[londons_explore]

Remember that MS SQL server isn't Google code... Any vulnerabilities it may contain they might be powerless to fix.

Considering that, Google probably has an extensive monitoring system running in the VM, looking for things happening that shouldn't happen... And they have probably also built a filtering infrastructure between the users and the SQL server so that if any vulnerability is found, they can at least filter attempts to exploit it while a fix is being made.

[drewda]

According to the blog post, the vulnerability is not within SQL Server itself, the vulnerability is in the security layer that Google built on top of SQL Server in order to offer it as a managed service on GCP.