Error message when you try to install a SQL Server 2008/2008 R2 cumulative update or service pack: “The NT service 'MSSQL' could not be started"
Error message when you try to install a SQL Server 2008/2008 R2 cumulative update or service pack: “The NT service 'MSSQL' could not be started"
We encountered an issue while working on a SQL 2008 patching. While running SP4 setup files suddenly a window populated with message
The NT service MSSQL could not be started
While checking the configuration manager, found all SQL services are up and running fine. SQL version, SQL logs and sqlserver.exe everything updated and on the latest patch level (10.0.5000).
Again, we run the CU4 for the same SQL instance, hoping that might be a one time issue and if CU4 succeeded it will cover our previous SP issue. But our hard luck again we encountered the same popup and upgrade failed with same error message.
But as I discussed above while checking SQL after Sp4 and CU4, again everything updated including SQL version, Sqlserver.exe and start-up logs on the latest patch level (10.0.5770).
Now, we were in doubt condition whether patching completed or not. If yes than why error and what would be the root cause for this issue to avoid in future for other servers?
Below is our observations and solution:
When you try to install/upgrade a Microsoft SQL Server 2008/ 2008 R2 cumulative update or service pack (example SP3 and CU3), you receive an error message that resembles ‘The NT service 'MSSQL' could not be started’
In this case, check the summary.txt (C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Log)
You could observe logs as below:
Overall summary:
Final result: The patch installer has failed to update the following instance:. To determine the reason for failure, review the log files.
Exit code (Decimal): -2068709375
Exit facility code: 1202
Exit error code: 1
Exit message: The NT service 'MSSQL' could not be started.
Requested action: Patch
Additionally, can observe below error message that resembles in the Details log (placed at (C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Log\Instancenamefolder]Details.txt)
Slp: The following NT service was in a stopped state prior to patch action: SQLServer
Slp: Sco: Attempting to open SC Manager
Slp: Attempting to run patch request for instance: Instancename
Slp: Error: Failed to run patch request for instance: SQLinstance (exit code: -2068709375)
Above logs clearly says while patching installer not able to start and stop the NT services, which seems to be issue with the permissions of the account running the upgrade. While checking the permissions and goggling we found that account used for patching should have administrative rights on SQL and Windows server including below permissions in local policy
Backup files and directories (SeBackupPrivilege)
Debug Programs (SeDebugPrivilege)
Manage auditing and security log (SeSecurityPrivilege)
While comparing the above permissions we found our patching account does not have rights on the Debug Programs (Local policy) i.e. causing issues while for NT services start/stop.
To resolve this we approached our AD team to provide our group access on the above and applied CU9 on the same instance and completed successfully
CAUSE:
This problem may occur if the account which is used for patching does not have administrative rights and below permissions in local policy
Backup files and directories (SeBackupPrivilege)
Debug Programs (SeDebugPrivilege)
Manage auditing and security log (SeSecurityPrivilege)
WORKAROUND
To work around this problem, check the account permissions used for patching
Firstly, account used for patching should be part of administrative group and can be checked:
Computer management (compmgmt.msc) --> Local Users and Groups --> Administrator
Secondly, patching account should have permissions on below Local policies:
Backup files and directories (SeBackupPrivilege)
Debug Programs (SeDebugPrivilege)
Manage auditing and security log (SeSecurityPrivilege)
Local policies can be accessed from below path
Control Panel--> Administrative Tools --> Local Security -->Settings --> Local Policies --> User Rights Assignment
Incase patch already applied than uninstall the CU3 from control panel and reapply the patch once you have all above permissions (although that’s bit tricky but confirms you about the applied patch)