Joe Webb Blog

Musings and observations about SQL Server, other technologies, and sometimes just life in general

SQL Server Security Vulnerabilities

At the 2007 PASS Community Summit in Denver, a keynote speaker made a passing comment about how there has not been a security bulletin released for SQL Server in over three years! I forget which speaker made the statement, but I found it utterly amazing. Not a single security bulletin released in over three years! Could this be true?

If you've worked with SQL Server for a while, you'll undoubtedly remember SQL Slammer, the worm that hit thousands of SQL Servers around the world in 2003. Its effects were nothing short of devastating for many companies.

I made a mental note to do my own research into what the speaker stated as fact; but promptly forgot about it while sitting in session after session, soaking in as much good technical content as my brain could absorb.

In a recent blog posting, however, Jeff Jones did the research that I forgot to do. His posting, entitled SQL Server - Fact Checking Recent Vulnerability History, details the most recent security bulletins released for Microsoft SQL Server.

Jeff found that SQL Server 2000 hasn't had a security bulletin released since January of 2004, and even more amazingly, SQL Server 2005 has never had a security bulletin released! He goes further in his research, though, and compares these figures to the numerous security-related critical patch updates for Oracle.

It's an interesting read that I thought you may like to see. Check it out.

Cheers!

Joe


Legacy Comments


Tara
2008-04-16
re: SQL Server Security Vulnerabilities
Don't the GDRs contain security hotfixes in them besides just normal bug fixes?

Joe Webb
2008-04-17
re: SQL Server Security Vulnerabilities
Here are a couple of links to pages that describe what's in SQL Server 2000 SP4 and SQL Server 2005 SP2.

I didn't notice anything security related in there during my cursory scan of the issues, but there may be. The one that I did notice in SS2000 SP4 was from July 2003.

http://support.microsoft.com/kb/888799
http://support.microsoft.com/kb/921896

If so, I'm guessing that they were not considered elevated enough to warrant a bulletin.

Joe

Tara
2008-04-18
re: SQL Server Security Vulnerabilities
I was referring to the cumulative update packages after SQL Server 2005 SP2. There are now 7 of them.

Aaron
2008-04-28
re: SQL Server Security Vulnerabilities
Tara,

While GDRs and cumulative updates *can* contain security fixes, I scanned through all 7 cumulative updates for 2005 SP2 and did not find a single fix or issue involving security, except for this one in CU4:

50001782
You cannot configure the security settings for database dimensions when the database name is the same as the cube name.

So unless you believe they are keeping all security-related issues a secret, I think Joe is correct.
