improper validation of stored procedure execution contexts. Attackers could exploit this vulnerability to access sensitive data or modify database configurations.
Information Disclosure Vulnerability
A vulnerability in the query optimization component could expose sensitive information through cached execution plans. This issue affects environments where multiple users share the same SQL Server instance and could lead to unauthorized access to confidential data.
Denial of Service Vulnerability
Malformed connection requests could cause SQL Server service interruption through resource exhaustion. This vulnerability could be exploited to disrupt database availability and impact business operations.
Affected Systems
This update applies to the following SQL Server 2019 configurations:
| Product | Version | Architecture | Servicing Branch |
|---|---|---|---|
| SQL Server 2019 | 15.0.2000.5 and later | x64 | GDR |
| SQL Server 2019 Express | 15.0.2000.5 and later | x64 | GDR |
| SQL Server 2019 Developer | 15.0.2000.5 and later | x64 | GDR |
| SQL Server 2019 Standard | 15.0.2000.5 and later | x64 | GDR |
| SQL Server 2019 Enterprise | 15.0.2000.5 and later | x64 | GDR |
Important: This update only applies to SQL Server 2019 instances in the GDR servicing branch. Systems in the Cumulative Update (CU) branch should apply the corresponding cumulative update that includes these security fixes.
Installation Process
The installation process for KB5090408 varies depending on the deployment method chosen:
Standalone Installation
For standalone installations, download the update package from Microsoft Update Catalog and run the installer with administrative privileges. The installation process will automatically detect the SQL Server 2019 instance and apply the necessary updates.
SQLServer2019-KB5090408-x64.exe /quiet /IAcceptSQLServerLicenseTermsEnterprise Deployment
Enterprise environments should use centralized deployment tools such as WSUS or SCCM to ensure consistent application across all SQL Server instances. Create deployment packages targeting systems with SQL Server 2019 GDR installations.
Verification Commands
After installation, verify the update was applied successfully using the following SQL query:
SELECT @@VERSION;
SELECT SERVERPROPERTY('ProductVersion') AS Version,
SERVERPROPERTY('ProductLevel') AS Level,
SERVERPROPERTY('Edition') AS Edition;The version number should reflect the updated build number that includes the security fixes from KB5090408.
Security Recommendations
In addition to applying this security update, organizations should implement the following security best practices:
- Network Segmentation: Isolate SQL Server instances from untrusted networks and implement firewall rules to restrict database access
- Authentication: Use Windows Authentication where possible and implement strong password policies for SQL Server authentication
- Monitoring: Enable SQL Server audit logging and monitor for suspicious database activities
- Backup and Recovery: Maintain current database backups and test recovery procedures regularly
- Patch Management: Establish a regular patching schedule to ensure timely application of security updates
Impact Assessment
Organizations should assess the potential impact of this update on their SQL Server environments:
Performance Considerations
The enhanced security checks implemented in this update may cause minimal performance impact on query execution. Most environments will not notice significant changes, but systems with high query volumes should monitor performance metrics after installation.
Application Compatibility
Applications using standard SQL Server features should continue to function normally after applying this update. However, applications relying on deprecated features or undocumented behaviors may require testing to ensure continued compatibility.
Maintenance Windows
Plan for appropriate maintenance windows as the installation requires a SQL Server service restart. The restart duration depends on database size and recovery model configuration, typically ranging from 2-15 minutes for most environments.
Resolution Methods
Key Fixes & Changes
01
Fixes remote code execution vulnerability in SQL query processor
This update patches a critical buffer overflow vulnerability in the SQL Server query processing engine that could allow authenticated attackers to execute arbitrary code. The fix implements proper bounds checking for query parameters and strengthens memory allocation routines in the database engine core components.
Components updated:
- SQL Server Database Engine (
sqlservr.exe) - Query processor modules
- Memory management subsystem
02
Resolves privilege escalation through stored procedure execution
Addresses a privilege escalation vulnerability where low-privileged database users could gain elevated permissions through specially crafted stored procedure calls. The update enforces stricter permission validation and implements additional security checks for procedure execution context.
Security enhancements:
- Enhanced permission validation for stored procedures
- Improved execution context isolation
- Strengthened role-based access controls
03
Patches information disclosure vulnerability in query optimization
Fixes an information disclosure issue where sensitive data could be exposed through query plan caching mechanisms. The update modifies the query optimizer to prevent unauthorized access to cached execution plans containing sensitive information.
Query optimizer improvements:
- Enhanced plan cache security
- Improved metadata access controls
- Strengthened query result filtering
04
Addresses denial of service vulnerability in connection handling
Resolves a denial of service vulnerability where malformed connection requests could cause SQL Server service interruption. The update implements improved connection validation and resource management to prevent service disruption.
Connection handling improvements:
- Enhanced connection request validation
- Improved resource cleanup mechanisms
- Strengthened error handling routines
Validation
Installation
Installation
KB5090408 is available through multiple distribution channels for SQL Server 2019 environments:
Microsoft Update Catalog
Download the standalone package directly from Microsoft Update Catalog. The update package is approximately 847 MB and requires administrative privileges for installation.
SQL Server Configuration Manager
The update can be applied through SQL Server Configuration Manager on systems with automatic update checking enabled. Ensure the SQL Server service account has sufficient privileges for the installation process.
Windows Server Update Services (WSUS)
Enterprise environments can deploy KB5090408 through WSUS infrastructure. The update is classified as a Critical security update and will be automatically approved based on organizational update policies.
System Center Configuration Manager (SCCM)
Deploy through SCCM software update management for centralized enterprise deployment. Create a deployment package targeting SQL Server 2019 systems in the GDR servicing branch.
Prerequisites
- SQL Server 2019 RTM (Build 15.0.2000.5) or later
- Administrative privileges on the target system
- Minimum 2 GB free disk space for installation files
- SQL Server service must be running during installation
Installation Requirements
- File size: 847 MB
- Restart required: Yes (SQL Server service restart mandatory)
- Installation time: 15-30 minutes depending on system configuration
- Rollback support: Available through SQL Server uninstall procedures
If it still fails
Known Issues
Known Issues
The following issues have been identified after installing KB5090408:
Installation Failures
- Error 0x80070643: Installation may fail if SQL Server service is not running or if insufficient disk space is available. Ensure the SQL Server service is started and at least 2 GB of free space exists on the system drive.
- Error 0x80070005: Access denied errors may occur if the installation account lacks administrative privileges. Run the installer with elevated permissions.
Post-Installation Issues
- Query Performance: Some complex queries may experience slight performance degradation due to enhanced security checks. Monitor query execution times and consider index optimization if needed.
- Connection Timeouts: Increased connection validation may cause timeout issues for applications with very short connection timeout values. Adjust application connection timeout settings if necessary.
Compatibility Concerns
- Third-party Tools: Some database management tools may require updates to work properly with the enhanced security features. Contact tool vendors for compatibility updates.
- Custom Applications: Applications using deprecated SQL Server features may encounter compatibility issues. Review application logs for deprecation warnings.
Workarounds
If critical issues occur after installation, the update can be temporarily rolled back through SQL Server uninstall procedures. However, this will restore the original vulnerabilities and should only be used as a temporary measure while resolving compatibility issues.
Frequently Asked Questions
What does KB5090408 resolve?+
KB5090408 resolves multiple critical security vulnerabilities in SQL Server 2019 GDR, including remote code execution, privilege escalation, information disclosure, and denial of service vulnerabilities that could be exploited by authenticated attackers.
Which systems require KB5090408?+
This update is required for all Microsoft SQL Server 2019 instances running on x64-based Windows systems in the GDR servicing branch, including Express, Developer, Standard, and Enterprise editions with build 15.0.2000.5 or later.
Is KB5090408 a security update?+
Yes, KB5090408 is a critical security update that addresses multiple high-severity vulnerabilities in SQL Server 2019. It is classified as a security-only update in the GDR servicing branch and does not include non-security related changes or new features.
What are the prerequisites for KB5090408?+
Prerequisites include SQL Server 2019 RTM (Build 15.0.2000.5) or later, administrative privileges on the target system, minimum 2 GB free disk space, and the SQL Server service must be running during installation. A service restart is required after installation.
Are there known issues with KB5090408?+
Known issues include potential installation failures with errors 0x80070643 or 0x80070005 due to insufficient disk space or permissions, slight query performance impact due to enhanced security checks, and possible connection timeout issues for applications with very short timeout values.
References (3)
1
KB5090408 : Mise à jour de sécurité pour SQL Server 2019 GDRArticle de support officiel de Microsoft pour la mise à jour de sécurité KB5090408https://support.microsoft.com/en-us/topic/kb5090408-description-of-the-security-update-for-sql-server-2019-gdr-may-12-2026-f8d265b3-38e7-4b11-8870-f903185d88d9
2Mises à jour de maintenance de SQL Server 2019Liste complète des mises à jour et informations de maintenance de SQL Server 2019https://learn.microsoft.com/en-us/sql/database-engine/install-windows/latest-updates-for-microsoft-sql-server
3Meilleures pratiques de sécurité SQL ServerDirectives de sécurité et meilleures pratiques pour les déploiements de SQL Serverhttps://learn.microsoft.com/en-us/sql/relational-databases/security/security-center-for-sql-server-database-engine-and-azure-sql-database
Discussion
Share your thoughts and insights
Sign in to join the discussion
More Articles
Related KB Articles
Security Update
SQL Server
KB5089900 — Security Update for SQL Server 2022 CU24
KB5089900 is a security update released on May 12, 2026, that addresses critical vulnerabilities in Microsoft SQL Server 2022 Cumulative Update 24 for x64-based systems.
May 1312 min
Security Update
SQL Server
KB5089899 — Security Update for SQL Server 2025 CU4
KB5089899 is a security update released on May 12, 2026, that addresses critical vulnerabilities in Microsoft SQL Server 2025 Cumulative Update 4 (CU4) for x64-based systems.
May 1312 min
Security Update
SQL Server 2017
KB5090347 — Security Update for SQL Server 2017 GDR
KB5090347 is a security update for SQL Server 2017 GDR released on May 12, 2026, addressing critical vulnerabilities in the database engine and improving overall security posture.
May 1312 min