Microsoft SQL Server Runs the Security Table


In my opinion, SQL Server 2000 SP3, SQL Server 2005 and IIS6 have been the poster children for the Security Development Lifecycle (SDL). Enterprise Strategy Group just released a research paper comparing the security of SQL Server with Oracle and MySQL.


And no, this was not commissioned by Microsoft!

Comments (3)

  1. Mike H. says:

    I don’t believe the data at all in this report and anyone who takes a look at the nvd.nist.gov site will see that his numbers are total BS.

    It looks like this person's research was based upon doing a few very basic searches in the nvd.nist.gov database. If I do the same searches he used, yes, I get 2 results for "Microsoft database", but they have nothing to do with SQL Server. One issue is around Visual Studio and another is around some non-Microsoft portal product.

    How many of the "hits" in his simple query are totally wrong for Oracle and MySQL? Unless there is a bit better proof than citing a couple of poor queries, this document means nothing and shouldn't be something Microsoft is proud of.

  2. Rory McCune says:

    Whilst I agree with the overall point, SQL Server (especially 2005) is way better than Oracle/MySQL on the security front, the numbers this study uses seem odd.

    They've not specified product version, and that's just going to make the numbers very odd. They've also not (that I can see) specified their exact methodology; the comment above implies that their methodology may not be the best!

    Here's a better (IMO) analysis, using Secunia, which actually breaks things down well by product.

    Number of advisories per product from 2003-2006:

    Microsoft SQL Server 2000 - 10
    Microsoft SQL Server 2005 - 0
    MySQL 3                   - 11
    MySQL 4                   - 19
    MySQL 5                   - 5
    Oracle 8i                 - 17
    Oracle 9i Enterprise      - 23
    Oracle 10g                - 13

    Now I know it's possible to argue the point around severity etc. and product age, but I'd say it's still a pretty clear win for Microsoft...

  3. I was quite surprised when a number of folks criticized the data used in the report titled " Microsoft