At the 2007 PASS Community Summit in Denver, a keynote speaker made a passing comment about how there has not been a security bulletin released for SQL Server in over three years! I forget which speaker made the statement, but I found it utterly amazing. Not a single security bulletin released in over three years! Could this be true?
If you've worked with SQL Server for a while, you'll undoubtedly remember SQL Slammer, the worm that hit thousands of SQL Servers around the world in 2003. Its effects were nothing short of devastating for many companies.
I made a mental note to do my own research into what the speaker stated as fact, but promptly forgot about it while sitting in session after session, soaking in as much good technical content as my brain could absorb.
In a recent blog posting, however, Jeff Jones did the research that I forgot to do. His posting, entitled SQL Server - Fact Checking Recent Vulnerability History, details the most recent security bulletins released for Microsoft SQL Server.
Jeff found that SQL Server 2000 hasn't had a security bulletin released since January of 2004, and even more amazingly, SQL Server 2005 has never had a security bulletin released! He goes further in his research, though, and compares these figures to the numerous security-related critical patch updates for Oracle.
It's an interesting read that I thought you may like to see. Check it out.
Cheers!
Joe