SQL Server 2005 has been pretty safe from a security vulnerability perspective, at least from what we've been aware of. During the first few years of its release cycle, there were no issues reported from a security perspective. This is in contrast to SQL Server 2000, which had quite a few issues. There was a time when development on SQL Server 2005 was suspended so that everyone could work on ensuring SQL Server 2000 was patched.
Last week Microsoft admitted there's an issue in SQL Server, which affects v2000 and v2005, but not v2008. That's good in that the issue is patched in the new version, but it's a little disconcerting that so many instances that are already in use out there are vulnerable to the issue.
However, I was more concerned when I saw this note that Microsoft has been working on a patch since April. As of right now, that's 8 months. And the researcher who finally disclosed the issue notes he hasn't heard from Microsoft since late September.
Two things: first, is there a patch done or not? Second, why has this taken so long?
I'm sorry, but I can't believe that it really took Microsoft, as a collective, 8 months, or even 6 months, to figure this out. I bet that if the researcher had disclosed this in July or August, we'd have a patch done. There are a lot of very, very good developers at Microsoft; they've had a lot of training in writing secure code and in working with SQL Server, and I'd like to believe that they (Microsoft) could have patched this inside a month or two if enough resources were put on it.
However, in the time between April and August, most resources were devoted to SQL Server 2008, putting out another version of the product that can generate revenue, not working on SP3 or a patch that covers a security issue. I suspect this was a business decision, but I have no evidence to that effect and it's strictly my suspicion.
It's always a balance between the need to support older versions and the desire to build new ones people will buy. But security issues are different from patches, and there should be more priority put on them. It's not OK, in my opinion, to put fewer resources on security issues because you don't want to delay a release. We purchased the last version of your software because you implied it was properly built. When you discover it isn't, you should react quickly, and with plenty of resources to patch it within 60 days, if not 30. Or at least give us a workaround.
This type of story, to me, highlights the reason why we should have some regulation around disclosure and work. I'd like to see vendors given 30 days' notice, no more, and then the issue publicized. We could limit it to products that have some xx% of the market, say 5%, so as not to overly burden small companies, but for any large platforms, Windows, SQL Server, Oracle, OS X, DB2, OS/400, etc., vendors should feel pressure to patch old versions.
Or release them as open source. I'd accept that in place of them having to patch them.
Steve Jones
Steve's Pick of the Week
More laptops were shipped in 2008 Q3 than desktops. Any of you think you'll ever get another desktop at work?
The Voice of the DBA Podcasts
The podcast feeds are now available at sqlservercentral.podshow.com to get better bandwidth and maybe a little more exposure :). Comments are definitely appreciated and wanted, and you can get feeds from there.
Or now on iTunes!
- Windows Media Podcast - 39.8MB WMV
- iPod Video Podcast - 31.9MB MP4
- MP3 Audio Podcast - 6.5MB
Today's podcast features music by Incompetech. Kevin Macleod has some great compositions in all genres of music. Check him out at www.incompetech.com.
I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.