I noticed this happening on MSSQL 2005 server as well. The issue is the default length of the varchar datatype truncating the access_code hash.

This line of code found in ~/limesurvey/index.php {783}

        $query .="AND CAST(".db_table_name('saved_control').".access_code as varchar)= '".md5(auto_unescape($_SESSION['holdpass']))."'\n";

needs to be updated to contain the max-length of the MD5 hash.

This can be found here: http://php.net/manual/en/function.md5.php

It happens to be 32 characters.

Corrected line:

        $query .="AND CAST(".db_table_name('saved_control').".access_code as varchar(32))= '".md5(auto_unescape($_SESSION['holdpass']))."'\n";

Reproducability:

In a T-SQL Interpreter, try the following comparisons:

SELECT access_code, CAST(access_code as varchar) FROM [lime_saved_control]

And it becomes rather apparant.

Cheers,
Brian.