Welcome to SqlServerFaq.net

While installing security patch KB 948109 on the sql server 2005, the installation of the patch may fail. In order to find the cause of the failure we need to look into the setup bootstrap logs which are located in the following location

C:\Progarm Files\Microsoft Sql Server\90\Setup Bootstrap\LOG\Hotfix\Summary.txt

One of the cause of the failure can be Error 29527 which is reported in the summary.txt as shown

Following error reported in the sumary.txt

 

·               **********************************************************************************

·               Product Installation Status

·               Product                   : SQL Server Database Services 2005 (ACT7)

·               Product Version (Previous): 3042

·               Product Version (Final)   :

·               Status                    : In Progress

·               Log File                  : C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\LOG\Hotfix\SQL9_Hotfix_KB948109_sqlrun_sql.msp.log

·               SQL Express Features      :

·               Error Number              : 29527

 

CAUSE:

====================

 

The issue is caused due to improper installation of support files as there may be missing files and dll’s in the 90 folder located in

 

c:\program files\Microsoft sql server\90

 

 

RESOLUTION/WORKAROUND:

====================

 

We need to install a new instance of the sql server of the same edition and same built on the same system on which the original instance which need to be patched lies (i.e with required Service pack ) side by side which populates the 90 folder with correct files and dll’s.

 

Alternatively, we can also reinstall the support files  by running the SqlSupport.msi file located in the media for sql server 2005 setup.

 

The SqlSupport.msi is generally located in <cd-drive>:\servers\Setup\SqlSupport.msi

 

After installing the new instance or reinstalling the Support files by running SqlSupport.msi

We need to install security patch 948109 on the original instance on which it was failing previously, the installation of the security patch will succeed.

The ACT7 software installs sql server 2005 express edition along with the installation of ACT7 software. When we try to apply the latest security patch 948109 released by Microsoft for sql server 2005, the installation may fail.

In order to find the cause of the installation we need to look into the setup boothstrap logs located in the folder c:\program files\microsoft sql server \90\setup bootstrap\log\hotfix\Summary.txt.

When we check the summary.txt we may find the following error reported

Product Installation Status

Product                   : SQL Server Database Services 2005 (ACT7)

Product Version (Previous): 3042

Product Version (Final)   :

Status                    : Failure

Log File                  : C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\LOG\Hotfix\SQL9_Hotfix_KB948109_sqlrun_sql.msp.log

SQL Express Features      :

Error Number              : 29533

Error Description         : MSP Error: 29533 Service ‘TEST-PC\ACT7′ could not be stopped. Verify that you have sufficient privileges to stop system services. The error code is (16386)

———————————————————————————-

Product                   : SQL Server Tools and Workstation Components 2005

Product Version (Previous): 3068

Product Version (Final)   :

Status                    : Not Selected

Log File                  :

SQL Express Features      :

Error Description         :

 

 

CAUSE:

====================

 

When ACT7 software is installed on the system and the sql server instance is used by ACT7 software, it deletes all the Windows logins (for security reasons) including the BUILTIN\Administrator account for that instance of the sql server instance, generally the instance name is ACT7.

 

During the installation of the security patch 948109 the setup.exe tries to login to the sql server using the credential of the windows user with which we are trying to install the security patch. However it will not be able to login to the sql server since there is windows login for the user with which it will try to login

 

Also it is difficult to enter in the sql server instance as the sql user ‘sa’ password are not known to the end users and there is no means by which we can enter into the sql server instance

RESOLUTION/WORKAROUND:

====================

 

So to resolve or workaround this we need to add the Windows login account as a sql server login with which we are installing the security patch.

 

So to add the windows login as sql server login for the sql server 2005 express edition instance ACT7 which is installed alongwith ACT7 we can use the following procedure

 

Stop the sql server service and start the sql server from command line as shown

 

C:\program files\microsoft  sql  server\MSSQL.1\MSSQL\Binn\Sqlservr.exe -s ACT7 -m -c

 

we then need to login into the sql server using sqlcmd using the following commands

 

sqlcmd -S <computer-name>\ACT7 -E

 

create login [<Windows user name>] from windows from e.g

Create login [TEST-PC\SAM] from Windows

 

grant sysadmin to windows login just created above

Sp_addsrvrolemember ‘SAM-PC\SAM,’sysadmin’

 

Stop the sql server from command line and start the sql server service again

 

You can then start the installation of service pack or hotfix and it should work

 

Note: ACT7 software tries to delete the windows login periodically and the login which we just created above might get deleted in say 15 mins so need to make sure the installation is sstarted immediately after adding the login

 

We have a production database in which the data is encrypted. The encryption follows the following hierarchy

 

1) The data is encrypted using Symmetric key

2) The symmetric key was encrypted using asymmetric key

3) The asymmetric key was encrypted using the master key of the database

4) The master key of the database was encrypted using user defined password

 

 We created a MASTER KEY for the test database which encrypted using password

 

o    Use test

o    create master key encryption by password=’password’

 

·          We then created a asymmetric key which is encrypted by MASTER KEY of the database

 

o    Use test

o    open master key decryption by password=’password’

o    create asymmetric key MSSQL with algorithm = RSA_2048

o    go

 

·          In a test database with data, we then create a  symmetric key which  is used to encrypt the data

 

o    Use test

o    create symmetric key MSSQLSYM WITH ALGORITHM = AES_256 encryption by asymmetric key MSSQL.

o    go

 

 

·          We can check the presence of the keys

 

o    Select * from sys.symmetric_keys

o    Select * from sys.asymmetric_keys

 

·           We took the backup of the production database test and wanted to restore the database in the test environment.

 

·         However we wanted to change the password with which the master key is encrypted on the test environment so that password of the original database is not available to the developer who use the database in test environment.

 

·          We then restored the backup of the database test on other instance for the first time. By creating a new database and not overwriting on the existing database

 

·          When we restore the backup in the new instance we want to regenerate the master key of the database so we fire the following commands

 

o    open master key decryption by password=’password’

o    alter master key regenerate with encryption by password = ‘password’

o    close master key

 

 

·          However when we take a backup again from the original server and restore it on the new server by overwriting on the existing database when we fire the same set commands to regenerate the master key we received the following commands

 

o    open master key decryption by password=’password’

o    alter master key regenerate with encryption by password = ‘password’

 

o    Msg 15320, Level 16, State 2, Line 1

o    An error occurred while decrypting asymmetric key ‘MSSQL’ that was encrypted by the old master key. The FORCE option can be used to ignore this error and continue the operation, but data that cannot be decrypted by the old master key will become unavailable.

 

 

·          When we query sys.databases table in the source database and checked the column is_master_key_encrypted_by_server. We found that it was set 1 which means the Master key was encrypted using password along with the service master key of the sql server.

 

·          When we restored the database to the new server for the first time. When we checked the is_master_key_encrypted_by_server column from the sys.database we found the column value was 0 which indicates that MASTER KEY was encrypted only using password and not the SERVICE MASTER KEY of the sql server.

 

·          Therefore we regenerated the MASTER KEY it worked fine without any error. Also after regenerating the master key when we check the table sys.databases again we find that column is_master_key_encrypted_by_server is set to 1 which means that the regeneration encrypts the master key by password and the SERVICE MASTER KEY of the TEST sql server instance

 

·          However when we restore the database on the existing database by overwrting on it. The master key is encrypted using password and SERVICE MASTER KEY so the regeneration fails.

 

·         So in order to regenerate the master key of the database we first need to drop the encryption of the service master key using the following command

 

·          alter master key drop encryption by service master key

 

·          and after dropping the encryption of service master key explicitly when we regenerate the master key using the same command which is used by cx it works fine

 

·          alter master key regenerate with encryption by password = ‘password’