MSDE 2000 and SQL Server 2005 Express do not allow remote connections, so an authenticated attacker would need to initiate the attack locally to exploit the vulnerability, the company says.