
SQL Server Blogs

Voices from the UK SQL Server Community

Rob's SQL Server Blog

... SQL Server thoughts from the field

Update: Two-thirds of Oracle DBAs don't apply security patches

This scary article reminded me of a conversation I had with a colleague in the middle of a team meeting recently. It centred around the perceived lack of security of SQL Server compared to Oracle, and the Slammer worm was cited as an example. The damage done by Slammer was entirely caused by DBAs and SysAdmins not applying critical updates to their SQL Server 2000 machines: the worm exploited a buffer overflow in the SQL Server Resolution Service (MS02-039) for which Microsoft had shipped a patch some six months before the outbreak, so every infected machine was running known-vulnerable, unpatched code.

I guess that mud sticks and people remember the impact of Slammer, but the lesson is that DBAs (or at least the ones who want to keep their jobs) must make sure every critical security patch is deployed. Of course, to date there have not been any critical security patches released for SQL Server 2005, so it looks like Microsoft are getting their act in order in this respect, but we can't afford to be complacent: a patch that has not been applied protects nobody.
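Knowing which instances still need patching is the first step. The script below is an added example, not code from the original post: it takes the ProductVersion and ProductLevel values that `SELECT SERVERPROPERTY('ProductVersion'), SERVERPROPERTY('ProductLevel')` returns on each instance, compares the build against a required baseline, and flags anything still at RTM. The inventory rows are constructed, and the baseline builds are placeholders chosen for illustration; populate them from the vendor's own release list for the patches you require.

```python
"""Flag SQL Server instances whose build is below a required patch baseline.

Added example, not from the original post. The inventory rows below are
constructed; in practice they come from
  SELECT SERVERPROPERTY('ProductVersion'), SERVERPROPERTY('ProductLevel')
run against each instance. The baseline builds are assumptions used as
placeholders and must be taken from the vendor's release list.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Instance:
    name: str
    product_version: str   # e.g. "8.00.2039", as returned by SERVERPROPERTY
    product_level: str     # e.g. "RTM", "SP3", "SP4"


def parse_build(version: str) -> tuple[int, ...]:
    """'8.00.2039' -> (8, 0, 2039); tuple comparison then orders builds."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ProductVersion {version!r}")
    return tuple(int(p) for p in parts)


# Minimum acceptable build keyed by major version (8 = SQL Server 2000,
# 9 = SQL Server 2005). These values are assumptions for the example;
# replace them with the builds that carry the patches you require.
BASELINE = {
    8: "8.00.2039",
    9: "9.00.3042",
}


def assess(inst: Instance, baseline: dict[int, str] = BASELINE) -> tuple[str, str]:
    """Return (status, reason); status is 'ok', 'patch' or 'unknown'."""
    build = parse_build(inst.product_version)
    if inst.product_level.strip().upper() == "RTM":
        # Never received a service pack: flag it before looking at builds.
        return "patch", "still at RTM"
    required = baseline.get(build[0])
    if required is None:
        # No baseline for this major version: report it rather than assume.
        return "unknown", f"no baseline for major version {build[0]}"
    if build < parse_build(required):
        return "patch", f"build {inst.product_version} < required {required}"
    return "ok", f"build {inst.product_version} >= required {required}"


def report(instances, baseline: dict[int, str] = BASELINE) -> dict[str, tuple[str, str]]:
    """Assess every instance in the inventory, keyed by instance name."""
    return {i.name: assess(i, baseline) for i in instances}


SAMPLE = [  # constructed sample inventory, not real hosts
    Instance("SQL01", "8.00.194", "RTM"),
    Instance("SQL02", "8.00.760", "SP3"),
    Instance("SQL03", "8.00.2039", "SP4"),
    Instance("SQL04", "9.00.3042", "SP2"),
    Instance("SQL05", "9.00.1399", "RTM"),
]

if __name__ == "__main__":
    for name, (status, reason) in report(SAMPLE).items():
        print(f"{name}: {status:7} {reason}")
```

Run against a real inventory, the "patch" and "unknown" rows are the ones to chase; the RTM check is deliberate because an instance that has never had a service pack applied is the clearest sign of the complacency the post warns about.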

Published Feb 08 2008, 09:50 AM by robcarrol

Comments


Dave said:

The reason I see for this is because Oracle is such a different animal, DBAs don't want to install patches on live servers unless they have the time to fully evaluate the impact they might have.  For example we run both SQL Servers (around 25-30) and 3 Oracle Servers (running under AIX).  Our Oracle boxes don't need much maintenance, cache hit ratio is above 97% most of the time and generally all runs well.  We had a software upgrade which caused us to move from 10.1 to 10.2.  What we didn't see was that Oracle's query optimiser had been changed significantly, in regards to how it handles #joins meaning performance (for us) dropped through the floor and queries that used to take 15-20 seconds now took 2-3 days.  It took months of talking to Oracle support before they picked up on the query optimiser change in the upgrade.  Whilst I have no objections to keeping everything patched, we need to make sure critical systems (especially those running on Oracle) don't get too adversely affected by the update.  With our SQL boxes, it's a hell of a lot easier to remove a patch (or rebuild SQL) than it is Oracle.  As such, with Oracle I take a "not broke, don't fix" attitude (rightly or wrongly).  Plus our servers are safely tucked away behind a couple of firewalls, and as long as our network boys are doing their job, the servers are safe! :)

Dave

February 8, 2008 3:22 PM

robcarrol said:

Hi Dave, good point. I got into all sorts of issues regarding AWE memory after installing SQL Server 2000 SP4, so I know exactly where you are coming from (unfortunately the testing on our dev systems did not show up the issue as the machines were not using AWE as they only had 4GB RAM in them)! This article focuses on Oracle, but the figures for SQL Server may be exactly the same.

I guess the point I was making is that the Slammer worm could have been avoided if the systems had been patched previously with critical updates. I'm still coming across RTM systems in my organisation, which shows that some lessons still haven't been learned!

February 8, 2008 4:18 PM

Dave said:

I suppose it all comes down to your own risk assessment.  I'm sure most users of SQL Server are in positions where maintenance of a system that's working fine means they don't even look at patching.  With Oracle, I suppose there's no-one out there who's going to spend the time hacking it, whereas, as it's a MS product, it's open season.

But you're right - everyone should make sure their systems are patched, but it has to be done with consideration and thought.  Too often people just say "well it was working before I patched it", "really? so what patches did you apply?", "dunno, but they were from Microsoft, so it can't be those!".  The Slammer issue was the other side of this argument, but it speaks volumes that it even caused an issue in the first place.  Security measures should have been in place which stopped anything from going in/out on 1433.  SQL should have been set to another port, or at least completely hidden from the outside world.

I don't suppose we should complain too much however, because it was really simple and there weren't any problems - most of us wouldn't have a job ;)

Dave

February 8, 2008 5:42 PM

ssqa.net said:

Patches and service packs - don't miss out on bug fixes. How do you go about it?

It's not sufficient when you have secured access to the database; there may be other means in on the network.

February 13, 2008 10:59 AM