GDI+ Updated Again

Last year, I wrote about Microsoft Update 956391, a security update to GDI+ that the Report Viewer client print control depends on.  For security reasons, that update forced us to enable a kill bit for the client print control.  A new security update is being released for GDI+ today via Microsoft Update MS09-062 (KB 957488).  But this time, we’ve taken some additional steps to hopefully provide a less impactful and smoother transition.

Why we include GDI+ in the first place

The client print control receives EMF files from the report server or report viewer control and uses GDI+ to display them in print preview or to send the data to the printer.  Reporting Services and the ReportViewer control are supported on a number of operating systems, going back to Windows 2000.  While gdiplus.dll has shipped with newer Windows operating systems, it did not ship with Windows 2000. 

Previous releases of Reporting Services have included GDI+ in the ActiveX control package to ensure that the control works across all supported operating systems without any additional installation by the end user.  Printing on Windows 2003, XP, or any newer operating system uses the GDI+ assembly that ships with the operating system, ignoring the one deployed with the ActiveX control.

What we changed this time

Beginning with SQL Server Reporting Services 2008, we stopped shipping GDI+ with the print control.  So SSRS 2008 is not affected by this update.  Reporting Services 2000 and 2005, as well as the Visual Studio 2008 Report Viewer control, all ship the print control with GDI+, so they are being updated.  The report viewer that ships with VS 2005 is also being updated so that it can connect to an updated report server.
Like the previous update, this change modifies the CLSID associated with the print control.  The following table shows the affected values:

Version | CLSID
Originally shipped CLSID | {FA91DF8D-53AB-455D-AB20-F2F023E498D3}
CLSID after previous update | {41861299-EAB2-4DCC-986C-802AE12AC499}
New CLSID | {0D221D00-A6ED-477C-8A91-41F3B660A832}

Our GDI+ dependency going forward

The print control will continue to require GDI+ going forward.  But due to the obvious impact to our customers as well as the number of different products we need to update during any GDI+ security bulletin, we will no longer be shipping gdiplus.dll with any version of the print control.  That is, this patched version of the ActiveX print control does not include the updated version of gdiplus.dll.  As a result, any future changes to GDI+ will not require an update to any reporting services product.

Most of our users should see no impact from this change because the print control is using gdiplus.dll from the operating system and not the one deployed with the ActiveX download.  But from this point forward, browsers running on Windows 2000 may need to install GDI+ separately.  While it’s not ideal to require end users to perform a separate installation, we feel this provides the best experience to the majority of our customers in the case of future security updates.  And in many cases, GDI+ will already have been installed on Windows 2000 machines via the .NET Framework or other such installation.

The transition

As with the previous update, we will be issuing the IE kill bit for the old print control.  But because the GDI+ assembly included with the print control is only used on Windows 2000 machines, only that operating system will receive the kill bit.  All other operating systems can continue to use the existing print control without any changes.  The kill bit is not being issued until February 2010, in order to provide you with sufficient time to update your environments.  Once the kill bit is issued, Windows 2000 machines connecting to unpatched reporting services installations will receive the “Unable to load client print control” error message when attempting to print.
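
To see which generation of the print control a client has registered and whether a kill bit is set for it, the three CLSIDs from the table above can be checked against the registry. This script is an added example, not part of the update itself; it assumes a client with PowerShell 3.0 or later and uses the standard IE kill-bit location (the "Compatibility Flags" value 0x400 under "ActiveX Compatibility"). The function name is hypothetical.

```powershell
# Print control CLSIDs, taken from the table on this page.
$controls = [ordered]@{
    'Originally shipped'    = '{FA91DF8D-53AB-455D-AB20-F2F023E498D3}'
    'After previous update' = '{41861299-EAB2-4DCC-986C-802AE12AC499}'
    'New'                   = '{0D221D00-A6ED-477C-8A91-41F3B660A832}'
}

# COM registration and kill bits live in both the native and the 32-bit
# (Wow6432Node) registry views on 64-bit Windows, so check each.
$clsidRoots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
              'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
$compatRoots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit = 0x400   # flag that stops IE from instantiating the control

# Hypothetical helper name; returns one object per CLSID.
function Get-PrintControlStatus {
    foreach ($name in $controls.Keys) {
        $clsid = $controls[$name]

        # Which DLL, if any, is registered as the in-process server?
        $server = $null
        foreach ($root in $clsidRoots) {
            $key = "$root\$clsid\InprocServer32"
            if (-not $server -and (Test-Path -LiteralPath $key)) {
                $server = (Get-Item -LiteralPath $key).GetValue('')
            }
        }

        # Is the kill bit set in either registry view?
        $killed = $false
        foreach ($root in $compatRoots) {
            $key = "$root\$clsid"
            if (Test-Path -LiteralPath $key) {
                $flags = (Get-Item -LiteralPath $key).GetValue('Compatibility Flags')
                if ($null -ne $flags -and ($flags -band $KillBit)) { $killed = $true }
            }
        }

        [pscustomobject]@{
            Version    = $name
            CLSID      = $clsid
            Registered = [bool]$server
            Server     = $server
            KillBitSet = $killed
        }
    }
}

Get-PrintControlStatus | Format-Table -AutoSize
```

A client that shows only an older CLSID as registered has not yet downloaded the control from a patched report server.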

What you need to do

It’s the client operating system, not the one running the report server, that determines whether you will need to update anything.  If you don’t expect to have any clients running Windows 2000, you don’t have to update anything.  But if you do and you are using one of the products in the “What we changed this time” section above, then you will need to patch your report server and report viewer.

SQL Server 2000 SP2:

SQL Server 2005 SP2:

SQL Server 2005 SP3:

Visual Studio 2005 SP1:

Visual Studio 2008:

Visual Studio 2008 SP1:

Report Viewer 2005 SP1 Redistributable:

Report Viewer 2008 Redistributable:

Report Viewer 2008 SP1 Redistributable:

GDI+ Standalone Installation: