Joe Webb Blog

Musings and observations about SQL Server, other technologies, and sometimes just life in general

SQL Server Security Vulnerabilities

At the 2007 PASS Community Summit in Denver, a keynote speaker made a passing comment about how there has not been a security bulletin released for SQL Server in over three years! I forget which speaker made the statement, but I found it utterly amazing. Not a single security bulletin released in over three years! Could this be true?

If you've worked with SQL Server for a while, you'll undoubtedly remember SQL Slammer, the worm that hit thousands of SQL Servers around the world in 2003. Its effects were nothing short of devastating for many companies.

I made a mental note to do my own research into what the speaker stated as fact; but promptly forgot about it while sitting in session after session, soaking in as much good technical content as my brain could absorb.

In a recent blog posting, however, Jeff Jones did the research that I forgot to do. His posting, entitled SQL Server - Fact Checking Recent Vulnerability History, details the most recent security bulletins released for Microsoft SQL Server.

Jeff found that SQL Server 2000 hasn't had a security bulletin released since January of 2004, and even more amazingly, SQL Server 2005 has never had a security bulletin released! He goes further in his research, though, and compares these figures to the numerous security-related critical patch updates for Oracle.

It's an interesting read that I thought you may like to see. Check it out.

Cheers!

Joe


Legacy Comments


Tara
2008-04-16
re: SQL Server Security Vulnerabilities
Don't the GDRs contain security hotfixes in them besides just normal bug fixes?

Joe Webb
2008-04-17
re: SQL Server Security Vulnerabilities
Here are a couple of links to pages that describe what's in SQL Server 2000 SP4 and SQL Server 2005 SP2.

I didn't notice anything security related in there during my cursory scan of the issues, but there may be. The one that I did notice in SS2000 SP4 was from July 2003.

http://support.microsoft.com/kb/888799
http://support.microsoft.com/kb/921896

If so, I'm guessing that they were not considered elevated enough to warrant a bulletin.

Joe

Tara
2008-04-18
re: SQL Server Security Vulnerabilities
I was referring to the cumulative update packages after SQL Server 2005 sp2. There are now 7 of them.

Aaron
2008-04-28
re: SQL Server Security Vulnerabilities
Tara,

While GDRs and cumulative updates *can* contain security fixes, I scanned through all 7 cumulative updates for 2005 SP2 and did not find a single fix or issue involving security, except for this one in CU4:

50001782
You cannot configure the security settings for database dimensions when the database name is the same as the cube name.

So unless you believe they are keeping all security-related issues a secret, I think Joe is correct.

Alvaro Lozada
2008-08-14
re: SQL Server Security Vulnerabilities
Take a look at this URL:
http://securityvulns.com/news/Microsoft/SQL/0807.html
