This check determines whether SQL 7.0 SP1, SP2, or SP3 sa account passwords are written in plaintext to the setup.iss and sqlstp.log\sqlspX.log files in the %windir% and %windir%\%temp% directories. The splstp.log\sqlspX.log file is also checked on SQL 2000 if domain credentials are used in starting the SQL Server services.
If Mixed Mode authentication is used while setting up the SQL Server, the sa password is saved in plaintext format in the setup.iss and sqlstp.log files file for SQL Server 7.0 SP1, SP2, and SP3. Administrators using Windows Authentication mode (which is the recommended mode) would only have credentials at risk if they chose to provide a domain credential to be used when starting the SQL Server services automatically.
Microsoft Security Bulletin MS02-035
FIX: Service Pack Installation May Save Standard Security Password in File (Q263968)
Microsoft Security Bulletin (MS00-035): Frequently Asked Questions
⌐ 2002 Microsoft Corporation. All rights reserved.