Joe Webb Blog

Musings and observations about SQL Server, other technologies, and sometimes just life in general

SQL Server Security Vulnerabilities

At the 2007 PASS Community Summit in Denver, a keynote speaker made a passing comment about how there has not been a security bulletin released for SQL Server in over three years! I forget which speaker made the statement, but I found it utterly amazing. Not a single security bulletin released in over three years! Could this be true?

If you've worked with SQL Server for a while, you'll undoubtedly remember SQL Slammer, the worm that hit thousands of SQL Servers around the world in 2003. Its effects were nothing short of devastating for many companies.

I made a mental note to do my own research into what the speaker stated as fact, but promptly forgot about it while sitting in session after session, soaking in as much good technical content as my brain could absorb.

In a recent blog post, however, Jeff Jones did the research that I forgot to do. His post, entitled SQL Server - Fact Checking Recent Vulnerability History, details the most recent security bulletins released for Microsoft SQL Server.

Jeff found that SQL Server 2000 hasn't had a security bulletin released since January of 2004, and even more amazingly, SQL Server 2005 has never had a security bulletin released! He goes further in his research, though, and compares these figures to the numerous security-related critical patch updates for Oracle.

It's an interesting read that I thought you may like to see. Check it out.




Legacy Comments

re: SQL Server Security Vulnerabilities
Don't the GDRs contain security hotfixes in them besides just normal bug fixes?

Joe Webb
re: SQL Server Security Vulnerabilities
Here are a couple of links to pages that describe what's in SQL Server 2000 SP4 and SQL Server 2005 SP2.

I didn't notice anything security related in there during my cursory scan of the issues, but there may be. The one that I did notice in SS2000 SP4 was from July 2003.

If so, I'm guessing that they were not considered elevated enough to warrant a bulletin.


re: SQL Server Security Vulnerabilities
I was referring to the cumulative update packages after SQL Server 2005 SP2. There are now 7 of them.

re: SQL Server Security Vulnerabilities

While GDRs and cumulative updates *can* contain security fixes, I scanned through all 7 cumulative updates for 2005 SP2 and did not find a single fix or issue involving security, except for this one in CU4:

You cannot configure the security settings for database dimensions when the database name is the same as the cube name.

So unless you believe they are keeping all security-related issues a secret, I think Joe is correct.
