In This Issue:
In the past, security vulnerabilities in Microsoft products have attracted serious criticism. But after the Slammer outbreak, Microsoft realized security is no laughing matter. The current security strength of SQL Server shows the dramatic improvements the company has achieved.
Microsoft launches Windows Vista, the 2007 Office system, and Exchange 2007
New Instant Poll: Upgrading to Vista
"Are you planning to upgrade to Vista?" Go to the SQL Server Magazine home page and submit your vote for:
- We already have.
- We plan to upgrade in the next 3 months.
- We plan to upgrade in the next 6 months.
- Maybe, but it’ll be a year or more.
- No, we like XP just fine.
To ensure that future email messages you receive from SQL Server Magazine UPDATE aren't mistakenly blocked by antispam software, be sure to add [email protected] to your list of allowed senders and contacts.
Our Sponsors, Who Help Support the Free Delivery Of This Newsletter:
- Enhancing SQL Protection: A Case for Asynchronous Replication
- Special Report: Perspectives on SQL Server Sprawl
- ISV? Database version upgrades painful?
- SQL Sentry Adds Support for Oracle!
November 30, 2006
- No Joking About SQL Server Security
2. SQL Server Watch
- Windows Vista, 2007 Office System Launch is “Most Significant in Microsoft History”
- IT Pro of the Month—October 2006 Winner
- Product Watch: LearnKey and Databk.com
- This Month’s Focus: SQL Server Management Tools: T-SQL and SQLCLR Debugging
3. Hot Articles
- Reader to Reader: Stored Procedure Searches for Strings
- T-SQL 2005: An Upgraded UPDATE
- Puzzled by T-SQL: Using the RECOMPILE Query Hint to Solve Parameter Sniffing Problems
- Hot Threads: SQL Server General Discussion and SQL Server 2005 Security
4. Events and Resources
- How Does Compliance Affect IT Infrastructure?
- Learn to Manage Windows and UNIX/Linux Networks
- Disaster Recovery: Digging for Buried Treasure?
- Alternatives to Traditional File Servers and Tape Storage
- Differentiate Between Disaster-Recovery Solutions
5. Featured White Paper
- TCO of an Email Archive
- SQL Server Performance Tips, Articles, and Forums
- Make Your Mark on the IT Community!
- SharePoint Pro Online—LIVE!
7. Web Community
Sponsor: Double-Take Software
Enhancing SQL Protection: A Case for Asynchronous Replication
Built-in SQL Server data protection features aren’t enough. Learn to use an automated data protection solution that provides 24x7 availability to meet today’s critical business demands.
No Joking About SQL Server Security
by Brian Moran, [email protected]
I’m a Microsoft fan, but I admit that telling Microsoft jokes is almost as easy as telling lawyer jokes. (I hope my legal team isn’t reading this, taking offense, and padding their bills to me in retaliation.) Security—or arguably the lack thereof—has long been an area in which Joe Public likes to poke fun at Microsoft. Because so many desktops worldwide run Windows, the popular press has countless opportunities for pointing out Microsoft’s foibles in this space.
But it looks like Microsoft might be improving its security reputation, especially in the SQL Server realm. A recent security briefing published by the Enterprise Strategy Group (ESG), “Microsoft SQL Server Runs the Security Table,” might be of interest to database and security professionals around the world. According to this compelling 3-page paper, “ESG considers Microsoft, with proper execution, to be years ahead of Oracle and MySQL in producing secure and reliable database products.”
Hmm. Wow. Could it be true? I’m not from Missouri, but I believe in the words of the state’s nickname, The Show-Me State. Seeing is believing—unless you’re at a magic show.
The ESG report focuses on a review of Common Vulnerabilities and Exposures (CVE) data from the National Institute of Science and Technology (NIST) National Vulnerability Database to compare security vulnerabilities in SQL Server, Oracle, and MySQL. The results were interesting. For 2006, SQL Server currently has two CVEs, MySQL has 59 CVEs, and Oracle has 70 CVEs. (Note that although ESG’s paper focuses on SQL Server, Oracle, and MySQL, Sybase has seven CVEs for 2006 and IBM DB2 has four.)
I’m not a security expert, and to be honest, I don’t know for sure that the National Vulnerability Database is the only—or best—indicator of database vulnerabilities. But all the vendors who are included in the database self report, and the ESG report says that it used the National Vulnerability Database because it’s a registry that collects data from numerous commercial, academic, and research groups who focus on security matters. The difference between two SQL Server CVEs and 70 Oracle CVEs has to mean something.
The report notes that “Microsoft’s results are almost too good to be true,” and the Missouri lover in me also marvels at the reported results. Honestly, I’d be inclined to discount the report if it weren’t for the connections I have with certain members of the SQL Server product and program-management teams. I was with certain Microsoft engineers on the day that Slammer swept the world a few years ago, and I know how embarrassing that event was for Microsoft. I’ve heard all the standard “we’re going to make it better” promises and understand why customers have been skeptical. But I’ve been able to talk to the SQL Server team members who are responsible for implementing those promises, and I know that they take their responsibility very seriously. Usually, the adage “if it looks too good to be true, then it’s probably not true” is correct, but in this case, the good news really is true. Usually it’s easy to poke fun at Microsoft, but Microsoft has been kicking some serious butt in the race to have a hardened, secure database platform.
Slammer, and the incessant wave of security patches that followed, forced Microsoft to make hard decisions about the way that security would be managed, and at one point caused a many-months-long delay of new work on SQL Server 2005 and 2000 as massive engineering resources were pumped into detailed code review and design reviews to ensure that security was “baked into the core,” as some Microsoft folks like to say. Read the entire ESG report for more insight about how Microsoft achieved these impressive CVE results for 2006. Instead of “it’s too good to be true,” perhaps this time the best advice is “don’t look a gift horse in the mouth.”
Special Report: Perspectives on SQL Server Sprawl
How many SQL Servers are you managing? Is your database inventory out of control? Are costs difficult to manage? You’re not alone. Download this special report today to find out how SQL Server sprawl affects your organization, and learn best practices for preventing it.
2. SQL Server Watch
Windows Vista, 2007 Office System Launch is “Most Significant” in Microsoft History
At a New York press conference this morning, Microsoft Chief Executive Officer Steve Ballmer announced the business availability of Windows Vista, the 2007 Microsoft Office system, and other new products including Office PerformancePoint Server 2007 and SQL Server 2005 Data Mining Add-Ins for Office 2007. Office PerformancePoint Server 2007 (currently available only as a Consumer Technology Preview—CTP—at http://connect.microsoft.com/site/sitehome.aspx?SiteID=181) is the company’s performance-management application, which includes business scorecarding, analytics, and planning functionality. SQL Server 2005 Data Mining Add-Ins for Office 2007 (available as part of the Feature Pack for SQL Server 2005 Service Pack 2 CTP, downloadable at http://www.microsoft.com/downloads/details.aspx?FamilyID=7A9AD90F-7F95-4369-A206-E84053D63FD3&displaylang=en) let you take advantage of SQL Server 2005 predictive analytics in Microsoft Office Excel 2007 and Microsoft Office Visio 2007. The download includes Table Analysis Tools for Excel, Data Mining Client for Excel, and Data Mining Templates for Visio.
Availability of the newly launched products is currently limited to volume licensing customers. The products will be released to consumers and organizations without volume licensing agreements on January 30, 2007. According to Ballmer, this simultaneous release of Microsoft’s flagship products is “the most significant release in company history.” The multi-product release is based on feedback from more than 1 billion user sessions during testing of more than 5 million beta downloads. Microsoft says that the close partnership between the company and beta testers has resulted in new capabilities in Windows Vista and the 2007 Office system, including “advances in graphics and pervasive support for XML.” Microsoft also emphasized the role of the 2007 Office system as a platform for “developing business applications that will eliminate the barriers between organizations, systems, processes and information.” You can read the press release, including a complete list of newly released products, at http://www.microsoft.com/presspass/press/2006/nov06/11-30NewDayPR.mspx.
IT Pro of the Month—October 2006 Winner
Congratulations to Chris Stanley, who was voted the October 2006 IT Pro of the Month. Chris built an Apache Web server (using MySQL and FileZilla) and designed an intranet on which he posted manuals and protocols used in a 911 center. Vital information is now centralized and can be accessed quickly when time matters most. To learn more about Chris’s solution and find out how you can become the next IT Pro of the Month, please visit http://www.windowsitpro.com/go/itpromonth.
by Blake Eno, [email protected]
Learn How to Implement and Maintain a SQL Database
LearnKey released Microsoft Certified Technology Specialist Track (MCTS) for Structured Query Language (SQL) 2005 training. This learning track covers all prerequisites for the new Microsoft Professional Level Curriculum and is the foundation for SQL Server database administrators. In this course, you’ll learn how to write queries and implement and maintain a database. This is the entire material contained in Microsoft Exam 70-431, the certification test for SQL Server professionals. This course is taught by Microsoft Certified Professional Wayne Snyder and includes 15 sessions and approximately 45 hours of study. LearnKey's MCTS SQL Server 2005 series costs $1080 for individuals or $2695 for multiple seats. The learning track is available online, on DVD, and on CD-ROM. For more information, contact LearnKey at 800-865-0165 or vitsit http://www.learnkey.com.
Backup and Restore Tool
Databk.com announced SQL Server Backup 6.1, a backup-and-restore utility for SQL Server 2005. The software supports full database backup, differential backup, and transaction log backups with data compression and 128- or 256-bit encryption. The product's email reports provide information about an unfinished or finished backup or restore job. SQL Server Backup supports multiple SQL Server instances and can restore a database to a point of failure. The software also deletes expired backups automatically. SQL Server Backup is priced at $79.95. Volume discounts are available. For more information, contact Databk.com at [email protected] or [email protected]
This Month’s Focus: SQL Server Management Tools: T-SQL and SQLCLR Debugging
Learn the magic key for enabling cross-process debugging: http://www.sqlmag.com/Articles/ArticleID/42211/42211.html.
ISV? Database version upgrades painful?
DB Ghost Packager Plus enables ISVs to develop an installer for their customers containing the new version of their product that will automatically bring any target database to the same level as the source database. ISV customers just launch the Packager Plus installer.exe, choose the location and name of the database, set the basic settings, and click—it’s done. Excuse the cliche, but it really is as simple as that. Download our 14-day Free Trial.
3. Hot Articles
Reader to Reader: Stored Procedure Searches for Strings
Send your SQL Server code, comments, discoveries, and solutions to [email protected]
Here's a stored procedure that searches the syscomments, sysobjects, syscolumns system tables in the local database for any reference to the string you specify. Read the full article at http://www.sqlmag.com/Articles/ArticleID/50250/50250.html.
T-SQL 2005: An Upgraded UPDATE
Enhancements to UPDATE in SQL Server 2005 help avoid deadlocks caused by simultaneous database requests. Read this article today and post your comments at http://www.sqlmag.com/Articles/ArticleID/93729/93729.html.
Puzzled by T-SQL: Using the RECOMPILE Query Hint to Solve Parameter Sniffing Problems
Sometimes you find that a tool designed to solve one problem is helpful in solving other problems as well. Read how Itzik Ben-Gan accidentally discovered that the new SQL Server 2005 RECOMPILE query hint can help solve parameter sniffing problems. Post your comments on the blog today at http://www.sqlmag.com/article/articleid/94369/sql_server_blog_94369.html.
- SQL Server General Discussion: XML transition from SQLXML 3.0 to SQL 2005
- SQL Server 2005 Security: SSL Error Message
4. Events and Resources
How will compliance regulations affect your IT infrastructure? Help design your retention and retrieval, privacy and security policies to make sure that your organization is compliant. Download the free eBook today!
Now that Microsoft and Novell have announced their alliance, you can't miss an opportunity to learn about new ways to manage Windows and UNIX/Linux networks efficiently. Register now for TechX World—free online December 14—and learn how to manage your heterogeneous environment. Topics include task automation and scripting, data access and application management, file and print sharing, and security and access considerations. Register today!
After disaster strikes, does recovering your data feel like digging for buried treasure? Test your disaster-recovery skills, and you could win! Each week, we'll give away a USB flash drive to one lucky treasure hunter. You'll also be entered to win the full treasure chest, including Bose headphones! Test your skills now!
Learn about the advantages for each alternative to traditional file servers and tape storage solutions, and make the best choice for your enterprise needs. On-Demand Web Seminar.
Learn to differentiate between alternative solutions to disaster recovery for your Windows-based applications and to ensure seamless recovery of your key systems--whether a disaster strikes just one server or the whole site. On-Demand Web Seminar.
Bonus: Register for any Web semina—live or on-demand—during the month of November, and you could win a PS3! View a full list of eligible seminars at http://www.windowsitpro.com/events/Index.cfm?Filter=webSeminars&fID=1.
5. Featured White Paper
TCO of an Email Archive
What’s the true cost of an in-house email archiving solution, and how does it compare to the cost of an outsourced solution? Find out from independent researchers what the TCO of both solutions really is and how the management of an in-house solution can strain IT budgets and staff. Download your copy of this whitepaper today!
Hot Spot: Intercerve
SQL Sentry Adds Support for Oracle!
vent Manager delivers “Outlook-style” visibility and functionality to easily manage intricate and voluminous job streams, including support for geographically distributed deployments and configuration of powerful event chains. Download a full trial today!
SQL Server Performance Tips, Articles, and Forums
Get hundreds of free tips and articles on SQL Server performance-tuning and clustering. And get quick and accurate answers to your performance- and cluster-related questions in our forum. All from the SQL Server performance and clustering authority: SQL-Server-Performance.com.
Make Your Mark on the IT Community!
Nominate yourself or a peer to become IT Pro of the Month. This is your chance to get the recognition you deserve and be acknowledged in the IT community. Winners will receive more than $600 in IT resources and be featured in Windows IT Pro and the TechNet Flash email newsletter. Entering is easy—we're accepting December nominations now for a limited time! Submit your nomination today: http://www.windowsitpro.com/go/itpromonth.
SharePoint Pro Online—LIVE!
Join us for this premier virtual event for developers and administrators of SharePoint products and technologies. Brought to you by MSD2D and the Windows IT Media Community, this event will demonstrate, showcase, and exhibit the premier companies in the SharePoint market. The conference will bring industry experts to the desktops of attendees, educating them on various SharePoint topics. To register: http://events.unisfair.com/rt/sharepoint?code=mix.
7. Web Community
- About the newsletter—[email protected]
- About SQL Server Perspectives—[email protected]
- About technical questions—http://www.sqlmag.com/forums
- About product news—[email protected]
- About your subscription—[email protected]
- About sponsoring SQL Server Magazine UPDATE—Richard Resnick, [email protected]
SQL Server Magazine UPDATE is brought to you by SQL Server Magazine, the only magazine devoted to helping developers and DBAs master new and emerging SQL Server technologies and issues. Subscribe today!
SQL Server Magazine is a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2006, Penton Media, Inc. All Rights Reserved.