COMMAND

    MS SQL

SYSTEMS AFFECTED

    SQL Server 7.0 Service Packs 1 or 2

PROBLEM

    The following is based on a Security Bulletin from Microsoft.
    When SQL Server 7.0 Service Packs 1 or 2 are installed on a
    machine that is configured to perform authentication using Mixed
    Mode, the password for the SQL Server standard security System
    Administrator (sa) account is recorded in plaintext in the file
    \%TEMP%\sqlsp.log. The default permissions on the file would
    allow any user who could log onto the server interactively to
    read it.

    The password is only recorded if Mixed Mode is used, and even
    then, only if the administrator chose to use SQL Server
    Authentication when installing the service pack. Microsoft has
    long recommended that SQL servers be configured to use the more
    secure Windows NT Authentication Mode, and customers who have
    followed this recommendation would not be affected. Even on
    affected machines, the password could not be compromised if, per
    normal security recommendations, normal users are prevented from
    logging onto the machine interactively.
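
    An added audit example (not part of the original bulletin) that
    reports whether broad groups can read sqlsp.log, without opening
    the file. The function name and the default path (the current
    account's TEMP directory) are assumptions; run it as the account
    that installed the service pack or pass paths with -Path.

```powershell
# Added example: audits who can read sqlsp.log. It never opens the file itself.
# Assumption: the log sits in the TEMP directory of the account that ran the
# service pack setup; pass other candidate paths with -Path.
function Get-SqlspLogExposure {
    [CmdletBinding()]
    param(
        [string[]]$Path = @(Join-Path $env:TEMP 'sqlsp.log')
    )

    # Well-known SIDs for broad groups (locale-independent, unlike names).
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-4'      = 'INTERACTIVE'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    $read = [System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            Write-Verbose "Not present: $p"
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # ACEs expressed only as generic rights are not matched here.
            if (($rule.FileSystemRights -band $read) -eq 0) { continue }
            try {
                $sid = $rule.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                continue   # unresolvable account; review by hand
            }
            if ($broadSids.ContainsKey($sid)) {
                [pscustomobject]@{
                    File      = $p
                    Owner     = $acl.Owner
                    Group     = $broadSids[$sid]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

Get-SqlspLogExposure -Verbose | Format-Table -AutoSize
```

    Each row returned is an Allow entry that gives a broad group read
    access to the file; Deny entries are not evaluated, so treat the
    output as candidates to review.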

    Microsoft thanks Gordon Newman of PeopleSoft for reporting this
    issue to them.

SOLUTION

    Patch availability:

        - Microsoft SQL Server 7.0 Service Pack 2: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21546

    Note that the patch was reissued on 15th June due to a bug.