diff --git a/plugins/database/mssql/mssql.go b/plugins/database/mssql/mssql.go
index 9b0a78c0ae38..62b415af8bea 100644
--- a/plugins/database/mssql/mssql.go
+++ b/plugins/database/mssql/mssql.go
@@ -387,5 +387,5 @@ END
 `
 
 const rotateRootCredentialsSQL = `
-ALTER LOGIN [%s] WITH PASSWORD = '%s' 
+ALTER LOGIN [{{username}}] WITH PASSWORD = '{{password}}' 
 `
diff --git a/plugins/database/mssql/mssql_test.go b/plugins/database/mssql/mssql_test.go
index f2ad54c993e6..cea5430eedd8 100644
--- a/plugins/database/mssql/mssql_test.go
+++ b/plugins/database/mssql/mssql_test.go
@@ -95,6 +95,44 @@ func TestMSSQL_CreateUser(t *testing.T) {
 	}
 }
 
+func TestMSSQL_RotateRootCredentials(t *testing.T) {
+	if os.Getenv("MSSQL_URL") == "" || os.Getenv("VAULT_ACC") != "1" {
+		return
+	}
+	connURL := os.Getenv("MSSQL_URL")
+	connectionDetails := map[string]interface{}{
+		"connection_url": connURL,
+		"username":       "sa",
+		"password":       "yourStrong(!)Password",
+	}
+
+	db := new()
+
+	connProducer := db.SQLConnectionProducer
+
+	_, err := db.Init(context.Background(), connectionDetails, true)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	if !connProducer.Initialized {
+		t.Fatal("Database should be initalized")
+	}
+
+	newConf, err := db.RotateRootCredentials(context.Background(), nil)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if newConf["password"] == "yourStrong(!)Password" {
+		t.Fatal("password was not updated")
+	}
+
+	err = db.Close()
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+}
+
 func TestMSSQL_RevokeUser(t *testing.T) {
 	if os.Getenv("MSSQL_URL") == "" || os.Getenv("VAULT_ACC") != "1" {
 		return