What are Extended Security Updates for SQL Server?

Applies to: SQL Server 2008 (10.0.x) SQL Server 2008 R2 (10.50.x) SQL Server 2012 (11.x)

This article provides information for using Azure Arc to receive Extended Security Updates (ESUs) for versions of SQL Server that are out of extended support.

The following table contains a list of the latest ESUs, if any.

Version KB article Date
SQL Server 2012 N/A None available
SQL Server 2008 R2 N/A None available
SQL Server 2008 N/A None available

Warning

Effective July 12, 2022, the SQL Registry portal has been retired. Please use the new Azure portal as described below to connect and/or register your SQL Server instances that qualify for Extended Security Updates (ESUs).

Tip

Customers on SQL Server 2008 and SQL Server 2008 R2 can migrate to Azure services if they wish to continue receiving Extended Security Updates, until July 12, 2023. See the Overview for more information.

For more information about other options, see End of support options.

Overview

Once SQL Server has reached the end of its support lifecycle, you can sign up for an Extended Security Update (ESU) subscription for your servers and remain protected for up to three years, until you're ready to upgrade to a newer version of SQL Server or migrate to Azure SQL.

You can receive Extended Security Updates in several ways:

  • Azure Arc. Purchased for your on-premises or hosted environment. You'll download updates when they're available. There are two ways to use Azure Arc:

    • Connected. Install the Azure Connected Machine agent along with the Azure extension for SQL Server, with direct connectivity to Azure. You'll benefit from the features that Azure Arc-enabled SQL Server provides.

    • Registered. Manually add your instance using a process similar to the deprecated SQL Server registry. The instance will be added in a disconnected state. See below for required prerequisites.

  • Azure services. Free and enabled by default when migrating on-premises servers to one of the following Azure services:

Microsoft recommends applying ESU patches as soon as they're available to keep your SQL Server instance protected. For detailed information about ESUs, see the ESU FAQ page.

Extended support dates

For the versions in the table below, consider using Extended Security Updates described in this article, or other migration options. For more information, see End of support options.

SQL Server version Extended Support end date
SQL Server 2012 July 12, 2022
SQL Server 2008 R2 July 10, 2019
SQL Server 2008 July 10, 2019

What are Extended Security Updates

Extended Security Updates (ESUs) include security updates for customers who have purchased an Extended Support Update subscription, and are available for SQL Server 2012 (11.x).

Tip

Customers on SQL Server 2008 and SQL Server 2008 R2 can migrate to Azure services if they wish to continue receiving Extended Security Updates, until July 12, 2023. See the Overview for more information.

ESUs are made available if needed, once a security vulnerability is discovered and is rated as Critical by the Microsoft Security Response Center (MSRC). Therefore, there's no regular release cadence for SQL Server ESUs.

ESUs don't include:

  • New features
  • Functional improvements
  • Customer-requested fixes

Support

ESUs don't include technical support, but you can use an active support contract such as Software Assurance or Premier/Unified Support to get technical support on workloads covered by ESUs if you choose to stay on-premises. Alternatively, if you're hosting on Azure, you can use an Azure Support plan to get technical support.

Microsoft can't provide technical support for SQL Server instances (both on-premises, and in hosting environments) that aren't covered with an ESU subscription.

ESU availability and deployment

ESUs are available to customers running their workload in Azure, on-premises, or hosted environments.

Azure workloads

If you migrate your workloads to an Azure service (see the Overview for more information), you'll have access to ESUs for SQL Server 2012 (11.x) for up to three years after the End of Support, at no additional charges above the cost of running the Azure service. You don't need Software Assurance to receive ESUs in Azure.

Azure services running SQL Server will receive ESUs automatically through existing SQL Server update channels or Windows Update. You don't need to install the SQL Server IaaS Agent extension to download ESU patches on an Azure SQL Virtual Machine.

On-premises or hosted environments

If you have Software Assurance, you can purchase an Extended Security Update (ESU) subscription for up to three years after the End of Support date, under an Enterprise Agreement (EA), Enterprise Subscription Agreement (EAS), a Server & Cloud Enrollment (SCE), or an Enrollment for Education Solutions (EES). You can purchase ESUs only for the servers you need to cover. ESUs can be purchased directly from Microsoft or a Microsoft licensing partner.

Customers covered by ESU agreements must follow these steps to download and deploy an ESU patch. The process is the same for Azure Stack and Azure Virtual Machines that aren't configured to receive automatic updates:

  • Register eligible instances.
  • Once registered, whenever ESU patches are released, a download link will be available in the Azure portal to download the package.
  • The downloaded package can be deployed to your on-premises or hosted environments manually, or through the update orchestration solution you use in your organization, such as Microsoft Endpoint Configuration Manager.

For more information, see the Extended Security Updates frequently asked questions.

Register disconnected SQL Server instances for ESUs

This example shows you how to manually add your SQL Server instances in a disconnected state to Azure Arc. If you would prefer to add your server as an Azure Arc-enabled server running the Connected Machine agent, see Connect hybrid machines with Azure Arc-enabled servers instead.

Prerequisites

  1. If you don't already have an Azure subscription, you can create an account using one of the following methods:

  2. The user creating disconnected Arc-enabled SQL Server resources must have the following permissions:

    • Microsoft.AzureArcData/sqlServerInstances/read
    • Microsoft.AzureArcData/sqlServerInstances/write

    Users can be assigned to the Azure Connected SQL Server Onboarding role to get those specific permissions, or they can be assigned to built-in roles such as Contributor or Owner that have these permissions. See Assign Azure roles using the Azure portal for more information.

  3. Register the Microsoft.AzureArcData resource provider in your Azure subscription:

    • Sign in to the Azure portal.

    • Navigate to your subscription, and select Resource providers.

    • If the Microsoft.AzureArcData resource provider isn't listed, you can add it to your subscription using the Register option.

  4. If you are using Azure policies that only allow the creation of specific resource types, you will need to allow the Microsoft.AzureArcData/sqlServerInstances resource type. If it isn't allowed, the SQLServerInstances_Update operation will fail with a 'deny' Policy action log entry in the activity log of the subscription.

You can either register a single SQL Server instance, or upload a CSV file to register multiple SQL Server instances in bulk.

Single SQL Server instance

  1. Sign into the Azure portal.

  2. Navigate to Azure Arc and select Infrastructure > SQL Servers.

  3. To register a disconnected machine, select Add from the menu at the top of the screen.

    Screenshot of an empty list of SQL Servers list on the Azure Arc portal.

  4. Select Register Servers to add a disconnected SQL Server instance.

    Screenshot of the two options for adding connected or registered servers.

  5. On the next screen, you can choose to add a single or multiple SQL Server instances. The option for Single SQL Instance is selected by default.

    Screenshot of the Add SQL Registrations options.

  6. Choose the Subscription and Resource group for your registered SQL Server instance.

  7. Provide the required information as is detailed in this table, and then select Next:

    Value Description Additional information
    Instance Name Enter the output of command SELECT @@SERVERNAME, such as MyServer\Instance01. If you have a named instance, you must replace the backslash (\) with a hyphen (-). For example, MyServer\Instance01 will become MyServer-Instance01.
    SQL Server Version Select your version from the drop-down.
    Edition Select the applicable edition from the drop-down: Datacenter, Developer (free to deploy if purchased ESUs), Enterprise, Standard, Web, Workgroup.
    Cores Enter the number of cores for this instance
    Host Type Select the applicable host type from the drop-down: Virtual machine (on-premises), Physical Server (on-premises), Azure Virtual Machine, Amazon EC2, Google Compute Engine, Other.
  8. You must confirm that you have the rights to receive Extended Security Updates, using the checkbox provided.

Now you can continue to the Confirmation section.

Multiple SQL Server instances in bulk

Multiple SQL Server instances can be registered in bulk by uploading a .CSV file. Once your .CSV file has been formatted correctly, you can follow these steps to bulk register your SQL Server instances with Azure Arc:

  1. Sign into the Azure portal.

  2. Navigate to Azure Arc and select Infrastructure > SQL Servers.

  3. To register a disconnected machine, select Add from the menu at the top of the screen.

    Screenshot of an empty list of SQL Servers list on the Azure Arc portal.

  4. Select Register Servers to add a disconnected SQL Server instance.

    Screenshot of the two options for adding connected or registered servers.

  5. On this screen, you can choose to add a single or multiple SQL Server instances. Select the option for Multiple SQL Instances.

    Screenshot of the Multiple SQL Instances option.

  6. Select the Browse icon to upload the CSV file containing multiple disconnected SQL Server instances.

  7. You must confirm that you have the rights to receive Extended Security Updates, using the checkbox provided.

Now you can continue to the Confirmation section.

Confirmation

  1. We recommend using the Year1OrderID tag to link your SQL Server instances to your ESU invoice number for easy reference. The Year1EntitlementConfirmed tag is automatically filled in.

    Note

    If you use Azure services such as Azure Dedicated Host, Azure VMware Solution, Azure Nutanix Solution, and Azure Stack (Hub, Edge, and HCI), you can set the ESU invoice number to InvoiceNotNeeded.

    Screenshot of confirmation tags.

  2. Before you can add your SQL Server instances, you must agree to the terms of use and privacy policy.

    Screenshot of the terms of use.

  3. Once you've added your SQL Server instances, you'll see them in the portal after a few minutes. Because they were added manually, they'll always show in a disconnected state, with the description Registered.

    Screenshot of two registered SQL Server instances on the Azure Arc portal.

Customers can use the Purchase Order Number under Invoice Summary in their Microsoft invoice (as shown in the screenshot below) to link the ESU purchase with the registration of SQL Server instances.

Sample invoice with Purchase Order Number highlighted.

Follow these steps to link an ESU invoice to your Azure Arc SQL Server instances to get access to extended updates. This example includes both Connected and Registered servers.

  1. Sign into the Azure portal.

  2. Navigate to Azure Arc and select Infrastructure > SQL Servers.

  3. Use the checkboxes next to each server to select which machines you would like to link, and then select Link ESU invoice.

    Screenshot of all SQL Server instances on the Azure Arc section.

  4. Fill in the ESU invoice number in the Invoice ID section, and then select Link invoice.

    Screenshot of the invoice ID on the Link ESU invoice page.

  5. The servers you linked to the ESU invoice now show a valid ESU expiration date.

    Screenshot of SQL Server instances with a valid ESU expiration value.

Formatting requirements for CSV file

  • Values are comma-separated

  • Values aren't single or double-quoted

  • Values can include letters, numbers, hyphens (-), and underscores (_). No other special characters can be used. If you have a named instance, you must replace the backslash (\) with a hyphen (-). For example, MyServer\Instance01 will become MyServer-Instance01.

  • Column names are case-sensitive and must be named as follows:

    • name
    • version
    • edition
    • cores
    • hostType

Example CSV file

The CSV file should look like this:

name,version,edition,cores,hostType
Server1-SQL2012,SQL Server 2012,Enterprise,12,Other Physical Server
Server2-SQL2012,SQL Server 2012,Enterprise,24,Other Physical Server
Server3-SQL2012,SQL Server 2012,Enterprise,12,Azure Virtual Machine
Server4-SQL2012,SQL Server 2012,Standard,8,Azure VMWare Solutions

Download ESUs

Once your SQL Server instances have been registered with Azure Arc, you can download the Extended Security Update packages using the link found in the Azure portal, if and when they're made available.

To download ESUs, follow these steps:

  1. Sign into the Azure portal.

  2. Navigate to Azure Arc and select Infrastructure > SQL Servers.

  3. Select a server from the list.

    Screenshot of a list of servers, with one server highlighted.

  4. Download security updates from here, if and when they're made available.

    Screenshot of available security updates.

Supported regions

The following list shows the supported regions for this service:

  • Australia East
  • Canada Central
  • Central US
  • East Asia
  • East US
  • East US 2
  • France Central
  • Japan East
  • Korea Central
  • North Central US
  • North Europe
  • South Central US
  • Southeast Asia
  • UK South
  • West Europe
  • West US
  • West US 2
  • West US 3

Government regions are not supported. For more information, see Can customers get free Extended Security Updates on Azure Government regions?

Frequently asked questions

General frequently asked questions about Extended Security updates can be found at the Extended security updates FAQ. SQL Server-specific frequently asked questions are listed below.

When is the End of Support for SQL Server 2012?

The End of Support date for SQL Server 2012 (11.x) was July 12, 2022.

What does End of Support mean?

Microsoft Lifecycle Policy offers 10 years of support (five years for Mainstream Support and five years for Extended Support) for Business and Developer products (such as SQL Server and Windows Server). After the end of the Extended Support period, there will be no patches or security updates, which may cause security and compliance issues, and expose your applications and business to serious security risks.

What editions of SQL Server are eligible for Extended Security Updates?

Enterprise, Datacenter, Standard, Web, and Workgroup editions of SQL Server 2012 (11.x) are eligible for ESUs for both x86 and x64 versions.

Tip

Customers on SQL Server 2008 and SQL Server 2008 R2 can migrate to Azure services if they wish to continue receiving Extended Security Updates, until July 12, 2023. See the Overview for more information.

When will the Extended Security Updates offer be available?

ESUs are now available for purchase and can be ordered from Microsoft or a Microsoft licensing partner. The delivery of ESUs will begin after the End of Support dates, if and when available. Customers interested in migrating to Azure can do so immediately.

What do Extended Security Updates include?

ESUs include provision of Security Updates and Bulletins rated critical by the Microsoft Security Response Center (MSRC), for a maximum of three years after the end of extended support:

  • For SQL Server 2012 (11.x), ESUs will be available until July 8, 2025.

  • For SQL Server 2008 and SQL Server 2008 R2, ESUs will be available until July 12, 2023 for customers who have migrated their workloads to Azure services. See the Overview for more information.

ESU will be distributed if and when available. ESUs don't include technical support, but you may use other Microsoft support plans to get assistance on your SQL Server 2012 (11.x) questions on workloads covered by ESUs. ESUs don't include new features, functional improvements, nor customer-requested fixes. However, Microsoft may include non-security fixes as deemed necessary.

Why do Extended Security Updates only offer "critical" updates?

For End of Support events in the past, SQL Server provided only Critical Security Updates, which meets the compliance criteria of our enterprise customers. SQL Server doesn't ship a general monthly security update. Microsoft only provides on-demand SQL Server security updates (GDRs) for MSRC bulletins where SQL Server is identified as an affected product. If there are situations where new SQL Server important updates won't be provided and it's deemed critical by the customer but not by MSRC, we'll work with the customer on a case-by-case basis to suggest appropriate mitigation.

What Licensing programs are eligible for Extended Security Updates?

Software Assurance customers can purchase ESUs on-premises under an Enterprise Agreement (EA), Enterprise Subscription Agreement (EAS), a Server & Cloud Enrollment (SCE), or an Enrollment for Education Solutions (EES). Software Assurance doesn't need to be on the same enrollment.

Do SQL Server customers need to be running the most current Service Pack to benefit from Extended Security Updates?

Yes, customers need to run SQL Server with the latest Service Pack to apply ESUs. Microsoft will only produce updates that can be applied on the latest Service Pack.

What are the options for SQL Server customers without Software Assurance?

For customers who don't have Software Assurance, the alternative option to get access to ESUs is to migrate to Azure. For variable workloads, we recommend that customers migrate on Azure via Pay-As-You-Go, which allows for scaling up or down at any time. For predictable workloads, customers should migrate to Azure via Server Subscription and Reserved Instances.

Does this offer apply to older versions of SQL Server?

No. For versions before SQL Server 2012 (11.x) we recommend upgrading to the latest supported versions, but customers can upgrade to SQL Server 2012 (11.x) to take advantage of this offer.

Tip

Customers on SQL Server 2008 and SQL Server 2008 R2 can migrate to Azure services if they wish to continue receiving Extended Security Updates, until July 12, 2023. See the Overview for more information.

Can I deploy a brand new SQL Server 2012 instance on Azure and still get Extended Security Updates?

Yes, customers can start a new SQL Server 2012 (11.x) instance on an Azure SQL Server Virtual Machine and have access to ESUs.

Can I get technical support on-premises for SQL Server after the End of Support date, without purchasing Extended Security Updates?

No. If a customer has SQL Server 2012 (11.x) and chooses to remain on-premises during a migration without ESUs, they can't log a support ticket even if they have a support plan. If they migrate to Azure, however, they can get support using their Azure Support Plan.

If a customer wants to bring their own SQL Server license (BYOL), are they required to have Software Assurance coverage?

Yes, customers need to have Software Assurance to take advantage of the BYOL program for SQL Server on Azure Virtual Machines as part of the License Mobility program. For customers without Software Assurance, we recommend customers move to Azure SQL Managed Instance for their SQL Server environments.

Customers can also migrate to pay-as-you-go Azure Virtual Machines. Software Assurance customers who license SQL by core also have the option of migrating to Azure using the Azure Hybrid Benefit (AHB).

Azure SQL Managed Instance is a service in Azure providing nearly 100% compatibility with SQL Server on-premises. SQL Managed Instance provides built-in high availability and disaster recovery capabilities plus intelligent performance features and the ability to scale on the fly. SQL Managed Instance also provides a version-less experience that takes away the need for manual security patching and upgrades. For more information on the BYOL program, see Azure SQL Managed Instance pricing.

What options do customers have to run SQL Server in Azure?

Customers can move legacy SQL Server environments to Azure SQL Managed Instance, a fully managed data platform service (PaaS) that offers a "version-free" option to eliminate concerns with End of Support dates, or to Azure Virtual Machines to have access to Security Updates. The migrated databases will retain their compatibility with the legacy system. For more information, see Compatibility Certification.

ESUs are available for SQL Server 2012 (11.x) in Azure Virtual Machines after the End of Support date of July 12, 2022, for the next three years.

Tip

Customers on SQL Server 2008 and SQL Server 2008 R2 can migrate to Azure services if they wish to continue receiving Extended Security Updates, until July 12, 2023. See the Overview for more information.

For customers looking to upgrade from SQL Server 2012 (11.x), all subsequent versions of SQL Server will be supported. For SQL Server 2014 (12.x) and SQL Server 2016 (13.x), customers are required to be on the latest supported Service Pack. Starting with SQL Server 2017 (14.x), customers are advised to be on the latest Cumulative Update. Service Packs won't be available starting with SQL Server 2017 (14.x), only Cumulative Updates and General Distribution Releases (GDRs).

Azure SQL Managed Instance is an instance-scoped deployment option in Azure SQL that provides the broadest SQL Server engine compatibility and native virtual network (VNET) support, so you can migrate SQL Server databases to SQL Managed Instance without changing apps. It combines the rich SQL Server surface area with the operational and financial benefits of an intelligent, fully managed service. You can use the new Azure Database Migration Service to move SQL Server 2012 (11.x) to Azure SQL Managed Instance with few or no application code changes.

Can customers use the Azure Hybrid Benefit for SQL Server 2012?

Yes, customers with active Software Assurance or equivalent Server Subscriptions can use the Azure Hybrid Benefit using existing on-premises license investments for discounted pricing on SQL Server running on Azure SQL and Azure VMs.

Can customers get free Extended Security Updates on Azure Government regions?

Not at this stage. Refer to the Supported regions for more information.

Government customers that are unable to connect or register their SQL Server instances in one of the supported Azure regions, can open a ticket with Microsoft Support for further instructions. Review the support options for businesses for more information.

Can customers get free Extended Security Updates on Azure Stack?

Yes, customers can migrate SQL Server to Azure Stack and receive ESUs for no extra cost after the End of Support dates.

For customers with a SQL Server cluster using shared storage, what is the guidance to migrating to Azure?

Azure doesn't currently support shared storage clustering. For advice on how to configure a highly available SQL Server instance on Azure, refer to the SQL Server High Availability guide.

Can customers use Extended Security Updates for SQL Server with a third-party hosting provider?

Customers can't use ESUs if they move their SQL Server 2012 (11.x) environment to a PaaS implementation on other cloud providers. If you want to move to virtual machines (IaaS), you can use License Mobility for SQL Server via Software Assurance to make the move, and purchase ESUs from Microsoft to manually apply patches to the SQL Server 2012 (11.x) instances running in a VM (IaaS) on an authorized SPLA hosting provider's server. However, free updates in Azure are the more attractive offer.

What are the best practices for enhancing performance of SQL Server in Azure virtual machines?

For advice on how to optimize performance for SQL Server on Azure virtual machines, see the SQL Server optimization guide.

How do US Federal Government customers register and obtain SQL Server 2012 ESUs if they are running in Azure Government/O365 GCCH/O365 DOD?

Azure Government regions aren't currently supported in the Azure portal. Until then, SQL Server 2012 (11.x) customers in Government regions interested in Extended Security Updates (ESU) will have to create an Azure subscription in one of the supported regions and register their SQL Server instances there.

Registering provides access to offers via the Azure portal, including ESUs, for SQL Server instances that can't be directly connected to Azure. You can register your instance in a disconnected state using the following metadata for each instance: name,version,edition,cores,hostType. See the formatting requirements for more information.

If there is a critical security patch for SQL Server 2012 (11.x), customers will need to download the patch from the Azure portal following these step-by-step instructions, and then apply the patch to their SQL Server instances.

Government customers that are unable to connect or register their SQL Server instances in one of the supported Azure regions, can open a ticket with Microsoft Support for further instructions. Review the support options for businesses for more information.

See also