Merge pull request #34636 from MicrosoftDocs/main

Merged by Learn.Build PR Management system

Author: learn-build-service-prod[bot]

docs/includes/entra-id-tutorial.md

@@ -103,7 +103,7 @@ Or,
 
    1. For the **Method of certificate creation**, use **Generate**.
 
-   1. Add a certificate name and subject.
+   1. Add a certificate name and subject. The certificate name must be unique. A certificate name that matches an existing certificate causes an error when the login is created.
 
    1. The recommended validity period is at most 12 months. The rest of the values can be left as default.
 

docs/relational-databases/performance/optimized-locking.md

@@ -4,7 +4,7 @@ description: "Learn about the optimized locking enhancement to the database engi
 author: MikeRayMSFT
 ms.author: mikeray
 ms.reviewer: randolphwest, peskount, praspu, dfurman
-ms.date: 04/14/2025
+ms.date: 07/07/2025
 ms.service: sql
 ms.subservice: performance
 ms.topic: conceptual
@@ -235,6 +235,19 @@ LAQ is disabled for the database if the percentage of the potentially wasted wor
 
 If the wasted work and the number of restarted statements fall below their respective thresholds, LAQ is re-enabled for the database.
 
+#### LAQ limitations
+
+Lock after qualification might not be used in the following scenarios:
+
+- When disabled by [LAQ heuristics](#laq-heuristics).
+- When conflicting locking hints, such as `UPDLOCK`, `READCOMMITTEDLOCK`, `XLOCK`, or `HOLDLOCK` are used.
+- When the transaction isolation level is other than `READ COMMITTED`, or when the `READ_COMMITTED_SNAPSHOT` database option is disabled.
+- When the table being modified has a columnstore index.
+- When the DML statement includes variable assignment.
+- When the DML statement has an `OUTPUT` clause.
+- When the DML statement uses more than one index seek or scan operator to read the rows being modified.
+- In `MERGE` statements.
+
 ### <a id="behavior"></a> Query behavior changes with optimized locking and RCSI
 
 Concurrent workloads under read committed snapshot isolation (RCSI) that rely on strict execution order of transactions might experience differences in query behavior when optimized locking is enabled.
@@ -304,7 +317,7 @@ The following improvements help you monitor and troubleshoot blocking and deadlo
     - Under each resource in the deadlock report `<resource-list>`, each `<xactlock>` element reports the underlying resources and specific information for locks of each member of a deadlock. For more information and an example, see [Optimized locking and deadlocks](../sql-server-deadlocks-guide.md#optimized-locking-and-deadlocks).
 - Extended events
     - The `lock_after_qual_stmt_abort` event fires when a statement is internally aborted and restarted because of a conflict with another transaction. For more information, see [Lock after qualification (LAQ)](#lock-after-qualification-laq).
-    - In [!INCLUDE [sssql25-md](../../includes/sssql25-md.md)], the `locking_stats` event fires for every database every several minutes and provides aggregate locking statistics for the time interval, such as the number of lock escalations, whether TID locking and LAQ components of optimized locking are enabled, and the number of queries that were ineligible for LAQ for various reasons. This event fires even if optimized locking is disabled.
+    - In [!INCLUDE [sssql25-md](../../includes/sssql25-md.md)], the `locking_stats` event fires for every database every several minutes and provides aggregate locking statistics for the time interval, such as the number of lock escalations, whether TID locking and LAQ components of optimized locking are enabled, and the number of queries where LAQ wasn't used for various reasons. This event fires even if optimized locking is disabled.
 
 ## Best practices with optimized locking
 

docs/relational-databases/polybase/polybase-guide.md

@@ -4,7 +4,7 @@ description: PolyBase enables your SQL Server instance to process Transact-SQL q
 author: MikeRayMSFT
 ms.author: mikeray
 ms.reviewer: hudequei, randolphwest
-ms.date: 04/29/2025
+ms.date: 07/08/2025
 ms.service: sql
 ms.subservice: polybase
 ms.topic: "overview"
@@ -55,7 +55,7 @@ PolyBase provides these same functionalities for the following SQL products from
 | --- | --- |
 | Native support for CSV, Parquet, & Delta <sup>1</sup> | PolyBase Query Service for External Data installation is no longer required to use OPENROWSET, CREATE EXTERNAL TABLE, or CREATE EXTERNAL TABLE AS SELECT with the following types of external data: Parquet, Delta, Azure Blob Storage (ABS), Azure Data Lake Storage (ADLS), or S3-Compatible Object storage. |
 | Use generic ODBC data sources on Linux | For more information, see [Configure PolyBase to access external data with ODBC generic types](polybase-configure-odbc-generic.md). |
-|TDS 8.0 Support|When using [Microsoft ODBC Driver 18 for SQL Server driver](/sql/connect/odbc/windows/features-of-the-microsoft-odbc-driver-for-sql-server-on-windows).<br /><br /> TDS 8.0 is not supported for sqlserver as [external data source](/sql/t-sql/statements/create-external-data-source-transact-sql).|
+| TDS 8.0 support | When using [Microsoft ODBC Driver 18 for SQL Server](../../connect/odbc/windows/features-of-the-microsoft-odbc-driver-for-sql-server-on-windows.md), TDS 8.0 isn't supported for [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] as an [external data source](../../t-sql/statements/create-external-data-source-transact-sql.md). |
 
 <sup>1</sup> On [!INCLUDE [sssql25-md](../../includes/sssql25-md.md)], PolyBase Query Service for External Data is still required to connect with other databases. For example: SQL Server, Oracle, DB2, Teradata, MongoDB, or ODBC.
 
@@ -69,7 +69,7 @@ PolyBase provides these same functionalities for the following SQL products from
 | Delta table format | PolyBase is now capable of querying (read-only) data from Delta Table format stored on S3-compatible object storage, Azure Storage Account V2, and Azure Data Lake Storage Gen2. For more information, see to [Virtualize delta table with PolyBase](virtualize-delta.md) |
 | Create External Table as Select (CETAS) | PolyBase can now use CETAS to create an external table and then export, in parallel, the result of a [!INCLUDE [tsql](../../includes/tsql-md.md)] SELECT statement to Azure Data Lake Storage Gen2, Azure Storage Account V2, and S3-compatible object storage. For more information, see [CREATE EXTERNAL TABLE AS SELECT (CETAS)](../../t-sql/statements/create-external-table-as-select-transact-sql.md). |
 
-For more new features of [!INCLUDE [sssql22-md](../../includes/sssql22-md.md)], see [What's new in SQL Server 2022?](../../sql-server/what-s-new-in-sql-server-2022.md)
+For more new features of [!INCLUDE [sssql22-md](../../includes/sssql22-md.md)], see [What's new in SQL Server 2022](../../sql-server/what-s-new-in-sql-server-2022.md).
 
 > [!TIP]  
 > For a tutorial of PolyBase features and capabilities in [!INCLUDE [sssql22-md](../../includes/sssql22-md.md)], see [Get started with PolyBase in SQL Server 2022](polybase-get-started.md).

docs/relational-databases/security/authentication-access/azure-ad-authentication-sql-server-setup-tutorial.md

@@ -15,4 +15,4 @@ monikerRange: ">=sql-server-ver16||>= sql-server-linux-ver16"
 
 [!INCLUDE [SQL Server 2022](../../../includes/applies-to-version/sqlserver2022.md)]
 
-[!INCLUDE [entra-id-tutorial](../../../includes/entra-id-tutorial.md)]
+[!INCLUDE [entra-id-tutorial](../../../includes/entra-id-tutorial.md)]

docs/relational-databases/security/encryption/sql-server-connector-maintenance-troubleshooting.md

@@ -46,6 +46,15 @@ Versions 1.0.0.440 and older have been replaced and are no longer supported in p
 1. Start SQL Server service.
 1. Test encrypted databases are accessible.
 
+If your database is in a `RECOVERY PENDING` state, you need to run an `ALTER` command on the cryptographic provider. Replace *AzureKeyVault_EKM* with the name of your actual cryptographic provider, which you can find in the [sys.cryptographic_providers](../../../relational-databases/system-catalog-views/sys-cryptographic-providers-transact-sql.md) system view.
+
+``` sql
+ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM DISABLE;  
+ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM FROM FILE = 'C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';  
+ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM ENABLE;
+```
+Restart the SQL Server service after modifying the cryptographic provider.
+
 ### Rollback
 
 1. Stop SQL Server service using **SQL Server Configuration Manager**.

docs/relational-databases/security/encryption/sql-server-connector-registry-modification.md

@@ -4,7 +4,7 @@ description: This article describes enabling errors and logging for SQL Server C
 author: VanMSFT
 ms.author: vanto
 ms.reviewer: vanto
-ms.date: 08/23/2021
+ms.date: 07/08/2025
 ms.service: sql
 ms.subservice: security
 ms.topic: how-to
@@ -27,44 +27,58 @@ Use the [Azure Key Vault forum](https://social.msdn.microsoft.com/Forums/AzureKe
 
 ## Upgrade SQL Server Connector to the latest version
 
-To upgrade the SQL Server Connector (Version: 1.0.5.0 with a Date Published: September 2020) to the latest version DLL Crypto provider, follow these steps.
+To upgrade the SQL Server Connector (Version: 1.0.5.0 with a Date Published: January 2025) to the latest version DLL Crypto provider, follow these steps.
 
 ### Upgrade
 
-1. Stop SQL Server service using SQL Server Configuration Manager
-1. Uninstall the old version using **Control Panel\Programs\Programs and Features**
+1. Stop SQL Server service using **SQL Server Configuration Manager**.
+1. Uninstall the old version using **Control Panel** > **Programs** > **Programs and Features**.
     1. Application name: SQL Server Connector for Microsoft Azure Key Vault
-    1. Version: 15.0.300.96 (original 1.0.5.0 version)
-    1. DLL file date: 01/30/2018 3:00 PM
-1. Install (upgrade) new SQL Server Connector for Microsoft Azure Key Vault
-    1. Version: 15.0.2000.440 (or latest version)
-    1. DLL file date: 09/11/2020 ‏‎5:17 AM (or later)
-1. Start SQL Server service
-1. Test encrypted DB(s) is/are accessible
+    1. Version: 15.0.300.96 (or older)
+    1. DLL file date: January 30 2018 (or older)
+1. Install (upgrade) new SQL Server Connector for Microsoft Azure Key Vault.
+    1. Version: 15.0.2000.440
+    1. DLL file date: November 9 2024
+1. Start SQL Server service.
+1. Test encrypted databases are accessible.
+
+If your database is in a `RECOVERY PENDING` state, you need to run an `ALTER` command on the cryptographic provider. Replace *AzureKeyVault_EKM* with the name of your actual cryptographic provider, which you can find in the [sys.cryptographic_providers](../../../relational-databases/system-catalog-views/sys-cryptographic-providers-transact-sql.md) system view.
+
+``` sql
+ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM DISABLE;  
+ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM FROM FILE = 'C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';  
+ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM ENABLE;
+```
+Restart the SQL Server service after modifying the cryptographic provider.
 
 ### Rollback
 
-1. Stop SQL Server service using SQL Server Configuration Manager
-1. Uninstall the new version using **Control Panel\Programs\Programs and Features**
+1. Stop SQL Server service using **SQL Server Configuration Manager**.
+1. Uninstall the new version using **Control Panel** > **Programs** > **Programs and Features**.
     1. Application name: SQL Server Connector for Microsoft Azure Key Vault
     1. Version: 15.0.2000.440
-    1. DLL file date: 09/11/2020 ‏‎5:17 AM
-1. Install old version of SQL Server Connector for Microsoft Azure Key Vault
+    1. DLL file date: November 9 2024
+
+1. Install old version of SQL Server Connector for Microsoft Azure Key Vault.
     1. Version: 15.0.300.96
-    1. DLL file date: 01/30/2018 3:00 PM
-1. Start SQL Server service
-1. Test encrypted DB(s) is/are accessible
+    1. DLL file date: January 30 2018
+1. Start SQL Server service.
+1. Check that the databases using TDE are accessible.
+
+1. After validating that the update works, you can delete the old [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] **Connector** folder (if you chose to rename it instead of uninstalling in Step 3).
 
 > [!NOTE]
 > - SQL Server Connector versions 1.0.0.440 and older have been replaced and are no longer supported in production environments. For more information on troubleshooting SQL Server Connector issues, see [SQL Server Connector Maintenance & Troubleshooting](../../../relational-databases/security/encryption/sql-server-connector-maintenance-troubleshooting.md).
 > - Starting with version 1.0.3.0, the SQL Server Connector reports relevant error messages to the Windows event logs for troubleshooting.
 > - Starting with [1.0.4.0: (version 13.0.811.168)](https://download.microsoft.com/download/8/0/9/809494f2-bac9-4388-ad07-7eaf9745d77b/SQL%20Server%20Connector%20for%20Microsoft%20Azure%20Key%20Vault%201.0.4.0.msi), there is support for private Azure clouds, including Azure operated by 21Vianet, Azure Germany, and Azure Government.
 > - There is a breaking change in version 1.0.5.0 in terms of the thumbprint algorithm. You may experience database restore failures after upgrading to 1.0.5.0. For more information, see [Error 33111 when restoring backups from older versions of SQL Server Connector for Microsoft Azure Key Vault](/troubleshoot/sql/database-engine/backup-restore/error-33111-restore-issues-sql-connector).
-> - **Starting with version [1.0.5.0 (with a file date of September 2020)](https://www.microsoft.com/en-us/download/details.aspx?id=45344), the SQL Server Connector supports filtering messages and network request retry logic.**
+> - Starting with version [1.0.5.0 (with a file date of September 2020)](https://www.microsoft.com/en-us/download/details.aspx?id=45344), the SQL Server Connector supports filtering messages and network request retry logic.
+> - Starting with version [1.0.5.0 (with a file date of November 2024)](https://www.microsoft.com/en-us/download/details.aspx?id=45344) and SQL Server 2022 CU17 and later versions., the SQL Server Connector supports authentication with Azure Key Vault using managed identity for SQL Server on Azure Virtual Machines.
 > - *The old version of the SQL Server Connector is also version: [1.0.5.0 (version 15.0.300.96) – File date January 2018](https://download.microsoft.com/download/8/0/9/809494f2-bac9-4388-ad07-7eaf9745d77b/1033_15.0.2000.367/SQLServerConnectorforMicrosoftAzureKeyVault.msi)*. Upgrade to the newest SQL Server Connector if you experience any issues.
 
 **System Requirements** - Supported SQL Server versions:
 
+- SQL Server 2022 RTM Enterprise or Standard 64-bit
 - SQL Server 2019 RTM Enterprise or Standard 64-bit
 - SQL Server 2017 RTM Enterprise 64-bit
 - SQL Server 2016 RTM Enterprise 64-bit