SQL Server Support for TLS 1.2: Read This First!

AaronBertrand

In January 2016, Microsoft announced that TLS 1.2 would now be supported in specific builds of SQL Server 2008, 2008 R2, 2012, and 2014. Personally, I was pleasantly surprised to see this support back-ported to 2008 and 2008 R2; I was convinced that those customers would just be urged to upgrade if TLS coverage was that important to them. So this is great news.

Before you rush out and deploy, though, there are a few issues you should be aware of.

• UPDATE November 17th, 2018 - the explicit TLS patches are currently unavailable across all affected versions (all my attemtps to find them yield "This Hotfix is no longer available"). If you are in need of a TLS 1.2 patch that is *not* a part of a subsequent service pack or cumulative update (as is the case with 2008 or 2008 R2, which are nearing end of life), you will need to contact Microsoft Support (or upgrade).
• UPDATE March 2, 2016 - if you were looking for the downloads to apply to 2008 or 2008 R2 after February 13th, you would have only found the patches for SQL Native Client (they have "SNAC" in the name). This was because the patches were pulled due to an issue involving sporadic service termination. This issue has been addressed, and the downloads have now been restored. Here is what had been posted on the official release services blog post on February 13th:

  Update: February 13, 2016: We have two customers that have reported unexpected service terminations for SQL Server 2008 and SQL Server 2008 R2 after installing the above updates. We are actively working on investigating the reported issues. Although the service terminations have not been conclusively correlated to this update, till the root cause is identified we are being proactive and disabling the downloads for both SQL Server 2008 and SQL Server 2008 R2. If you have an affected environment, please uninstall the installed update.

  Today, this update appeared, so it appears safe to go back into the water:

  Update: March 2, 2016: [...] The following SQL Server database engine versions are affected by the intermittent service termination issue that is reported in KB3146034. For customers to protect themselves from the service termination issue, we recommend that they install the TLS 1.2 updates for Microsoft SQL Server that are mentioned in this article if their SQL Server version is listed in the following table.

  [For x86 and x64, the post lists 10.0.6543 and 10.50.6537. IA-64 builds are also listed.]

• UPDATE February 22, 2016 - If you are running SQL Server 2014 and are on a CU path, new Cumulative Updates have been released for both RTM and SP1 that address the encrypted endpoint issues mentioned in KB #3135852.
• UPDATE February 18, 2016 - If you are running SQL Server 2008 or 2008 R2, a problem has surfaced after the application of the latest updates. As a result, the downloads for those versions have been pulled, and a fix is being investigated. I missed an update to
• If you are running SQL Server 2014, using encrypted endpoints for Availability Groups, Database Mirroring, or Service Broker, and are not eligible for the GDR updates (in other words, you are already at a build higher than 12.0.4219 for SP1 or 12.0.2271 for RTM), you should not rush out and deploy TLS 1.2. There is a known issue reported in KB #3135852 - for the CU branches of SQL Server 2014, this issue has been addressed in RTM CU #12 and SP1 CU #5 (see this post for more details). The Knowledge Base article doesn't currently address this point, because changes to KBs have a lot of red tape (the blog post has been updated to warn about this issue).
• You might find that SQL Server Agent will not start after enabling only TLS 1.2. The fix, according to Amit Banerjee, is to install the updated SQL Server Native Client drivers for your operating system from KB #3135244. You should do that anyway.
• Management Studio and other client tools might be unable to connect. Amit Banerjee (again!) tells us that the fix is to install the proper .NET framework hotfix, again from KB #3135244. You should do that anyway.
• If you are trying to get IIS and SQL Server to communicate using only TLS 1.2 on the same box, you might have to abandon that plan and move IIS, at least according to this answer on dba.stackexchange (he also left some details on this post).
• To avoid most of these issues, just update SQL Server Native Client, ODBC/JDBC, and .NET Framework hotfixes on all clients that will ever come into contact with SQL Server instances where TLS 1.2 is enabled. Or on all machines period. Again, you can get these fixes from KB #3135244.

Decision Matrix

It seems straightforward, but as of today, not all builds will enable you to rush out and convert to TLS 1.2 exclusively. Here is what I suggest for each set of builds (in addition to patching .NET Framework, SQL Server Native Client, ODBC, and JDBC on all machines):

SQL Server 2014 Service Pack 1
12.0.4416 => 12.0.4438	You are on a CU path. You should apply *at least* Cumulative Update #5 or later (full listing here), or better yet, Service Pack 3.
12.0.4050 => 12.0.4218	You are on SP1 RTM or the SP1 GDR path. For full support now, install the SP1 GDR TLS 1.2 Update (12.0.4219). Though I would opt for the latest service pack and cumulative update, and deploy that instead, especially if the encrypted endpoint issue above might affect you.
SQL Server 2014 RTM
12.0.2546 => 12.0.2563	You are on a CU path. You should apply Cumulative Update #14 or just move to Service Pack 3.
12.0.2342 => 12.0.2545	You are on a CU path but no TLS 1.2 support. You could add that support if you move to a later CU (CU #8 or higher); I would recommend Service Pack 3.
12.0.2000 => 12.0.2270	You are on RTM or the RTM GDR path. For full support now, install the RTM GDR TLS 1.2 Update (12.0.2271). Though I would opt for Cumulative Update #12, and deploy that instead, especially if the encrypted endpoint issue above might affect you.install the latest Cumulative Update or Service Pack 3.
SQL Server 2012 Service Pack 3
11.0.6216 => 11.0.6518	You have full support for TLS 1.2.
11.0.6020 => 11.0.6215	Here, you have a choice; you can install the SP3 GDR TLS 1.2 Update (11.0.6216) or apply SP3 Cumulative Update #1 (11.0.6518). I prefer the cumulative update, personally, especially given Microsoft's new stance on CUs and the fact that you'll get more fixes for the same level of regression testing.
SQL Server 2012 Service Pack 2
11.0.5644 => 11.0.5644	You have full support for TLS 1.2.
11.0.5353 => 11.0.5643	For full support, apply SP2 Cumulative Update #10 (11.0.5644).
11.0.5058 => 11.0.5351	Here, you have a choice; you can install the SP2 GDR TLS 1.2 Update, when it is published again (11.0.5352), or apply SP2 Cumulative Update #10 (11.0.5644). I prefer the cumulative update, personally, especially given Microsoft's new stance on CUs and the fact that you'll get more fixes for the same level of regression testing.
SQL Server 2012 RTM & Service Pack 1
11.0.2100 => 11.0.5057	Your only choice for TLS 1.2 support is to move to Service Pack 2 or, preferably, Service Pack 3, and then apply the TLS update.
SQL Server 2008 R2 Service Pack 3
10.50.6000 => 10.50.6541	For full support, apply the SP3 TLS 1.2 Update (10.50.6542).
SQL Server 2008 R2 RTM, Service Pack 1, and Service Pack 2
10.50.1600 => 10.50.5999	Your only choice for TLS 1.2 support is to move to Service Pack 3 and then apply the TLS update.
SQL Server 2008 Service Pack 4
10.0.6000 => 10.0.6546	For full support, apply SP4 TLS 1.2 Update (10.0.6547).
SQL Server 2008 RTM, Service Pack 1, Service Pack 2, and Service Pack 3
10.0.1600 => 10.0.5999	Your only choice for TLS 1.2 support is to move to Service Pack 4 and then apply the TLS update.

Running 2008 or 2008 R2 on Itanium (IA-64)? See KB #3135244 for download links.

Don't see your build in any of the above ranges? Please let me know in the comments below.