KB5058713: Fixes an issue in which uninitialized memory
KB5058713 - Description of the security update for SQL Server 2019 GDR: July 8, 2025
Applies To
- SQL Server 2019 on Windows
- SQL Server 2019 on Linux
Summary
This security update contains fixes and resolves vulnerabilities. To learn more about the vulnerabilities, see the following security advisories:
- CVE-2025-49719 - Microsoft SQL Server Information Disclosure Vulnerability
- CVE-2025-49718 - Microsoft SQL Server Information Disclosure Vulnerability
- CVE-2025-49717 - Microsoft SQL Server Remote Code Execution Vulnerability
The Microsoft SQL Server components are updated to the following builds in this security update.
- SQL Server - Product version: 15.0.2135.5, file version: 2019.150.2135.5
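As an added example (not part of the original article), this Python sketch checks an exported inventory of `SERVERPROPERTY('ProductVersion')` strings against the build listed above. The host names, the sample inventory, and the rule that builds numbered 15.0.4000 and higher belong to the cumulative-update servicing branch are assumptions that this page does not state.

```python
import re

# Product version this KB lists for the patched engine (from the article).
FIXED_GDR_BUILD = (15, 0, 2135, 5)
# Assumption, not from the article: SQL Server 2019 cumulative-update builds
# are numbered 15.0.4000 and up and are serviced by a different package.
CU_BRANCH_FLOOR = 4000

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def classify(product_version):
    """Classify one SERVERPROPERTY('ProductVersion') string against this KB."""
    match = _VERSION_RE.fullmatch(product_version.strip())
    if match is None:
        return "unparseable"
    # Compare as integer tuples; comparing the raw strings would rank
    # "15.0.999.9" above "15.0.2135.5".
    version = tuple(int(part) for part in match.groups())
    if version[:2] != FIXED_GDR_BUILD[:2]:
        return "not-sql-2019"
    if version[2] >= CU_BRANCH_FLOOR:
        return "cu-branch-check-separately"
    return "at-or-above-fix" if version >= FIXED_GDR_BUILD else "missing-fix"


def audit(inventory):
    """Return (status per host, sorted hosts still below the fixed build)."""
    statuses = {host: classify(version) for host, version in inventory.items()}
    needs_update = sorted(h for h, s in statuses.items() if s == "missing-fix")
    return statuses, needs_update


# Constructed sample inventory: host names and builds are illustrative only;
# 15.0.2135.5 is the one value taken from the article.
SAMPLE_INVENTORY = {
    "sql-a": "15.0.2135.5",
    "sql-b": "15.0.2130.3",
    "sql-c": "15.0.999.9",
    "sql-d": "15.0.4430.1",
    "sql-e": "16.0.1000.6",
    "sql-f": "15.0.2135",
}

if __name__ == "__main__":
    statuses, needs_update = audit(SAMPLE_INVENTORY)
    for host in sorted(statuses):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {statuses[host]}")
    print("needs KB5058713:", ", ".join(needs_update))
```

Hosts reported as `cu-branch-check-separately` or `unparseable` need manual review; the check does not treat them as patched.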
Improvements and fixes included in this update
- Bug reference: 4239001
  Description: Fixes an issue where under specific conditions an attacker can execute a query against the server to cause unavailability.
  Fix area: SQL Server Engine
  Component: Programmability
  Platform: All
- Bug reference: 4239670
  Description: Fixes an issue in which uninitialized memory is returned in some rare cases when using limited length parameters with REPLACE function.
  Fix area: SQL Server Engine
  Component: Programmability
  Platform: All
- Bug reference: 4053213
  Description: Fixes an issue in which uninitialized memory can be read in some rare cases when using variable length parameters.
  Fix area: SQL Server Engine
  Component: Query Execution
  Platform: All
- Bug reference: 4241788
  Description: Fixes an issue that was introduced in a previous Windows update that causes restarts and prevents Setup from continuing. After you apply this fix, the value of the PendingFileRenameOperations registry key is deleted when you apply updates to SQL Server.
  Fix area: SQL Setup
  Component: Patching
  Platform: Windows