Knowledge Base

Search Knowledge Base

KB #240012: How to apply a SQL Server Service Pack to an instance secured with “Validate Executable”

Type: Information
This article describes the issues involved in applying a Service Pack (SP) to an instance of SQL Server that was secured with “Validate SQL Server Executable”
Additional Information:
Always completely backup a production SQL Server and all databases before applying a SP or Hotfix, whether you are using Encryptionizer or not.  If you selected “Validate SQL Server Executable” when securing the instance with the Admin Wizard (SECADMIN.EXE), use the procedure below to apply a Service Pack or Hotfix. You will first need to completely unsecure the instance because Service Packs (and many Hotfixes) update SQLSERVR.EXE. Since it is now a different executable than before, Encryptionizer will no longer allow SQL to start. In fact, you will most likely receive a “cyclic redundancy check” error while applying the Service Pack.

At any point, please contact us if you have any questions or run into any problems. We will be glad to step you through the process over the phone.

Before You Start

  • If you secured SQL 2000 or SQL 7 without the Validate option, you should be able to apply a Service Pack normally with no issues.
  • If you secured SQL 2005 without the Validate option, use KB 240066 instead.

Applying the Service Pack or Hotfix

  1. Start SQL Server
  2. Detach the encrypted database
  3. Stop SQL Server
  4. Un-Secure the instance of SQL Server using the Encryptionizer Admin Wizard(SECADMIN.EXE)
  5. Apply the Service Pack or Hotfix
  6. Re-Secure the instance using the Encryptionizer Admin Wizard (SECADMIN.EXE)
  7. Reattach the encrypted database
  8. At this point, we recommend that you reapply the Service Pack or Hotfix. However, this is optional unless the encrypted database is a member of a replication topology, in which case it is required. Note that you will not need to unsecure the instance this time since sqlservr.exe has already been updated.

Common problems

  • You did not unsecure SQL Server before applying the Service Pack (step 4 above).
    This may result in receiving a “cyclic redundancy check” error during the application of the SP. In this case, run SECADMIN to Unsecure SQL Server and apply the SP again.
  • You did not detach an encrypted database before applying the Service Pack (step 2 above)
    This may result in an error that the database is corrupted, or unwritable. If SQL Server will permit it, ignore this message and allow the SP to continue. If SQL Server does not permit you to ignore it, detach the database and reapply the SP.


  • Most but not all Hotfixes update SQLSERVR.EXE. If Microsoft has provided a list of updated files in a readme you can check for SQLSERVR.EXE in the file list. If there is no readme you can often check by opening the Hotfix installer as an archive (e.g., with Winzip or WinRAR) and searching for SQLSERVR.EXE in the file list. If SQLSERVR.EXE is not updated, you can apply the Hotfix normally.
  • When resecuring the instance (step 6 above) you may want to consider unselecting the “Validate SQL Server Executable” flag unless you have determined that it is a critical part of your security strategy.
  • You should be able to reapply a Service Pack or Hotfix normally since SQLSERVR.EXEhas already been updated. However, if you are reapplying to an instance of SQL Server 2005, make sure to use the Service Pack Helper Service described in KB 240066.
  • If you are intalling Encryptionizer for the first time, we always recommend that you apply all outstanding Service Packs and Hotfixes to your installation of SQL Server before securing it with Encryptionizer.
Related Topics:
240066 How to apply a Service Pack/Hotfix to an Encryptionized instance of SQL Server 2005 or later
240064 Upgrading from SQL 2000 to SQL 2005 on an instance secured with Encryptionizer for SQL/MSDE
240065 Can’t access encrypted data or can’t start SQL Server 2005 after applying Service Pack


Last modified: 1/13/2016