November 3, 2010 at 10:39 am
GSquared (11/3/2010)
Yeah, there were (and are) problems with vendors specifying that you have to remain unpatched on supporting software like SQL Server.
Usually our reaction is to start looking for another vendor.
Too much risk, and very hard to maintain consistency in applying updates.
Greg E
November 3, 2010 at 10:45 am
Greg Edwards-268690 (11/3/2010)
GSquared (11/3/2010)
Yeah, there were (and are) problems with vendors specifying that you have to remain unpatched on supporting software like SQL Server.
Usually our reaction is to start looking for another vendor.
Too much risk, and very hard to maintain consistency in applying updates.
Greg E
That is quite a bit extreme. Talk about a huge cost and man-hours undertaking. Typically I see most vendors are lax at supporting the next version of SQL Server, and most don't even test out CUs. Heck, we just implemented a solution this summer for polling our stores, and they still only support SQL 2005.
November 3, 2010 at 2:34 pm
Markus (11/3/2010)
Greg Edwards-268690 (11/3/2010)
GSquared (11/3/2010)
Yeah, there were (and are) problems with vendors specifying that you have to remain unpatched on supporting software like SQL Server.
Usually our reaction is to start looking for another vendor.
Too much risk, and very hard to maintain consistency in applying updates.
Greg E
That is quite a bit extreme. Talk about a huge cost and man-hours undertaking. Typically I see most vendors are lax at supporting the next version of SQL Server, and most don't even test out CUs. Heck, we just implemented a solution this summer for polling our stores, and they still only support SQL 2005.
There is a big difference between RTM of a previous version, supporting SP's soon after release, and supporting current version.
So I could live with 2005, but not RTM.
Same with 2008, but not necessarily R2.
Cannot live with 2000.
And I see a difference between a vendor willing / able to resolve any issues you run into with a SP in a reasonable timeframe.
So I might not be as extreme as you imagine.
Greg E
November 3, 2010 at 2:40 pm
Sure - didn't know it at the time because it wasn't important - we weren't running MS servers at all. But I know the history.
Whether it was Slammer that opened their eyes and got them hiring folks with non-Windows OS experience into their OS team is, of course, arguable.
It's still true that MS didn't really "get" security at that point - and not long after, they did (including the fact that your customers will blame you even if you DID release the patch a year earlier). The update and notification process is certainly light years better.
Today, the problem may be recession-level staffing. Management sees the servers run - and profits are thin. So like a guy with no money and bad brakes who says "car still seems to stop when I want it to"...hope for the best and refuse to imagine the worst.
Roger L Reid
November 3, 2010 at 2:49 pm
Roger L Reid (11/3/2010)
Sure - didn't know it at the time because it wasn't important - we weren't running MS servers at all. But I know the history.
Whether it was Slammer that opened their eyes and got them hiring folks with non-Windows OS experience into their OS team is, of course, arguable.
It's still true that MS didn't really "get" security at that point - and not long after, they did (including the fact that your customers will blame you even if you DID release the patch a year earlier). The update and notification process is certainly light years better.
Today, the problem may be recession-level staffing. Management sees the servers run - and profits are thin. So like a guy with no money and bad brakes who says "car still seems to stop when I want it to"...hope for the best and refuse to imagine the worst.
Gotta agree with you on all of that.
I always thought it was the market share they were losing to Linux and Apple that woke them up to the security issues, and XP SP2 was their response. Everything else seemed to flow from that.
Then they went too far on that for a lot of people with Vista and UAC.
As for blaming MS even if they released a patch, there was a big security hullabaloo a couple of years ago with "encrypted SQL injection", and MS got blamed for that, even though Oracle, MySQL, IBM and so on database servers were just as vulnerable and had just as many problems. Had nothing to do with SQL Server, it was coding practices on top of it that mattered, but MS got a lot of negative media for it at the time. I actually heard a news commentator say that MS was working to fix it right after stating that more Oracle and MySQL servers were affected than SQL Server instances. Was pretty funny. So, yeah, they'll be blamed for security issues, even when it's not their product at fault, much less their patching practices. But they did more than earn that rep in the 90s and early 00s.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
November 3, 2010 at 2:53 pm
CirquedeSQLeil (11/2/2010)
One side of me wants to say this should no longer be an issue. The realist side of me realizes that there are so many SQL installs out there that are unpatched or even in RTM still. The real issue should be to get people to patch their servers and SQL installs appropriately.
It would be so easy to agree - because you're right!
But - unless the company is specifically a SQL Server service provider, the problem is that money spent on specialist staff and proactive systems management only pays off over the long haul. In an economic downturn, firms need to survive the short haul - else the long haul doesn't matter.
This leads to a fairly frustrating state of affairs for experienced professionals who take pride in their work - and are working hard in a "reactive only" environment, at least for the time being - so the widget manufacturer or day school or trucking outfit we may work for is still around 6 months from now.
This will become self-correcting over time, of course. It's like waiting for the dying hot water heater to die before you replace it. Unfortunately, sometimes you have to work that way. And when the inevitable failure occurs, you hope you hit the right balance of having warned them, without becoming the vexing annoying worrywart that gets ignored totally as a "chicken little".
Roger L Reid
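Greg E's acceptance rule earlier in the thread (a service pack is required, RTM builds are out, SQL 2000 is out, 2008 R2 is decided case by case) and the quoted point that the real issue is getting installs patched appropriately both reduce to the same inventory check. The script below is an added example, not code from the thread or from any of the posters. It assumes the inputs are the strings SERVERPROPERTY('ProductVersion') and SERVERPROPERTY('ProductLevel') return on a live instance; the server names, build numbers and policy thresholds in it are constructed for illustration and are not from the thread.

```python
"""Classify SQL Server instances against a patch-level support policy.

Added example (not from the forum thread). Inputs mirror the values
SERVERPROPERTY('ProductVersion') and SERVERPROPERTY('ProductLevel') return;
the sample inventory below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable

# (major, minor) prefix of ProductVersion -> product name.
# 2008 and 2008 R2 share major version 10 and differ in the minor field.
_PRODUCT_NAMES = {
    (8, 0): "SQL Server 2000",
    (9, 0): "SQL Server 2005",
    (10, 0): "SQL Server 2008",
    (10, 50): "SQL Server 2008 R2",
}


@dataclass(frozen=True)
class Verdict:
    product: str
    level: str
    status: str  # "ok", "review" or "unsupported"
    reason: str


def parse_product_version(product_version: str) -> tuple[int, int]:
    """Return the (major, minor) pair from a dotted build string such as '10.50.1600.1'."""
    parts = product_version.strip().split(".")
    if len(parts) < 2:
        raise ValueError(f"unexpected ProductVersion: {product_version!r}")
    return int(parts[0]), int(parts[1])


def classify(product_version: str, product_level: str) -> Verdict:
    """Apply the policy stated in the thread to one instance.

    Policy (constructed from Greg E's post, assumption for this example):
      - SQL Server 2000: unsupported regardless of patch level
      - any RTM build: unsupported, a service pack is required
      - SQL Server 2008 R2: acceptable only after case-by-case review
      - versions the policy does not name: flagged for review, not auto-approved
    """
    key = parse_product_version(product_version)
    level = product_level.strip().upper()
    product = _PRODUCT_NAMES.get(key, f"unknown ({product_version.strip()})")

    if key not in _PRODUCT_NAMES:
        return Verdict(product, level, "review", "version not covered by the policy")
    if key == (8, 0):
        return Verdict(product, level, "unsupported",
                       "SQL Server 2000 is outside the policy regardless of patch level")
    if level == "RTM":
        return Verdict(product, level, "unsupported",
                       "RTM builds are not acceptable; a service pack is required")
    if key == (10, 50):
        return Verdict(product, level, "review", "2008 R2 acceptance is decided case by case")
    return Verdict(product, level, "ok", f"{product} at {level} meets the policy")


def audit(inventory: Iterable[tuple[str, str, str]]) -> dict[str, Verdict]:
    """Run classify() over (server_name, ProductVersion, ProductLevel) rows."""
    return {name: classify(version, level) for name, version, level in inventory}


def unsupported_servers(inventory: Iterable[tuple[str, str, str]]) -> list[str]:
    """Names of instances that fail the policy outright, sorted for stable reporting."""
    return sorted(name for name, v in audit(inventory).items() if v.status == "unsupported")


# Constructed inventory: hostnames are placeholders, build strings are examples only.
SAMPLE_INVENTORY = [
    ("store-poll-01", "9.00.1399.06", "RTM"),   # 2005 RTM: rejected
    ("store-poll-02", "9.00.4035.00", "SP3"),   # 2005 SP3: acceptable
    ("legacy-erp", "8.00.2039", "SP4"),         # 2000: rejected even at SP4
    ("reporting-01", "10.0.2531.0", "SP1"),     # 2008 SP1: acceptable
    ("reporting-02", "10.50.2500.0", "SP1"),    # 2008 R2 SP1: needs review
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{name:15} {verdict.product:20} {verdict.level:4} {verdict.status:12} {verdict.reason}")
```

Feeding the script real rows is a matter of running `SELECT SERVERPROPERTY('ProductVersion'), SERVERPROPERTY('ProductLevel')` against each instance from your inventory tool; the policy table is deliberately a plain dictionary so a team can extend it as new versions are approved rather than hard-coding build numbers.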