News
Blogs
Shark Bait
Knowledge Centers
Opinion
Webcasts
Video
Podcasts
IT Careers
White Papers
Computerworld Reports
Zones
Case Study Library
RSS Feeds
Events
Industry
This Week in Print
Print Subscriptions


Ads by TechWords

See your link here


Eric Ogren's picture
Eric Ogren

Security Impact

More posts | Read bio

October 19, 2006 - 4:32 P.M.

Let's give Microsoft SQL Server some credit

9 comments

Oracle continues to gather attention for disclosing staggering numbers of vulnerabilities in their database products. It will be their turn to be on the hot seat for a while. While others are hammering away at Oracle, I took a look at Microsoft SQL Server to see how they are faring.

Microsoft has taken a ration of grief over the years for the security vulnerabilities that arise from buggy code. And they deserved it. Companies running their business on a technical infrastructure need to be sure that the infrastructure and the confidential information that the business produces can be trusted. With that background, Microsoft used SQL Server as the guinea pig for its Security Development Lifecycle. After a couple of years of hard engineering work, the early returns on SQL Server merit attention and respect.

I did a quick comparison of CVE submissions in 2006 for Microsoft and Oracle databases. I chose CVEs over bulletins and patches because the vendors have less ability to control CVE data. The numbers are amazing. I found but 2 CVE entries for Microsoft SQL Server so far in 2006 (!); I found 68 CVE entries for Oracle Database. (An equivalent search with “Microsoft + Database” also only yields 2 hits for 2006). I made no attempts to drill into the details of CVEs as a 30X difference really is the point.

Admittedly not all of these CVEs translate into security vulnerabilities, but it is pretty clear to me where I would want my confidential data to reside.

What People Are Saying

Add new comment

JR – wrong – it has

Submitted by Rock on September 10, 2007 - 1:02 P.M.

JR – wrong – it has nothing to do with support, sizing or admin - its all about the architecture. Until SQL Server gets rid of the locking concurrency model and is ported to other platforms, it will continue to play second fiddle to Oracle. SQL Server’s biggest down fall is it only runs on Windows – which still doesn’t efficiently scale past 4 CPUs. And MSFT has no answer for RAC and Grid. Study the products and you will find out why leading technology companies like Yahoo have bet their business on Oracle.

Report this comment

Is MS SQL really as scalable

Submitted by jr on August 30, 2007 - 6:48 P.M.

Is MS SQL really as scalable as Oracle? Can yahoo run an SQl server for example, or banks with with millions of clients?

Yes, with a premium support as Oralce and big clients do

And all related task, like sizing, administering in a good way. etc. etc.

Report this comment

I agree with Amos. I deal

Submitted by Anonymous on July 30, 2007 - 4:38 P.M.

I agree with Amos. I deal with many companies, small, middle, big, bigger and giant. small and middle size companies use MS SQL. Others, banks (even the biggest in EU), goverment...cities.... they all use Oracle. Why? Maybe level of scalability is the answer.

Report this comment

Is MS SQL really as scalable

Submitted by Amos on July 28, 2007 - 6:06 A.M.

Is MS SQL really as scalable as Oracle? Can yahoo run an SQl server for example, or banks with with millions of clients?

Report this comment

Are some MS SQL Server 2005

Submitted by Kevin on February 22, 2007 - 4:41 P.M.

Are some MS SQL Server 2005 issues fixed when the Windows OS is patched? I would think that they're tied very tightly.

Report this comment

Yes, I was also pleasantly

Submitted by Brian on October 26, 2006 - 12:23 A.M.

Yes, I was also pleasantly surprised by the low number of SQL Server 2005 as well although there are more than a few bugs out there that are more than annoying. Therefore, I have a comment about the quality of mainframe products versus microcomputer products. I started in the mainframe world and one thing I learned hanging out with the IBM system engineers was that there was zero tolerance for bugs or vulnerabilities and I incorporated it into my worldview. Fortunately I was at a very young age so "I didn't know any better." [I started programming mainframes at age 10, a table of logarithms to base pi for geometric calculations.] That attitude is far from pervasive in the microcomputer world and why I distinguish myself as a software/database engineer (among other types) rather than a developer.

I have programs out there still in use by the military that are almost twenty years old, still run under the latest and greatest (?) versions of whatever line of microcomputer operating systems they were programmed for and have yet to show one bug or vulnerability. These were not small applications or application suites designed and executed by my teams. I think it is high time we start holding the industry to much higher standards but I won't hold my breath expecting to see it happen.

Report this comment

You are right - the IBM

Submitted by Eric on October 24, 2006 - 10:45 A.M.

You are right - the IBM databases also deserve kudos. People have been predicting the death-spiral of mainframes for a generation now, but they hang in there because DB2 works, and works well. Thanks for pointing this out.

Report this comment

IBM Mainframe is an

Submitted by Michael J Geiser on October 23, 2006 - 12:18 P.M.

IBM Mainframe is an Operating System not a Database...

Run the search on DB/2 and you get 4 2006 hits.

Mainframes are difficult/impossible to justify for acquisition and maintenance costs, capacity, development costs, etc compared to Oracle and SQL Server based systems.

Report this comment

Let's see... And how many

Submitted by Anonymous on October 21, 2006 - 6:00 P.M.

Let's see...
And how many hits did you find on the IBM mainframe [a search on 'z/OS'; unqualified]?

I found two, both under review and therefore may go away. And, of the two, one was a CA product and not IBM's.

I'm always amazed that the mainframe never seems to get the credit it is due.

I an NOT interested in getting this published, but only getting it to someone who WRITES for the magazine.

Report this comment

Related Posts

Google China censorship: opinion roundup
Do Railhead right or don't deploy until it IS right
We have met the enemy, and he is us.
DBA's not to blame for Oracle patch application failures?

Editor's Picks

Attacks likely against Windows, PowerPoint, researchers say

Google Buzz takes the fight to Facebook, Twitter

Judge dismisses Windows anti-piracy software lawsuit

Microsoft e-health research taps Xbox, mobile phones

Review: 3 encryption apps keep your data safe

Startup opens offshoring alternative in distressed Michigan

About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures
IDG.net InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World The Industry Standard
Copyright © 1994 - 2010 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of
Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.