The company has identified four flaws, with an overall "critical" rating, that threaten the security of any organisation running the database on the Internet or an intranet.
The most serious is a buffer over-run in a section of code in SQL Server 2000 and Microsoft Desktop Engine 2000, which could allow an attacker to cause a server to fail or to overwrite memory on the server.
Other vulnerabilities occur in the database console commands and in the handling of scheduled jobs of SQL Server 7.0 and 2000.
The latest patch supersedes all previously released security patches for SQL Server 7.0 and 2000 database engines, Microsoft said. However, a Microsoft Security Bulletin warned: "applying this patch is not sufficient by itself to fully secure a SQL Server".
The Microsoft Security Bulletin is available at: www.microsoft.com/technet/security/bulletin/MS02-056.asp
The patches can be downloaded at:
Microsoft SQL Server 7.0:
Microsoft SQL Server 2000: