SQL SERVER – Differences in Vulnerability between Oracle and SQL Server

In the IT world, though not among experienced DBAs, there is a long-standing myth that Oracle's database platform is more stable and more secure than Microsoft SQL Server. There are several reasons for this; in my opinion, the main ones are the following:

A. Microsoft development platforms are generally more error-prone and full of bugs.

This unfairly projects the weaknesses of early versions of Windows onto Microsoft's other products, such as SQL Server, which is a stable and secure platform in its own right.

B. Oracle has been around for longer than SQL Server and must therefore be more stable and secure.

Well, this counts for nothing: being around longer does not make you wiser. Need more proof? Look at General Motors.

Let us compare Oracle's DB platform and SQL Server on a few points:

Number of reported vulnerabilities per product

In my opinion, this is the most basic test of stability and security: the number of vulnerabilities and bugs reported against a product is a rough inverse measure of its security and stability. These figures are usually compiled by independent information-security companies, so there is no question of "hiding the numbers." One caveat a practitioner should keep in mind is that an advisory count also reflects how a vendor discloses and bundles fixes (a single Oracle CPU can carry many CVEs), so the figures are best read alongside severity and exposure rather than on their own.

In this regard, Oracle fares poorly compared with SQL Server: Oracle Corporation releases a remarkably large number of patches and quarterly Critical Patch Updates (CPUs) for its DB platform. To be fair, here are the usual arguments made in Oracle DB's defence, together with answers to them:

Oracle runs on several platforms, while SQL Server only runs on Windows

Answer: This does not explain the gap. The reported bugs and patches are almost all cross-platform, which implies that they are OS-independent.

Oracle DB also includes several other components, so we are not comparing like with like

Answer: Here I considered only the database server components; problems arising from components such as the Intelligent Agent or Oracle Application Server are not included.

Let us compare the November 2009 Secunia vulnerability statistics for Oracle 11g [1] and SQL Server 2008 [2]:

    Product            Advisories   Vulnerabilities
    SQL Server 2008             0                 0
    Oracle 11g                  7               239

This does not hold only for the latest platforms, Oracle 11g and SQL Server 2008. Taking a historical perspective, Microsoft patched 59 vulnerabilities in SQL Server 7, 2000 and 2005 over the past six years, while over the same period Oracle issued 233 patches for software flaws in Oracle 8, 9 and 10g. Moreover, in 2006 Microsoft SQL Server 2000 with Service Pack 4 was ranked the most secure database on the market, together with the open-source PostgreSQL project; Oracle 10g was placed at the very bottom of the same list.

DBAs are wary and tired of patching the Oracle DB

A survey conducted in January 2008 [3] showed that two-thirds of Oracle DBAs do not apply security patches. The underlying cause is that Oracle Corporation releases a huge number of patches and fixes for various bugs, which in turn creates this secondary problem: tracking, testing and installing several patch releases every year involves a great deal of effort and fatigue. In 2009 alone, Oracle released 33 patches for its DB.

However, I am not suggesting that Oracle DBAs are lazy or do not take database security seriously. The main reason many DBAs are wary of patching Oracle databases is complexity. Patch testing, including CPU testing, is a long and intensive process. Because of the large number of bug fixes and CPUs Oracle releases, many application vendors whose products run on an Oracle DB simply do not have time to certify a patch, or as soon as they do, another one is released. The consequence is that if their clients install an uncertified patch, the vendor can rightfully refuse to support them should that patch cause an error in the application.

Slavik Markovich, the Chief Technology Officer of database vendor Sentrigo Inc, said at a conference: "To apply the CPU, you need to change the binaries of the database. You change the database behavior in some ways that may affect application performance. So applying security patches to a database typically involves testing them against the applications that feed off the database. This is a very long and very hard process to do, especially if you are in enterprises with a large number of databases and applications. Applying these patches means months of labor and sometimes significant downtime, both of which most companies can't afford."

Microsoft has a working system of patch testing and rollout, whereas Oracle does not have such a system

Trustworthy Computing is a Microsoft initiative rather than a tool; the tooling it is associated with in practice is Microsoft Update and WSUS, which proactively identify missing patches (SQL Server service packs and security updates included) and let you install them. When Microsoft launched the initiative, many people did not take it seriously, but it has proven to be a lifesaver for busy DBAs and system administrators who simply do not have time to chase missing patches. Oracle does NOT have an equivalent tool.

Also, Oracle does not make life easier for companies that want to keep their databases secure: downloading and installing patches is complex. With SQL Server you can schedule automatic installation of updates and patches, and if an update has an undesired effect on your application you can simply uninstall it, leaving the database engine as it was before the update, somewhat like the System Restore feature of Windows. With Oracle DB, both installing and removing patches are complex operations that are not easy to do and undo, except for a seasoned DBA.
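As an added example, not from the original post: before weighing how easy a platform makes installing or rolling back patches, the check a DBA actually runs is whether the current CPU or service pack is present at all. The two queries below are mine, one per platform, and assume a 2009-era Oracle 11g home and a SQL Server 2008 instance; the build number you compare the SQL Server result against comes from the vendor's security bulletin, which this page does not list.

```sql
-- Added example (not from the original post): show what is actually installed
-- before arguing about rollback or automatic installation.
-- Assumes: SYSDBA on the Oracle side (registry$history is owned by SYS);
-- SERVERPROPERTY() on SQL Server needs no special permission.

-- === Oracle 11g: what has the SQL part of a CPU/PSU recorded? ===
-- registry$history is written by catcpu.sql / catbundle.sql, so a row here
-- means the post-install SQL ran in this database, not merely that OPatch
-- updated the ORACLE_HOME binaries. For the binary side, run
-- "opatch lsinventory" from that home and reconcile the two lists.
SELECT TO_CHAR(action_time, 'YYYY-MM-DD HH24:MI') AS applied_at,
       action,
       namespace,
       version,
       id,
       comments
  FROM sys.registry$history
 ORDER BY action_time;
-- An empty result on a home that has been in production for a year is the
-- "two-thirds do not patch" finding from the survey, made visible locally.

-- === SQL Server 2008: which build is running? ===
-- ProductLevel gives the service pack (RTM, SP1, ...); ProductVersion is the
-- build number that a GDR/CU security bulletin cites. Compare it to the
-- bulletin's build component by component (10.0.2531 is newer than 10.0.1600),
-- not as a string, or "10.0.1600.22" will sort after "10.0.10xx" style builds.
SELECT SERVERPROPERTY('ProductVersion') AS ProductVersion,
       SERVERPROPERTY('ProductLevel')   AS ProductLevel,
       SERVERPROPERTY('Edition')        AS Edition;
```

The Oracle query deliberately reads the database's own record rather than the inventory on disk: the two drift apart when a patch is applied to the binaries but the post-install scripts are never run, which is exactly the half-applied state an auditor wants to find.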

However, the single most crucial factor in Microsoft's success at database security management is its Security Development Lifecycle (SDL) [4]. Under the SDL, knowledge gained from resolving problems is never lost; it is fed back into the cycle. Instead of repeating the same mistakes, you can at least ensure that new code is more secure than old code, even if it is not completely secure. For instance, the mistakes made and resolved while developing SQL Server 2005 were not repeated during the development of SQL Server 2008. By contrast, one issue that bothers developers and DBAs who use Oracle DB is that they come across the same mistakes in every version. When one problem is resolved, the fix is often not problem-free and in turn creates a new error; overall, there is no consistent and reliable process for correcting bugs. In fact, database consultant Karel Miko estimates that Oracle Corp. is about five years behind Microsoft in patch management [4].

Summary

I hope this article helps debunk the myth that SQL Server is a less stable and less reliable platform than Oracle DB. As many researchers and security consultancy firms worldwide have pointed out, SQL Server is consistently more secure and much less prone to errors and bugs than Oracle DB.

Sources:

[1] http://secunia.com/advisories/product/18050/?task=statistics_2009

[2] http://secunia.com/advisories/product/21744/?task=statistics_2009

[3] http://www.computerworld.com/s/article/9057226/Update_Two_thirds_of_Oracle_DBAs_don_t_apply_security_patches

[4] http://www.infoworld.com/d/security-central/database-expert-oracle-trails-microsoft-patch-management-166

Reference : Pinal Dave (http://blog.SQLAuthority.com)


14 thoughts on “SQL SERVER – Differences in Vulnerability between Oracle and SQL Server”

  1. Pinal,

    I prefer Oracle. Not because it's more stable (I haven't had an issue with SQL Server), but because

    1) I like the command line interface better; SQL Server's is not as featured.

    2) Oracle doesn't deprecate non-ANSI syntax.

    3) More functions. For example, many more windowing functions, movable windows, hierarchical queries.

    4) My impression about how the community responds in Microsoft is "use this because it works". In Oracle it's "use this because it's correct." I prefer the latter approach.

    5) If I see one product with 100 reported bugs and one with 10, I'd question whether there are 100 in the one because it is worse, or 10 in the other because they don't report everything. Or because it isn't as well tested. Or because people are happy with workarounds that just work.

    6) Oracle's longevity has proven the product. SQL Server until recently was putting in basic functionality. More than one million records in a TABLE and using multiple schemata come to mind. With 2005 and 2008 SQL Server has most of the basics, but it comes with a feeling of "ok, we're new at this".

    7) The SQL Server blogs are mostly about "here's a neat way to do this" and "this is faster in some scenarios". I think "fun".

    The Oracle blogs are mostly informative, "here's how this works" and "Oracle uses c(a+b) for this calculation". I think "informative".

    Both have both though. This is just an impression of the majority that I have after reading each for a couple of years.

    I am using SQL Server for my job, and it works well. It does things Oracle does not, like CROSS APPLY and TOP, which are really convenient and useful. When asked for a comparison on our reporting project, I keep telling people SQL Server 2005 (we're probably moving to 2008 next year) will do the job, and we don't even need the data warehouse because SQL Server will handle the job.

    So, I hope you don't think I'm saying SQL Server is bad. I simply prefer the Oracle model (if that's the right word, or "paradigm").

    • Hi Brian,
      I totally appreciate your point of view and your opinion is very valuable.

      As you described, it is a point of view, and as long as we find it positive in every element.

      Kind Regards,
      Pinal

  2. Very informative topic. I had been hearing that Oracle is better than SQL Server but now I understand the details. Thanks so much Pinal, for this article.

  3. Hi

    It's a very good topic, and each one of us has a different opinion; everyone should take this in a positive mode.

    I will not say which one is better here, because each of these is best in its own way.

    Based on my consulting experience in the US and UK, database servers are decided based on the following factors:

    1) The application which is used to access the tables. If the front-end application is in .NET or any of the Microsoft products, then the default database server is SQL Server. If the front-end application is in Java, then the default database server is Oracle.

    2) Selecting a database server is entirely based on the big picture of enterprise architecture. If the firm has been using SQL Server right from the beginning, then they prefer to go with SQL Server rather than changing the whole architecture.

    I know these are not the only factors, but these are the two answers I normally get when I review the architecture.

    On the other hand, what I have seen nowadays is that people are looking more towards Vertica or Sybase IQ or Netezza, which are mainly for data warehouse applications. So I think in the next 2 to 3 years there will be huge changes to various database architectures.

  4. I have worked in 3 places which have had both Oracle and SQL Server. Oracle DBAs as Brian said are more academic, understand that what is worth learning is often times hard to learn, and are more about correctness than ‘what works’. Two major differences – one, it takes quite a bit of hard work/calls to Oracle support to figure out an issue with Oracle (there are many :) but unlike SQL Server it is rare that you can just google an answer or find it in their help. Second, Oracle DBAs earn a LOT more than SQL Server guys!! I think this is a huge and important difference since it takes a lot of effort to learn Oracle. I appreciate MS making SQL easy to learn, GUI friendly all of that but there are many SQL Server DBAs who just learn GUI and think they know the product – I worked once even with a DBA manager who did not know 3 rules of normalisation!! I am not sure about Oracle also though but in the SQL Server world knowledge sadly is not valued by experience and technical expertise but by a variety of hyped factors – ability to spout googled knowledge, UG leads, MVP titles (no offence to these titles and have one myself but it has no relation to a person’s technical expertise) and various hype. In other words you really have to strip the person of all the hype to find out if the knowledge underneath is worthy of respect and in my experience this is far easier in the Oracle world. Thank you.

  5. I treat Oracle and SQL Server as different tools in my tool box. Some of the fundamental differences between Oracle and SQL Server:
    1) Oracle has an SCN (System Change Number) in the header of all data blocks. Before Oracle modifies any data block, the before-image is stored in the UNDO tablespace or Rollback Segments (RBS). If a user starts a query at 4:00 pm, no matter how long the query runs and how much the data has changed before he gets the result, he is guaranteed to get the true result as of 4:00 pm. The other benefit of this architecture is that writers do not block readers. In SQL Server, at least in earlier versions, if a user is updating a record and has not committed or rolled back, it will block others who want to read the row.
    2) Oracle is multi-process while SQL Server is multi-threaded. An Oracle database will scale better (support more users) with multiple processes on UNIX or Linux. Windows Server has been getting better in recent years, but the overhead of maintaining a thread for every user connection is there.

    • Hi,

      Sorry but I really have to ask you to elaborate your statement #2. I’ve done a lot of work with sockets and threads, written some articles about socket interface, TCP/IP and threading, written many socket based servers and services. I can’t see why threads would be heavier in this regard than processes.

      With processes you end up with process context switches, which is a heavy operation. Also inter-process communication is not a simple thing. With threads you are inside a single process space, which means no context switches. Of course there are calls to the kernel when dealing with mutexes and other synchronization objects, but so there are in the process model also.

  6. Hello Mr.Pinal,

    I really appreciate your articles.

    But NOT this article. I do not see any comment by any others picking out negatives on either SQL Server or Oracle; they supported both of them equally.

    But your article seems like you don't want others to use Oracle because a lot of patches are being released to fix bugs. That's not good; instead of pointing out all this you might bring out the advantages of SQL Server rather than saying that Oracle has many bugs and hence releases so many patches.

    Your statement "SQL Server is consistently more secure and much less prone to errors and bugs than Oracle DB" does show that you don't want people to use Oracle.

    It's not because I don't like SQL; I am a DBA, I use and treat both of them equally.

    I appreciate the others' comments on this article.

    No offence, Mr. Pinal, I have gone through many of your nice articles and never found anything more biased than this one.

    I am sorry if i said something wrong.

    Thanks.
    Vicky

  7. Mate, I agree you know SQL. But do you know how easily XP is hackable? So security, this is a major loose point. I know there are a lot of your family members who claim to think that SQL is better than Oracle. But let's see first thing your OS, a major weak point. SQL, does it run in Unix? No. So it is not a secure database. All major database administrators use Unix, have to know Unix, and you know all other DBAs who don't use Unix are all baby DBAs.
    Unix is powerful, stable, shell script damn powerful.

    Windows is for babies, and your family members.

  8. Having worked in an environment where I work with both SQL Server and Oracle, I have to say Oracle is full of bugs. I've had a far worse experience with Oracle than SQL Server.

    The Oracle patching process is a nightmare. The support guys don't know what they're talking about.

    There was this ASM bug which rebooted a server (10g RAC node) at random times. They provided a workaround (a procedure to execute every hour through a job), but when it came to providing a patch they asked us to upgrade to 11g because the patch is not available for 10g.

    Right.

  9. One of the reasons there are more vulnerabilities reported against Oracle databases is that it makes a much more attractive target … far more of the most attractive data for potential attackers resides in Oracle databases than in SQL Server … I don’t know the latest numbers, but I’ve worked in numerous large financial institutions in more than 20 years in the industry and the mission critical financial data in every case was stored on Oracle (or in a few cases DB2 where IBM mainframes came into play). Microsoft zealots have long complained that the number of security vulnerabilities on Windows was unfairly criticized simply because far more people had Windows installed than other desktop operating systems so I find it a bit ironic that a variation of the same argument is now being used (not just here but in a number of other places) to assert that SQL Server is more secure. Given Microsoft’s security record across all of their other products over a long period of time, it would take a lot more than this to convince me that SQL Server is more secure.
