Joe Webb

Musings and observations about SQL Server, other technologies, and sometimes just life in general


SQL Server Security Vulnerabilities

At the 2007 PASS Community Summit in Denver, a keynote speaker made a passing comment about how there has not been a security bulletin released for SQL Server in over three years! I forget which speaker made the statement, but I found it utterly amazing. Not a single security bulletin released in over three years! Could this be true?

If you've worked with SQL Server for a while, you'll undoubtedly remember SQL Slammer, the worm that hit thousands of SQL Servers around the world in 2003. Its effects were nothing short of devastating for many companies.

I made a mental note to do my own research into what the speaker stated as fact, but promptly forgot about it while sitting in session after session, soaking in as much good technical content as my brain could absorb.

In a recent blog posting, however, Jeff Jones did the research that I forgot to do. His posting, entitled SQL Server - Fact Checking Recent Vulnerability History, details the most recent security bulletins released for Microsoft SQL Server.

Jeff found that SQL Server 2000 hasn't had a security bulletin released since January of 2004, and even more amazingly, SQL Server 2005 has never had a security bulletin released! He goes further in his research, though, and compares these figures to the numerous security-related critical patch updates for Oracle.

It's an interesting read that I thought you may like to see. Check it out.

Cheers!

Joe


posted on Tuesday, April 15, 2008 9:31 PM | Filed Under [ Other Technologies, SQL Server, Current Events ]

Feedback


# re: SQL Server Security Vulnerabilities

Don't the GDRs contain security hotfixes in them besides just normal bug fixes?
4/16/2008 7:07 PM | Tara

# re: SQL Server Security Vulnerabilities

Here are a couple of links to pages that describe what's in SQL Server 2000 SP4 and SQL Server 2005 SP2.

I didn't notice anything security-related in there during my cursory scan of the issues, but there may be. The one that I did notice in SS2000 SP4 was from July 2003.

http://support.microsoft.com/kb/888799
http://support.microsoft.com/kb/921896

If so, I'm guessing that they were not considered elevated enough to warrant a bulletin.

Joe
4/17/2008 10:13 AM | Joe Webb

# re: SQL Server Security Vulnerabilities

I was referring to the cumulative update packages after SQL Server 2005 sp2. There are now 7 of them.
4/18/2008 12:48 AM | Tara

# re: SQL Server Security Vulnerabilities

Tara,

While GDRs and cumulative updates *can* contain security fixes, I scanned through all 7 cumulative updates for 2005 SP2 and did not find a single fix or issue involving security, except for this one in CU4:

50001782
You cannot configure the security settings for database dimensions when the database name is the same as the cube name.

So unless you believe they are keeping all security-related issues a secret, I think Joe is correct.
4/28/2008 10:32 AM | Aaron

# re: SQL Server Security Vulnerabilities

Take a look at this URL:
http://securityvulns.com/news/Microsoft/SQL/0807.html
8/14/2008 11:43 AM | Alvaro Lozada