KB5068407

KB5068407 - Description of the security update for SQL Server 2022 GDR: November 11, 2025

Applies To

SQL Server 2022 on Windows (all editions)SQL Server 2022 on Linux (all editions)

Release Date:

11/11/2025

Version:

16.0.1160.1

• Summary

• Improvements and fixes included in this update

• How to obtain and install the update

• More information

• File information

• Information about protection and security

Summary

This security update contains fixes and resolves vulnerabilities. To learn more about the vulnerabilities, see the following security advisories:

• CVE-2025-59499 - Microsoft SQL Server Elevation of Privilege Vulnerability

The Microsoft SQL Server components are updated to the following builds in this security update:

• SQL Server - product version: 16.0.1160.1, file version: 2022.160.1160.1

Improvements and fixes included in this update

A downloadable Microsoft Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists. Download this Excel file now.

Note: Individual entries in the following table can be referenced directly through a bookmark. If you select any bug reference ID in the table, a bookmark tag is added to the URL by using the "#bkmk_NNNNNNN" format. You can then share this URL with others so that they can jump directly to the desired fix in the table.

| Bug reference | Description | Fix area | Component | Platform | | --- | --- | --- | --- | --- | | 4653674 | This update resolves an issue in SQL Server Analysis Services in which Row-Level Security (RLS) filters could be skipped when combined with Object-Level Security (OLS) and Column-Level Security (CLS) in certain multi-role configurations. This issue occurs only under rare and contradictory setups (for example, a role that grants table-level read permission while it restricts all columns, combined with other similar restrictive roles). The fix ensures that RLS is consistently applied in all scenarios. | Analysis Services | Analysis Services | Windows | | 4711177 | This hotfix addresses a SQL injection vulnerability in an internal backup stored procedure that was inadvertently exposed to all users. The hotfix restricts unauthorized access and mitigates the risk by correctly sanitizing input parameters. | SQL Server Engine | Management Services | Linux, Windows |

How to obtain and install the update

Method 1: Windows Update

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Windows Update: FAQ.

Method 2: Microsoft Update Catalog

To get the standalone package for this update, go to the Microsoft Update Catalog website.

Note: The detection logic has been updated for this and future security releases that are posted to the Microsoft Update Catalog website. For more information, see Updates to the Microsoft Update detection logic for SQL Server servicing.

Method 3: Microsoft Download Center

The following file is available for download from the Microsoft Download Center:

Download icon

For more information about how to download Microsoft support files, see the following Knowledge Base article:

How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses by using the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to it.

Important: If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Note: This update is made available through the Microsoft Update Catalog for all servers that are running SQL Server, even if Reporting Services is not installed. Installing this security update is optional for computers that do not host Microsoft SQL Server Reporting Services.