Microsoft confirms it's been working on SQL bug since April


The Microsoft spokesman didn't directly respond to a question about whether the company had a patch in hand, as Mueller claimed, but instead said, "At this time, security updates are not available for the affected versions listed in ."

Although it is true that Microsoft has not yet issued an update to the affected software -- which includes , SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2000 Desktop Engine, Microsoft SQL Server 2000 Desktop Engine and Windows Internal Database -- one security expert said he's betting that the company will release one soon.

"We expect that Microsoft is currently working on a patch and will release it out of band," said , chief technology officer at security company Qualys Inc.

So-called "out-of-band" or "out-of-cycle" updates are those that Microsoft issues on days other than its regularly scheduled monthly Patch Tuesday. Microsoft's next scheduled update is set for Jan. 13, 2009, nearly three weeks from today.

Microsoft has released two out-of-cycle emergency updates in the last two months, the most recent a fix issued a week ago to in all versions of Internet Explorer. The IE vulnerability, however, was already being exploited by hackers prior to the patch's release; Microsoft has said it has no reports of in-the-wild exploitation of the SQL Server bug.