Added

• Add Enhanced Routing Support for Hyperscale Reader Endpoints #2935
  What was added: Implemented TDS FEATUREEXT 0x0F negotiation and ENVCHANGE 0x21 parsing to support Hyperscale reader endpoints that load balance connections across named replicas, including routed database name propagation in Login7.
  Who benefits: Applications connecting to Azure SQL Hyperscale databases using reader endpoints for read scale-out.
  Impact: Enables automatic connection routing to named replicas with correct database context, while maintaining backward compatibility with servers that do not support enhanced routing.

• Add Support for JDK 26 #2939
  What was added: New jre26 build profile for both Maven and Gradle, with updated compiler settings and test dependencies.
  Who benefits: Applications running on JDK 26.
  Impact: Enables building and testing the driver on JDK 26 without changing runtime behavior.

• Add defaultTransactionIsolation Connection Property #2918
  What was added: New defaultTransactionIsolation connection property allowing users to specify the initial transaction isolation level via JDBC URL or SQLServerDataSource, with automatic execution of SET TRANSACTION ISOLATION LEVEL upon connection establishment.
  Who benefits: Applications requiring a specific isolation level at connection time, especially in connection pool and third-party tool environments.
  Impact: Simplifies configuration of isolation levels without requiring application code changes.

• Add Defense-in-Depth XML Secure Processing to SAXSource and StAXSource Paths #2915
  What was added: Enabled FEATURE_SECURE_PROCESSING and DTD/external entity protections on SAXSource and StAXSource parser paths in SQLServerSQLXML, matching existing DOMSource hardening.
  Who benefits: All users of the SQLXML API.
  Impact: Uniformly hardens all three XML parser paths as defense-in-depth, complementing SQL Server's storage-layer DTD rejection.

• Add XA State Machine Test with Randomized Transaction Testing #2923
  What was added: State-machine based randomized test coverage for XA transaction flows.
  Who benefits: Driver maintainers and CI stability efforts.
  Impact: Improves edge-case detection for XA transaction scenarios with reproducible failures.

• [Retire FX] Port Functional Test Scenarios for TVP #2901
  What was added: Migrated legacy FX functional test scenarios for Table-Valued Parameters into JUnit 5.
  Who benefits: Contributors and CI validation pipelines.
  Impact: Advances FX test retirement with full behavioral parity.

• Port FX ResultSet Tests to State-Machine Based JUnit 5 Tests #2912
  What was added: Migrated FX ResultSet regression tests to state-machine based JUnit 5 tests.
  Who benefits: Contributors and CI validation pipelines.
  Impact: Improves test reproducibility and edge-case detection for ResultSet operations.

• Port FX Statement Execution Scenarios to State-Machine Based Tests #2908
  What was added: Migrated FX statement execution scenarios to state-machine based JUnit 5 tests.
  Who benefits: Contributors and CI validation pipelines.
  Impact: Completes state-machine coverage for statement execution paths.

• Port Functional Test Scenarios for Sparse Columns to JUnit #2922
  What was added: Migrated legacy FX sparse column test scenarios into JUnit 5.
  Who benefits: Contributors and CI validation pipelines.
  Impact: Extends FX test retirement coverage to sparse column scenarios.

• [Retire FX] Port Functional Test Scenarios for Globalization #2924
  What was added: Migrated legacy FX globalization test scenarios into JUnit 5.
  Who benefits: Contributors and CI validation pipelines.
  Impact: Extends FX test retirement coverage to globalization scenarios.

Changed

• Deprecate microsoft.sql.DateTimeOffset in Favor of java.time.OffsetDateTime #2920
  What was changed: Deprecated the proprietary microsoft.sql.DateTimeOffset type and added new getOffsetDateTime(), setOffsetDateTime(), and updateOffsetDateTime() methods to promote java.time.OffsetDateTime (JSR-310) as the canonical Java mapping for SQL Server datetimeoffset columns.
  Who benefits: Applications seeking standards-based, vendor-neutral date/time handling.
  Impact: Improves portability and ORM/middleware interoperability while preserving full backward compatibility with existing DateTimeOffset APIs.

• Improve Class Validation in Util.newInstance() by Deferring Initialization #2914
  What was changed: Updated Util.newInstance() to use Class.forName(className, false, classLoader) to defer class initialization until after isAssignableFrom() validation completes, with a classloader fallback strategy.
  Who benefits: Applications using connection properties such as trustManagerClass, socketFactoryClass, and accessTokenCallbackClass.
  Impact: Strengthens validation of user-supplied class names by ensuring type checks occur before any static initialization side effects.

Fixed

• Fix Integer Overflow When Reading PLP Chunk Sizes from TDS Stream #2916
  What was fixed: Prevented CWE-190 integer overflow in readBytesInternal() when casting unsigned 32-bit PLP chunk sizes from long to int.
  Who benefits: Applications processing large PLP data streams.
  Impact: Ensures safe handling of chunk sizes exceeding Integer.MAX_VALUE in the TDS stream reader.

• Fix Socket Hang When socketTimeout Not Set During Federated Auth Login #2927
  What was fixed: Corrected pre-connection socket timeout computation so that loginTimeout properly bounds socket I/O when socketTimeout defaults to 0 (unlimited).
  Who benefits: Applications using federated authentication (Managed Identity, Azure AD) without an explicit socketTimeout.
  Impact: Resolves indefinite connection hangs during federated auth login while preserving post-login unlimited socket timeout semantics.

• Fix User Agent String in Case of an Exception #2926
  What was fixed: User agent string fields are now populated with "Unknown" when an exception occurs during collection, preventing malformed telemetry data.
  Who benefits: All users of the driver's user agent telemetry feature.
  Impact: Ensures robust user agent string generation regardless of runtime environment errors.

• Fix getIndexInfo() Returning ORDINAL_POSITION=0 for INCLUDE Columns #2943
  What was fixed: Narrowed the supplemental columnstore index query to restrict results to columnstore index types only (i.type IN (5, 6)) and replaced ic.key_ordinal with ic.index_column_id for correct 1-based ordinal positions.
  Who benefits: Applications querying index metadata on tables with INCLUDE columns or columnstore indexes.
  Impact: Eliminates JDBC specification violations (ORDINAL_POSITION=0) and prevents downstream IndexOutOfBoundsException errors.

• Fix Flaky Randomized Statement Test #2930
  What was fixed: Aligned getGeneratedKeys() with the FX framework pattern in randomized Statement tests.
  Who benefits: Contributors and CI pipelines.
  Impact: Improves test stability without affecting runtime behavior.

• Fix XA Test Timeout Issue in testXAWithIsolationLevels #2933
  What was fixed: Resolved timeout issue in XA isolation level tests.
  Who benefits: Contributors and CI pipelines.
  Impact: Improves test reliability without affecting runtime behavior.

• Add legacyFxXa Tag in Exclude Group for build.gradle #2937
  What was fixed: Added the legacyFxXa test tag to the Gradle exclude group to prevent test execution conflicts.
  Who benefits: Contributors running tests via Gradle.
  Impact: Ensures correct test filtering in the Gradle build.

[13.4.0] Stable Release

Added

• Add Test Coverage for Mixed-Type Vector Columns (FLOAT32 and FLOAT16) 2907
  What was added: Expanded the vector test suite to validate scenarios where VECTOR(FLOAT32) and VECTOR(FLOAT16) columns coexist in the same schema, including coverage for JDBC operations and bulk copy workflows.
  Who benefits: Developers building vector-based workloads that mix float32 and float16 vector columns within the same database schema.
  Impact: Ensures reliable driver behavior and compatibility for mixed vector types across CRUD operations, bulk copy, metadata, and advanced database objects such as stored procedures and TVPs.

Added

• Add VECTOR(FLOAT16) Subtype Support #2899
  What was added: Introduced support for the VECTOR(FLOAT16) subtype, including feature negotiation and IEEE-754 compliant serialization/deserialization between Java Float[] and half-precision wire format.
  Who benefits: Applications building AI, embeddings, and vector search workloads that require reduced memory footprint and network payload.
  Impact: Enables efficient float16 vector storage and transmission while preserving backward compatibility and the existing Java programming model.

• Add prepareMethod=none Execution Path#2890
  What was added: New prepareMethod=none option that forces literal parameter substitution with SQL batch execution, bypassing server-side prepared statement handles (sp_prepexec / sp_prepare).
  Who benefits: Applications preferring SQL Server–managed plan caching without driver-managed prepared handle reuse.
  Impact: Executes prepared statements as plain SQL batches, maintaining connection-level temp tables and providing a simplified alternative execution model while leaving the default behavior unchanged.

• Statement-Level Performance Logger Metrics#2885
  What was added: Extended Performance Logger to capture detailed execution metrics for Statement and PreparedStatement (REQUEST_BUILD, FIRST_SERVER_RESPONSE, PREPARE, PREPEXEC, EXECUTE).
  Who benefits: Developers and performance engineers analyzing execution timing and driver behavior.
  Impact: Provides granular observability across all statement execution paths with minimal overhead.

• StateMachineTest Framework for JUnit 5#2887
  What was added: Lightweight, seed-reproducible state-machine testing framework for randomized JDBC state exploration.
  Who benefits: Driver maintainers and CI stability efforts.
  Impact: Improves edge-case detection with reproducible failures without third-party dependencies.

• Add AI-Assisted Development Context Files#2882
  What was added: ARCHITECTURE.md, GLOSSARY.md, and PATTERNS.md to guide AI-assisted development.
  Who benefits: Contributors using AI coding assistants.
  Impact: Improves code consistency and productivity by documenting architecture and established design patterns.

• Enhance Code Coverage (CallableStatement, DatabaseMetaData, PreparedStatement)#2875
  What was added: Expanded unit and integration test coverage for key driver components including SQLServerCallableStatement, SQLServerDatabaseMetaData, and SQLServerPreparedStatement.
  Who benefits: Driver maintainers and users relying on stable metadata, statement execution, and callable behavior.
  Impact: Improves regression detection and long-term stability.

• New Bug Regression Tests in JUnit#2888
  What was added: Migrated legacy FX regression tests (37 scenarios) covering statement execution, ResultSet behavior, batching, cursors, and transaction flows into JUnit with full behavioral parity.
  Who benefits: Contributors and CI validation pipelines.
  Impact: Achieves complete FX regression coverage with reproducible execution paths and improved long-term reliability.

Changed

• Remove ADAL Dependency – Migrate Windows AAD Integrated Auth to MSQA APIs#2864
  What was changed: Replaced deprecated ADAL-based adalsql.dll flow with MSQA (mssql-auth.dll, MSAL C++).
  Who benefits: Users of Windows Active Directory Integrated Authentication.
  Impact: Fully removes legacy ADAL dependency, aligns with Microsoft deprecation guidance, and modernizes authentication architecture.

• Refactor DatabaseMetaData.getColumns() to use sp_columns_170 with fallback#2883
  What was changed: getColumns() now prefers sp_columns_170 (SQL Server 2025) for accurate metadata on newer types such as VECTOR and enhanced JSON, with automatic fallback to sp_columns_100.
  Who benefits: Applications performing schema discovery against SQL Server 2025 and Azure environments.
  Impact: Ensures correct metadata for new engine features while preserving backward compatibility with older SQL Server versions.

• Version Bumps to Address CVEs in Transitive Dependencies#2894
  What was changed: Upgraded azure-identity to 1.18.2 and msal4j to 1.23.1, which in turn update transitive dependencies including Netty (4.1.130.Final), Reactor Netty (1.2.13), and Nimbus JOSE JWT (10.0.1).
  Who benefits: Applications using Azure Active Directory authentication and Azure Identity–based connection flows.
  Impact: Resolves security vulnerabilities in transitive dependencies, including CVE-2025-67735, CVE-2025-53864, CVE-2025-58056, CVE-2025-58057, CVE-2025-55163, CVE-2025-24970, CVE-2025-22227, and CVE-2025-25193, with no breaking API changes.

Fixed

• Fix Cross-Database Stored Procedure Execution with Named Parameters#2895
  What was fixed: Ensured sp_sproc_columns is fully qualified with database.sys to avoid context errors.
  Who benefits: Applications calling procedures across databases with named parameters.
  Impact: Resolves metadata lookup failures and eliminates schema name-squatting security risks.

• Exception Chaining for Nested Stored Procedure Errors#2886
  What was fixed: Multiple nested RAISERROR calls now surface correctly via SQLException.getNextException.
  Who benefits: Applications invoking nested stored procedures.
  Impact: Aligns driver behavior with SQL Server semantics while preserving backward compatibility through lazy exception chaining.

• Remove Outdated Regex Delimiter Comment (Bulk CSV)#2880
  What was fixed: Updated comment to clarify delimiters are treated as literal text in SQLServerBulkCSVFileRecord.
  Who benefits: Users of bulk CSV ingestion.
  Impact: Aligns documentation with actual driver behavior.

Added

• Introduce prepareMethod=scopeTempTablesToConnection for PreparedStatements with temp tables #2844
  What was added: New prepareMethod option that scopes temporary tables created in prepared statements to the connection by using literal parameter substitution instead of server-side prepared handles.
  Who benefits: Developers using temporary tables (#temp) inside PreparedStatement executions.
  Impact: Ensures temporary tables remain visible across executions of different prepared statements/statements within the same connection.

• Send User Agent Information via TDS Feature Extension #2848
  What was added: User agent telemetry is sent to SQL Server using a new LOGIN7 TDS Feature Extension (USERAGENT).
  Who benefits: Platform owners and maintainers analyzing driver usage patterns and runtime environments.
  Impact: Improves telemetry accuracy and enables data-driven testing and support decisions without affecting application behavior.

• Enable Vector and JSON Tests on SQL Server 2025 #2846
  What was added: Test coverage for vector and JSON features on SQL Server 2025 with a new xSQLv17 test tag.
  Who benefits: Contributors validating driver compatibility with the latest SQL Server release.
  Impact: More testing coverage increases confidence in SQL Server 2025 vector and JSON functionality.

• Enhance Code Coverage for SQLServerResultSet #2870
  What was added: Expanded unit test coverage for SQLServerResultSet.
  Who benefits: Driver maintainers and contributors.
  Impact: Improves long-term stability and regression detection.

Changed

• Update bundle-version in Manifest to Include JRE Suffix #2876
  What changed: Bundle-Version in the manifest now includes the jre8 / jre11 suffix to match the JAR file name.
  Who benefits: Users and tooling relying on OSGi metadata consistency.
  Impact: Aligns manifest metadata with published artifacts and avoids ambiguity.

Fixed

• SQL Server Integrity Enhancement Support in supportsIntegrityEnhancementFacility #2745
  What was fixed: Corrected metadata reporting to reflect SQL Server’s support for integrity constraints.
  Who benefits: Applications relying on JDBC metadata to determine database capabilities.
  Impact: Ensures accurate reporting of primary key, foreign key, check, unique, and NOT NULL constraint support.

• Fix Geography Coordinate Parsing with Scientific Notation #2837
  What was fixed: Prevented NumberFormatException when parsing Geography coordinates expressed in scientific notation.
  Who benefits: Applications working with very small spatial coordinate values.
  Impact: Enables correct handling of negative exponents in WKT parsing.

• Bulk Copy Batch Insert: Proper Fallback for SQL Functions #2845
  What was fixed: Automatic fallback to standard batch execution when SQL functions are used in bulk copy batch inserts.
  Who benefits: Users executing PreparedStatement.executeBatch() with expressions like len(?) or encryption functions.
  Impact: Prevents bulk copy failures while preserving performance for compatible statements.

• Fix Bulk Copy Batch Insert with Persisted Computed Columns #2855
  What was fixed: Corrected destination column validation logic to ignore computed persisted columns in bulk copy batch insert.
  Who benefits: Users performing bulk inserts into tables with computed columns.
  Impact: Prevents false “invalid column mapping” errors and restores bulk copy compatibility.

• Fix DatabaseMetaData.getIndexInfo() Collation Conflict in UNION ALL #2867
  What was fixed: Resolved collation conflicts when server and database collations differ in the query executed by getIndexInfo call.
  Who benefits: Applications querying index metadata in mixed-collation environments.
  Impact: Ensures reliable metadata retrieval by applying COLLATE DATABASE_DEFAULT consistently.

• Fix getSchemas() Returning NULL TABLE_CATALOG for Built-in Schemas #2872
  What was fixed: Corrected catalog resolution logic for built-in schemas like dbo, sys etc.
  Who benefits: Applications consuming schema metadata.
  Impact: Ensures JDBC-compliant catalog reporting for all schemas.

• Fix Statement.execute() Skipping Update Count After Batch Error #2866
  What was fixed: Prevented loss of valid update counts following an error in mixed batch execution.
  Who benefits: Applications using Statement.execute() with mixed DML and query batches.
  Impact: Restores correct JDBC result traversal semantics after exceptions.

• Support IP Address Validation in Certificate SAN #2873
  What was fixed: Added RFC 5280–compliant IP address validation in SSL certificate SAN checks.
  Who benefits: Users connecting via IP address over TLS.
  Impact: Removes need for hostname workarounds while preserving strict security guarantees.

• Fix TVP Type Name Collision in CallableStatement Tests #2869
  What was fixed: Eliminated test failures caused by table-valued parameter type name collisions.
  Who benefits: Contributors and CI pipelines.
  Impact: Improves test reliability without affecting runtime behavior.

Added

• Performance logger and callback handling mechanism #2706
  What was added: Introduced performance logging framework to track critical driver operations such as connection time, prelogin, login, and token acquisition.
  Who benefits: Developers and operators monitoring JDBC driver performance.
  Impact: Enables visibility into driver-level latencies via com.microsoft.sqlserver.jdbc.PerformanceMetrics.Connection logger and extensible callback infrastructure for future metrics.

• Test enhancements #2712
  What changed: Improved unit test coverage for SQLServerConnectionTest, SQLServerDatabaseMetaData and few more classes.
  Who benefits: Contributors and maintainers.
  Impact: Improves code coverage with junit tests.

Changed

• Java 25 (LTS) support and removal of non-LTS versions 22–24 #2821
  What changed: Added official support for Java 25 (LTS) and removed non-LTS Java versions (22–24) from Maven and Gradle build configurations.
  Who benefits: Developers aligning builds with long-term supported Java versions.
  Impact: Ensures continued compatibility and stability with LTS Java releases; simplifies build maintenance.

Fixed

• Bulk insert parsing of isolated quotes in tab-delimited data #2795
  What was fixed: Resolved IndexOutOfBoundsException caused by incorrect quote state handling during tab-delimited bulk copy operations.
  Who benefits: Users performing bulk inserts from tab-delimited data containing isolated quotes.
  Impact: Ensures isolated quotes are treated as literal characters; improves parsing reliability and consistency.

• PreparedStatement INSERT update Count with triggers and multi-Value inserts #2817
  What was fixed: Corrected inaccurate update counts returned by PreparedStatement for multi-value INSERT statements with triggers.
  Who benefits: Developers relying on accurate update counts in batch or trigger-based inserts.
  Impact: Ensures consistent and accurate update count behavior across all INSERT execution scenarios.

• Fix for fatal error handling in DONE tokens #2741
  What was fixed: Corrected TDS message handling to properly detect and propagate fatal severity (25+) errors.
  Who benefits: Applications needing reliable error propagation during critical SQL Server failures.
  Impact: Prevents silent failures and ensures robust TDS stream recovery during fatal error conditions.

• Fix for getParameterMetaData() crash with table-valued parameters #2746
  What was fixed: Prevented SQLServerException when calling getParameterMetaData() on statements using Table-Valued Parameters (TVPs).
  Who benefits: Developers using structured or table-valued parameters.
  Impact: Restores correct metadata extraction for TVP parameters, ensuring full JDBC metadata compatibility.

• supportsIntegrityEnhancementFacility() returns accurate value #2828
  What was fixed: Corrected DatabaseMetaData.supportsIntegrityEnhancementFacility() to return true for SQL Server.
  Who benefits: Applications querying database metadata for integrity constraint support.
  Impact: Accurately reports SQL Server’s full support for primary, foreign key, and check constraints.

• Fix bulk copy for batch insert to support InputStream data #2826
  What was fixed: Enabled setBinaryStream() to work correctly with Bulk Copy for Batch Insert into VARBINARY(MAX) columns.
  Who benefits: Developers inserting large binary data via streams.
  Impact: Prevents “invalid hex format” errors; ensures InputStream-based binary inserts work seamlessly.

• Addressed failure on Azure Synapse serverless SQL pool caused by the unsupported sp_statistics procedure #2839
  What changed: Added a try–catch fallback in getIndexInfoAzureDW() to query sys.indexes, sys.index_columns, sys.columns, and sys.tables when sp_statistics is unavailable.
  Who benefits: Applications retrieving index metadata from Azure Synapse serverless SQL pool or other environments lacking sp_statistics.
  Impact: Ensures reliable metadata retrieval through a sys.indexes fallback, consistent NON_UNIQUE mapping, and aligned behavior with Azure SQL Database.

• Test cleanup #2734
  What changed: Updated tests to clean up temporary objects post-execution.
  Who benefits: Contributors and maintainers.
  Impact: Reduces test flakiness and improves maintainability of the test suite.

Added

• Enable Vector data type tests on Azure SQL Database #2762
  What was added: Vector data type tests are now enabled to run against Azure SQL Database.
  Who benefits: Developers testing VECTOR functionality in Azure SQL DB environments.
  Impact: Ensures VECTOR data type support test coverage.

• Enable JSON data type tests on Azure SQL Database #2756
  What was added: JSON data type tests are now enabled to run against Azure SQL Database.
  Who benefits: Developers testing JSON functionality in Azure SQL DB environments.
  Impact: Ensures JSON data type support test coverage.

Changed

• Revert function/procedure filtering via sys.all_objects #2751
  What changed: Reverted #2705 change that used sys.all_objects for filtering. Restores previous behavior to maintain consistency across metadata APIs.
  Who benefits: Developers using getProcedures() and getFunctions() in JDBC.
  Impact: Preserves compatibility with numbered procedures and avoids discrepancies between APIs.

Fixed issues

• Address a hostname validation vulnerability by securely parsing certificate common names. #2801
  What was fixed: Secure hostname validation is enforced by replacing the vulnerable CN parsing logic in SQLServerCertificateUtils.java, preventing spoofing attacks.
  Who benefits: All users of the SQL Server JDBC driver, especially those relying on TLS for secure connections, benefit from improved certificate validation.
  Impact: This fix closes a security gap, protecting applications from man-in-the-middle attacks and ensuring compliance with security best practices.

• JDK 8 compatibility for vector datatype handling #2750
  What was fixed: Ensured fallback to JVM system property javax.net.ssl.trustStoreType if connection property is unset.
  Who benefits: Users configuring SSL via system properties.
  Impact: Enables proper SSL trust store resolution, improving compatibility with system configurations.

• PreparedStatement getGeneratedKeys() failure with triggers #2742
  What was fixed: Fixed error "The statement must be executed before any results can be obtained" when using insert triggers with generated keys.
  Who benefits: Developers retrieving generated keys from inserts with triggers.
  Impact: Restores correct behavior for both update count accuracy and generated keys retrieval in trigger scenarios.

• Byte Buddy dependency scope #2755
  What was fixed: Corrected Byte Buddy (1.15.11) dependency scope to test instead of compile.
  Who benefits: Developers and users of runtime artifacts.
  Impact: Reduces runtime artifact size (~8 MB) and ensures Byte Buddy is only included for unit tests.

• DatabaseMetaData.getIndexInfo() NON_UNIQUE value inconsistency #2773
  What was fixed: Fixed incorrect NON_UNIQUE values due to mismatched handling of sp_statistics and sys.indexes.
  Who benefits: Applications depending on accurate index metadata.
  Impact: Provides consistent value of NON_UNIQUE field across SQL Server and Azure Synapse Analytics.

• DatabaseMetaData.getIndexInfo() invalid cursor position exception 2763
  What was fixed: Fixed SQLException: Invalid cursor position caused when calling ResultSet.next() after exhaustion due to CachedRowSet strict cursor validation.
  Who benefits: Developers consuming metadata via DatabaseMetaData.getIndexInfo() on SQL Server or Azure Synapse DW.
  Impact: Replaces CachedRowSet merging with a UNION ALL query, ensuring standard JDBC cursor behavior while maintaining columnstore index support.

Fixed issues

• Address a hostname validation vulnerability by securely parsing certificate common names. #2803
  What was fixed: Secure hostname validation is enforced by replacing the vulnerable CN parsing logic in SQLServerCertificateUtils.java, preventing spoofing attacks.
  Who benefits: All users of the SQL Server JDBC driver, especially those relying on TLS for secure connections, benefit from improved certificate validation.

Fixed issues

• Address a hostname validation vulnerability by securely parsing certificate common names. #2804
  What was fixed: Secure hostname validation is enforced by replacing the vulnerable CN parsing logic in SQLServerCertificateUtils.java, preventing spoofing attacks.
  Who benefits: All users of the SQL Server JDBC driver, especially those relying on TLS for secure connections, benefit from improved certificate validation.

Fixed issues

• Address a hostname validation vulnerability by securely parsing certificate common names. #2805
  What was fixed: Secure hostname validation is enforced by replacing the vulnerable CN parsing logic in SQLServerCertificateUtils.java, preventing spoofing attacks.
  Who benefits: All users of the SQL Server JDBC driver, especially those relying on TLS for secure connections, benefit from improved certificate validation.

Fixed issues

• Address a hostname validation vulnerability by securely parsing certificate common names. #2806
  What was fixed: Secure hostname validation is enforced by replacing the vulnerable CN parsing logic in SQLServerCertificateUtils.java, preventing spoofing attacks.
  Who benefits: All users of the SQL Server JDBC driver, especially those relying on TLS for secure connections, benefit from improved certificate validation.