This update brings the following changes since the 7.0.1 release:
Important — package version alignment: Starting with 7.0.2, the Microsoft.Data.SqlClient driver and its companion packages share a single aligned version. The following packages now ship together as 7.0.2:
- Microsoft.Data.SqlClient
- Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider
- Microsoft.Data.SqlClient.Extensions.Azure
- Microsoft.Data.SqlClient.Extensions.Abstractions
- Microsoft.Data.SqlClient.Internal.Logging
(Microsoft.SqlServer.Server continues to version independently and remains at 1.0.0.)
Applications must reference the same versions of Microsoft.Data.SqlClient and its extensions for best compatibility. In particular, applications that reference Microsoft.Data.SqlClient.Extensions.Azure must upgrade it to 7.0.2 when upgrading Microsoft.Data.SqlClient to 7.0.2.
Breaking change (.NET Framework only): As part of this alignment, the AssemblyVersion of Microsoft.Data.SqlClient.Extensions.Azure, Microsoft.Data.SqlClient.Extensions.Abstractions, and Microsoft.Data.SqlClient.Internal.Logging changed from 1.0.0.0 to 7.0.0.0 (the Microsoft.Data.SqlClient and Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider assembly versions are unchanged). On .NET Framework, AssemblyVersion is part of the strong-name identity, so applications that drop these assemblies into an existing deployment without rebuilding must rebuild against the 7.0.2 packages (or add binding redirects). Applications on .NET / .NET Core are not affected.
Companion package release notes
The following companion packages ship aligned as 7.0.2. See their individual release notes for package-specific changes (including the Microsoft.Data.SqlClient.Extensions.Azure WAM broker support):
- Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider 7.0.2
- Microsoft.Data.SqlClient.Extensions.Azure 7.0.2
- Microsoft.Data.SqlClient.Extensions.Abstractions 7.0.2
- Microsoft.Data.SqlClient.Internal.Logging 7.0.2
Fixed
- Fixed a NullReferenceException in SqlCommand.Cancel(). The diagnostic message built during cancellation dereferenced the active connection directly; it now uses a null-conditional access so cancellation no longer throws when the connection has already been torn down. (#4372, #4373)
- Fixed a NullReferenceException in SqlDataReader when calling GetBytes/GetChars with a null destination buffer. The argument-validation path that constructs the InvalidDestinationBufferIndex exception now guards against the null buffer so the correct ArgumentException is surfaced instead of an NRE. (#4159, #4206)
- Fixed Always Encrypted column master key signature verification incorrectly reusing cached results. The SignatureVerificationCache lookup logic was corrected so signature verification outcomes are cached and retrieved against the correct key, preventing stale or mismatched verification results. (#4339, #4343)
Changed
Hardened TDS token parsing with data-length bounds checks
What Changed:
- Added bounds checking when parsing TDS token and feature-extension-acknowledgment data lengths. The parser now validates the declared length of incoming token data against the available buffer before reading, rejecting malformed or out-of-range length values instead of reading past the intended boundary. (#4340, #4358)
Who Benefits:
- All consumers benefit from improved resilience against malformed or hostile TDS responses. A server (or man-in-the-middle) sending an invalid token length can no longer drive the parser to read beyond the declared payload.
Impact:
- Connections that previously parsed malformed token streams loosely will now fail fast with a clear protocol error. Well-behaved SQL Server responses are unaffected.
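The kind of check described above, as an added illustration that is not code from Microsoft.Data.SqlClient. It assumes the feature-extension-acknowledgment layout from the MS-TDS specification (one-byte feature id, four-byte little-endian data length, data, terminated by 0xFF); the class name, the exception type and the sample bytes are constructed for this example.

```csharp
using System;
using System.Buffers.Binary;
using System.Collections.Generic;

// Added illustration, not driver source. Assumed payload layout (MS-TDS FEATUREEXTACK):
//   repeated { FeatureId: 1 byte, FeatureAckDataLen: 4 bytes LE, FeatureAckData }
//   terminated by FeatureId 0xFF. FeatureExtAckSketch is a hypothetical name.
static class FeatureExtAckSketch
{
    public static List<(byte FeatureId, byte[] Data)> Parse(ReadOnlySpan<byte> payload)
    {
        var acks = new List<(byte FeatureId, byte[] Data)>();
        int pos = 0;
        while (true)
        {
            if (pos >= payload.Length)
                throw new InvalidOperationException("FEATUREEXTACK: missing terminator");
            byte featureId = payload[pos++];
            if (featureId == 0xFF) return acks;

            if (payload.Length - pos < 4)
                throw new InvalidOperationException("FEATUREEXTACK: truncated length field");
            uint declared = BinaryPrimitives.ReadUInt32LittleEndian(payload.Slice(pos, 4));
            pos += 4;

            // Compare as unsigned against the bytes that remain BEFORE slicing or
            // allocating, so an oversized length can never index past the buffer.
            int remaining = payload.Length - pos;
            if (declared > (uint)remaining)
                throw new InvalidOperationException(
                    $"FEATUREEXTACK: feature 0x{featureId:X2} declares {declared} bytes, {remaining} available");

            acks.Add((featureId, payload.Slice(pos, (int)declared).ToArray()));
            pos += (int)declared;
        }
    }

    static void Main()
    {
        // Constructed sample: one feature with 1 data byte, then the terminator.
        byte[] good = { 0x0A, 0x01, 0x00, 0x00, 0x00, 0x01, 0xFF };
        // Constructed sample: same header, but the length field claims 0xFFFFFFFF bytes.
        byte[] bad = { 0x0A, 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0xFF };

        Console.WriteLine(Parse(good).Count);
        try { Parse(bad); }
        catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
    }
}
```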
Contributors
We thank the following public contributors. Their efforts toward this project are very much appreciated.
Target Platform Support
- .NET Framework 4.6.2+ (Windows x86, Windows x64, Windows ARM64)
- .NET 8.0+ (Windows x86, Windows x64, Windows ARM, Windows ARM64, Linux, macOS)
Dependencies
.NET 9.0
- Microsoft.Bcl.Cryptography 9.0.13
- Microsoft.Data.SqlClient.Extensions.Abstractions 7.0.2
- Microsoft.Data.SqlClient.Internal.Logging 7.0.2
- Microsoft.Data.SqlClient.SNI.runtime 6.0.2
- Microsoft.Extensions.Caching.Memory 9.0.13
- Microsoft.IdentityModel.JsonWebTokens 8.16.0
- Microsoft.IdentityModel.Protocols.OpenIdConnect 8.16.0
- Microsoft.SqlServer.Server 1.0.0
- System.Configuration.ConfigurationManager 9.0.13
- System.Security.Cryptography.Pkcs 9.0.13
.NET 8.0
- Microsoft.Bcl.Cryptography 8.0.0
- Microsoft.Data.SqlClient.Extensions.Abstractions 7.0.2
- Microsoft.Data.SqlClient.Internal.Logging 7.0.2
- Microsoft.Data.SqlClient.SNI.runtime 6.0.2
- Microsoft.Extensions.Caching.Memory 8.0.1
- Microsoft.IdentityModel.JsonWebTokens 8.16.0
- Microsoft.IdentityModel.Protocols.OpenIdConnect 8.16.0
- Microsoft.SqlServer.Server 1.0.0
- System.Configuration.ConfigurationManager 8.0.1
- System.Security.Cryptography.Pkcs 8.0.1
.NET Standard 2.0
- Microsoft.Bcl.Cryptography 8.0.0
- Microsoft.Data.SqlClient.Extensions.Abstractions 7.0.2
- Microsoft.Data.SqlClient.Internal.Logging 7.0.2
- Microsoft.Data.SqlClient.SNI.runtime 6.0.2
- Microsoft.Extensions.Caching.Memory 8.0.1
- Microsoft.IdentityModel.JsonWebTokens 8.16.0
- Microsoft.IdentityModel.Protocols.OpenIdConnect 8.16.0
- Microsoft.SqlServer.Server 1.0.0
- System.Configuration.ConfigurationManager 8.0.1
- System.Security.Cryptography.Pkcs 8.0.1
- System.Text.Json 10.0.3
- System.Threading.Channels 10.0.3
.NET Framework 4.6.2+
- Microsoft.Bcl.Cryptography 8.0.0
- Microsoft.Data.SqlClient.Extensions.Abstractions 7.0.2
- Microsoft.Data.SqlClient.Internal.Logging 7.0.2
- Microsoft.Data.SqlClient.SNI 6.0.2
- Microsoft.Extensions.Caching.Memory 8.0.1
- Microsoft.IdentityModel.JsonWebTokens 8.16.0
- Microsoft.IdentityModel.Protocols.OpenIdConnect 8.16.0
- System.Buffers 4.6.1
- System.Data.Common 4.3.0
- System.Diagnostics.DiagnosticSource 10.0.3
- System.Memory 4.6.3
- System.Runtime.InteropServices.RuntimeInformation 4.3.0
- System.Security.Cryptography.Pkcs 8.0.1
- System.Text.Json 10.0.3
- System.Threading.Channels 10.0.3
- System.ValueTuple 4.6.2