What are Extended Security Updates for SQL Server?

The following table contains a list of the latest ESUs, if any.

Version	KB article	Date
SQL Server 2012	KB 5021123	14 February 2023

Extended Security Updates (ESUs) are available for SQL Server 2012 (11.x).

This article provides information how to receive Extended Security Updates (ESUs) for versions of SQL Server that are out of extended support.

ESUs are made available if needed, once a security vulnerability is discovered and is rated as Critical by the Microsoft Security Response Center (MSRC). Therefore, there's no regular release cadence for SQL Server ESUs.

ESUs don't include:

• New features
• Functional improvements
• Customer-requested fixes

Applies to: SQL Server 2012 (11.x)

For information about ESU pricing, see Plan your Windows Server 2012/2012 R2 and SQL Server 2012 end-of-support.

For more information about other options, see End of support options.

You can also review the Frequently asked questions.

Overview

Once SQL Server has reached the end of its support lifecycle, you can sign up for an Extended Security Update (ESU) subscription for your servers and remain protected for up to three years, until you're ready to upgrade to a newer version of SQL Server or migrate to Azure SQL.

The method of receiving Extended Security Updates depends on where your SQL Server is running.

• SQL Server on Azure Virtual Machines. ESUs are free and enabled by default.

• SQL Server on-premises or a hosted environment. ESUs are free and enabled by default on the following Azure services:

  • Azure Stack HCI

  • Azure Stack Hub

• SQL Server on-premises or a hosted environment, and connected to Azure Arc. You can use Extended Security Updates enabled by Azure Arc to enable ESU as a monthly subscription. The updates are automatically installed when they're available. You also benefit from the features that Azure Arc-enabled SQL Server provides. If you migrate your SQL Server to Azure or upgrade the subscription, charges then automatically stop. You can cancel the ESU subscription manually at any time.

• SQL Server on-premises or in a hosted environment, and not connected to Azure Arc. You can purchase the ESU SKU through the Volume Licensing Service Center (VLSC), and manually register your SQL Server instances on the Azure portal to receive the patches. For more information, see Register disconnected SQL Server instances for ESUs later in this article.

  Note

  Connecting or registering instances is free of charge. Both connected and registered instances do not incur additional charges when downloading ESUs, which are delivered through the Azure portal.

Microsoft recommends applying ESU patches as soon as they're available to keep your SQL Server instance protected. For detailed information about ESUs, see the ESU FAQ page.

Support

ESUs don't include technical support, but you can use an active support contract, such as Software Assurance, or Premier/Unified Support, to get technical support on workloads covered by ESUs if you choose to stay on-premises. Alternatively, if you're hosting on Azure, you can use an Azure Support plan to get technical support.

Microsoft can't provide technical support for SQL Server instances (both on-premises, and in hosting environments) that aren't covered with an ESU subscription.

ESU availability and deployment

ESUs are available to customers running their workload in Azure, on-premises, or hosted environments.

Azure workloads

If you migrate your workloads to an Azure service (for more information, see the Overview section), you'll have access to ESUs for SQL Server 2012 (11.x) for up to three years after the End of Support, at no additional charge above the cost of running the Azure service. You don't need Software Assurance to receive ESUs in Azure.

Azure services running SQL Server receive ESUs automatically through existing SQL Server update channels or Windows Update. You don't need to install the SQL Server IaaS Agent extension to download ESU patches on an Azure SQL Virtual Machine.

Note

For SQL Server workloads deployed to Nutanix Cloud Clusters, which operate on Azure bare-metal infrastructure, or for Azure Stack, you must follow the same process as on-premises or hosted environments not connected to Azure Arc.

On-premises or hosted environments connected to Azure Arc

If you have Software Assurance, you can use Extended Security Updates enabled by Azure Arc, to subscribe to ESUs for up to three years after the End of Support date, under one of the following agreements:

• Enterprise Agreement (EA)
• Enterprise Agreement Subscription (EAS)
• Server and Cloud Enrollment (SCE)
• Enrollment for Education Solutions (EES)

You are billed through your Azure subscription only for the servers that you enabled for ESUs, and only if they run an eligible version of SQL Server. See instructions on how to subscribe to Extended Security Updates enabled by Azure Arc later in this article.

On-premises or hosted environments not connected to Azure Arc

If you have Software Assurance, you can purchase an Extended Security Update (ESU) plan for up to three years after the End of Support date, under one of the following agreements:

• Enterprise Agreement (EA)
• Enterprise Agreement Subscription (EAS)
• Server and Cloud Enrollment (SCE)
• Enrollment for Education Solutions (EES)

You can purchase ESUs only for the servers you need to cover. ESUs can be purchased directly from Microsoft or a Microsoft licensing partner.

Customers covered by ESU agreements must follow these steps to download and deploy an ESU patch:

• Register disconnected SQL Server instances for ESUs.
• Once registered, whenever ESU patches are released, a download link is provided in the Azure portal to download the package.
• The downloaded package can be deployed to your on-premises or hosted environments manually, or through the update orchestration solution you use in your organization, such as Microsoft Endpoint Configuration Manager.

For more information, see the Extended Security Updates frequently asked questions.

Subscribe to Extended Security Updates enabled by Azure Arc

If your on-premises or hosted environment SQL Server instances are connected to Azure Arc, you can enable ESUs as a subscription, which provides you with the flexibility to cancel at any time without having to separately purchase an ESU SKU. The ESU subscription enables automated deployment of the patches as they are released.

You can subscribe to Extended Security Updates by modifying SQL Server configuration. See Manage SQL Server Configuration[Manage SQL Server Configuration].

Azure portal

The following steps subscribe to ESUs using the Azure portal:

1. When you connect your SQL Server instance to Azure Arc, you can see the ESU status option in the Overview pane. The default for all new instances is N/A.

   

2. Select N/A, and navigate to the SQL Server Configuration pane. In the License Type section, select License with Software Assurance.

   

3. Select Subscribe to Extended Security Updates, and select Save.

   

Note

To subscribe to Extended Security Updates, you must have License type set to Pay-as-you-go or License with Software assurance. Otherwise, the Extended Security Updates option will be disabled.

Azure PowerShell

The following command enables the ESU subscription using Azure PowerShell. Replace the following values for your own environment:

• <resource_group>
• <machine_name>
• <azure_region>

# Updated settings object
$Settings = @{ SqlManagement = @{ IsEnabled = $true }; enableSecurityUpdates = $true }
New-AzConnectedMachineExtension -Name "WindowsAgent.SqlServer" -ResourceGroupName { <resource_group> } -MachineName { <machine_name> } -Location { <azure_region> } -Publisher "Microsoft.AzureData" -Settings $Settings -ExtensionType "WindowsAgent.SqlServer"

Warning

The update command overwrites all settings. If your extension settings have a list of excluded SQL Server instances, you must specify the full exclusion list with the update command.

If you have multiple SQL Server instances eligible for ESUs, you can subscribe in bulk using the Modify License Type PowerShell script, which allows you to configure the ESU setting for one of:

• all Azure Arc-enabled machines a specific resource group,
• an Azure subscription, or
• all Azure subscriptions your Azure account has access to.

The script preserves all the existing settings. It is published as an open source SQL Server sample and includes step-by-step instructions.

Azure CLI

The following command enables the ESU subscription using Azure CLI. Replace the following values for your own environment:

• <machine_name>
• <resource_group>

az connectedmachine extension update --machine-name "<machine_name>" -g "<resource_group>" --name "WindowsAgent.SqlServer" --type "WindowsAgent.SqlServer" --publisher "Microsoft.AzureData" --settings '{ enableSecurityUpdates=$true, "SqlManagement": {"IsEnabled":true} }'

Warning

The update command overwrites all settings. If your extension settings have a list of excluded SQL Server instances, you must specify the full exclusion list with the update command.

Important

If you disconnect your SQL Server instance from Azure Arc, the ESU charges stop, and you won't have access to the new ESUs. If you haven't manually canceled your ESU subscription using Azure portal or API, the access to ESUs are immediately restored once you reconnect your SQL Server instance to Azure Arc, and the ESU charges resume. These charges include the time of disconnection. For more information about what happens when you disconnect your SQL Server instances, see Frequently asked questions.

Cancel Extended Security Updates enabled by Azure Arc

You can cancel Extended Security Updates enabled by Azure Arc at any time using the Azure portal, Azure PowerShell, or Azure CLI. The cancellation immediately stops the ESU charges.

Azure portal

The following steps cancel the ESU subscription using the Azure portal:

1. Navigate to your connected SQL Server instance. The ESU status option in the Overview pane shows the value Enabled.

2. Select Enabled, and navigate to the SQL Server Configuration pane.

3. In the Extended Security Updates section, select Unsubscribe from to Extended Security Updates, then select Save.

Azure PowerShell

The following command cancels the ESU subscription using Azure PowerShell. Replace the following values for your own environment:

• <resource_group>
• <machine_name>
• <azure_region>

# Updated settings object
$Settings = @{ SqlManagement = @{ IsEnabled = $true }; enableSecurityUpdates = $false }
New-AzConnectedMachineExtension -Name "WindowsAgent.SqlServer" -ResourceGroupName { <resource_group> } -MachineName { <machine_name> } -Location { <azure_region> } -Publisher "Microsoft.AzureData" -Settings $Settings -ExtensionType "WindowsAgent.SqlServer"

Warning

The update command overwrites all settings. If your extension settings have a list of excluded SQL Server instances, you must specify the full exclusion list with the update command.

If you have multiple SQL Server instances eligible for ESUs, you can cancel in bulk using the Modify License Type PowerShell script, which allows you to configure the ESU setting for one of:

• all Azure Arc-enabled machines a specific resource group,
• an Azure subscription, or
• all Azure subscriptions your Azure account has access to.

The script preserves all the existing settings. It is published as an open source SQL Server sample and includes step-by-step instructions.

Azure CLI

The following command cancels the ESU subscription using Azure CLI. Replace the following values for your own environment:

• <machine_name>
• <resource_group>

az connectedmachine extension update --machine-name "<machine_name>" -g "<resource_group>" --name "WindowsAgent.SqlServer" --type "WindowsAgent.SqlServer" --publisher "Microsoft.AzureData" --settings '{ enableSecurityUpdates=$false, "SqlManagement": {"IsEnabled":true} }'

Warning

The update command overwrites all settings. If your extension settings have a list of excluded SQL Server instances, you must specify the full exclusion list with the update command.

Important

Don't cancel Extended Security Updates enabled by Azure Arc before or after migrating to Azure. When you migrate your on-premises SQL Server instances to SQL Server on Azure Virtual Machines or Azure VMware Solutions, the ESU charges will stop automatically, but you will continue to have full access to the Extended Security Updates. For more information, see Extended Security Updates: frequently asked questions.

Register Extended Security Updates purchased through volume licensing

If you purchased an ESU product through volume licensing (VL), you must register it to enable access to previous or future Extended Security Updates. If you purchased the ESU product for the SQL Server instances that are not connected to Azure Arc, you must first register these servers on the Azure portal. If you purchased the ESU product for the Arc-enabled SQL Server instances, you don't need to register these servers as they are already connected to Azure Arc. To finalize the registration of the ESU VL product, you must link the ESU invoice.

Register disconnected SQL Server instances on Azure portal

If your on-premises or hosted environment SQL Server instances can't be connected to Azure Arc, you can manually register your SQL Server instances in the Azure portal to enable access to the ESUs. If you prefer to take advantage of the flexibility of Extended Security Updates enabled by Azure Arc, connect your server to Azure Arc. To connect, follow the steps in Automatically connect your SQL Server to Azure Arc.

The following example shows how to manually register your SQL Server instances in a disconnected state, in the Azure portal.

Prerequisites

1. If you don't already have an Azure subscription, you can create an account using one of the following methods:

   • Create a Microsoft Customer Agreement subscription
   • Create an Enterprise Agreement subscription
   • Create an Azure account with pay-as-you-go pricing
   • Create a free Azure account

2. The user creating disconnected Arc-enabled SQL Server resources must have the following permissions:

   • Microsoft.AzureArcData/sqlServerInstances/read
   • Microsoft.AzureArcData/sqlServerInstances/write

   Users can be assigned to the Azure Connected SQL Server Onboarding role to get those specific permissions, or they can be assigned to built-in roles such as Contributor or Owner that have these permissions. For more information, see Assign Azure roles using the Azure portal.

3. Register the Microsoft.AzureArcData resource provider in your Azure subscription:

   • Sign in to the Azure portal.

   • Navigate to your subscription, and select Resource providers.

   • If the Microsoft.AzureArcData resource provider isn't listed, you can add it to your subscription using the Register option.

4. If you use Azure policies that only allow the creation of specific resource types, you need to allow the Microsoft.AzureArcData/sqlServerInstances resource type. If it isn't allowed, the SQLServerInstances_Update operation fails with a 'deny' Policy action log entry in the activity log of the subscription.

You can either register a single SQL Server instance, or upload a CSV file to register multiple SQL Server instances in bulk.

Single SQL Server instance

1. Sign into the Azure portal.

2. Navigate to Azure Arc and select Infrastructure > SQL Servers.

3. To register a disconnected machine, select Add from the menu at the top of the screen.

   

4. Select Register Servers to add a disconnected SQL Server instance.

   

5. On the next screen, you can choose to add a single or multiple SQL Server instances. The option for Single SQL Instance is selected by default.

   

6. Choose the Subscription and Resource group for your registered SQL Server instance.

7. Provide the required information as is detailed in this table, and then select Next:

   Value	Description	Additional information
   Instance Name	Enter the output of command SELECT @@SERVERNAME, such as MyServer\Instance01.	If you have a named instance, you must replace the backslash (\) with a hyphen (-). For example, MyServer\Instance01 becomes MyServer-Instance01.
   SQL Server Version	Select your version from the dropdown list.
   Edition	Select the applicable edition from the dropdown list: Datacenter, Developer (free to deploy if purchased ESUs), Enterprise, Standard, Web, Workgroup.
   Cores	Enter the number of cores for this instance
   Host Type	Select the applicable host type from the dropdown list: Virtual machine (on-premises), Physical Server (on-premises), Azure Virtual Machine, Amazon EC2, Google Compute Engine, Other.

8. You must confirm that you have the rights to receive Extended Security Updates, using the checkbox provided. The ESU checkbox is only visible when you select SQL Server 2012 (11.x).

Now you can continue to the Confirmation section.

Multiple SQL Server instances in bulk

Multiple SQL Server instances can be registered in bulk by uploading a .CSV file. Once your .CSV file has been formatted correctly, you can follow these steps to bulk register your SQL Server instances with Azure Arc:

1. Sign into the Azure portal.

2. Navigate to Azure Arc and select Infrastructure > SQL Servers.

3. To register a disconnected machine, select Add from the menu at the top of the screen.

   

4. Select Register Servers to add a disconnected SQL Server instance.

   

5. On this screen, you can choose to add a single or multiple SQL Server instances. Select the option for Multiple SQL Instances.

   

6. Select the Browse icon to upload the CSV file containing multiple disconnected SQL Server instances.

7. You must confirm that you have the rights to receive Extended Security Updates, using the checkbox provided.

Now you can continue to the Confirmation section.

Confirmation

1. We recommend you use a year-specific tag to link your SQL Server instances to your ESU invoice number for easy reference. For example:

   • First year: Year1OrderID
   • Second year: Year2OrderID
   • Third year: Year3OrderID

   Note

   If you use Azure services such as Azure Dedicated Host, Azure VMware Solution, Azure Nutanix Solution, and Azure Stack (Hub, Edge, and HCI), you can set the ESU invoice number to InvoiceNotNeeded.

   The Year2EntitlementConfirmed tag is automatically filled in.

   

2. Before you can add your SQL Server instances, you must agree to the terms of use and privacy policy.

   

3. Once you've added your SQL Server instances, you'll see them in the portal after a few minutes. Because they were added manually, they always show in a disconnected state, with the description Registered.

   

Formatting requirements for CSV file

• Values are comma-separated

• Values aren't single or double-quoted

• Values can include letters, numbers, hyphens (-), and underscores (_). No other special characters can be used. If you have a named instance, you must replace the backslash (\) with a hyphen (-). For example, MyServer\Instance01 becomes MyServer-Instance01.

• Column names are case-sensitive and must be named as follows:

  • name
  • version
  • edition
  • cores
  • hostType

Example CSV file

The CSV file should look like this:

name,version,edition,cores,hostType
Server1-SQL2012,SQL Server 2012,Enterprise,12,Other Physical Server
Server2-SQL2012,SQL Server 2012,Enterprise,24,Other Physical Server
Server3-SQL2012,SQL Server 2012,Enterprise,12,Azure Virtual Machine
Server4-SQL2012,SQL Server 2012,Standard,8,Azure VMware Solution

Link ESU invoice

You can use the Purchase Order Number under Invoice Summary in their Microsoft invoice (as shown in the following screenshot) to link the ESU purchase with the registration of SQL Server instances.

Follow these steps to link an ESU invoice to your Azure Arc SQL Server instances to get access to extended updates. This example includes both Connected and Registered servers.

1. Sign into the Azure portal.

2. Navigate to Azure Arc and select SQL Server instances.

3. Use the checkboxes next to each SQL Server instance you would like to link, and then select Link ESU invoice.

   

4. Fill in the ESU invoice number in the Invoice ID section, and then select Link invoice.

   

5. The servers you linked to the ESU invoice now show a valid ESU expiration date.

   

Important

If you purchased an ESU VL product for disconnected SQL Servers, you should only select the instances with the Status = Registered. If you purchased an ESU VL product for Arc-enabled SQL Servers, you should only select the instances with the Status = Connected.

Download ESUs

Once your SQL Server instances have been registered with Azure Arc, you can download the Extended Security Update packages using the link found in the Azure portal, if and when they're made available.

To download ESUs, follow these steps:

1. Sign into the Azure portal.

2. Navigate to Azure Arc and select SQL Server instances.

3. Select a server from the list.

   

4. Download security updates from here, if and when they're made available.

   

Supported regions

Arc-enabled SQL Server is available in the following regions:

• East US
• East US 2
• West US
• West US 2
• West US 3
• Central US
• North Central US
• South Central US
• West Central US
• Canada Central
• Canada East
• UK South
• France Central
• West Europe
• North Europe
• Switzerland North
• Central India
• Brazil South
• South Africa North
• UAE North
• Japan East
• Korea Central
• Southeast Asia
• Australia East

Important

For successful onboarding and functioning, assign the same region to both Arc-enabled Server and Arc-enabled SQL Server.

Government regions aren't supported. For more information, see Can customers get free Extended Security Updates on Azure Government regions?

Frequently asked questions

For the full list of frequently asked questions, review the ESU frequently asked questions.

See also

• SQL Server 2012 lifecycle page
• SQL Server end of support page
• Extended Security Updates frequently asked questions (FAQ)
• Microsoft Security Response Center (MSRC)
• Manage Windows updates by using Azure Automation
• SQL Server VM automated patching
• Microsoft Data Migration Guide
• Azure migrate: lift-and-shift options to move your current SQL Server into an Azure VM
• Cloud adoption framework for SQL migration
• ESU-related scripts on GitHub