Eight months after the SQL Slammer worm threw SQL Server database administrators into a tizzy, Microsoft Corp. is committing itself to providing semiautomatic updates that will patch holes in the enterprise database.
The Redmond, Wash., company began working on automatic patching immediately after Slammer struck in late January, according to SQL Server Group Product Manager Tom Rizzo. By exploiting known holes in the database for which patches were available, the worm brought the Internet to its knees as it generated billions of attacks on SQL Server installations.
Patching the process
Possible ways Microsoft could improve patch
Offer free CDs
Keep home users from clogging containing patches network
Increase the likelihood patches delivery and installation
will be installed
Source: Michael Cherry, Directions on Microsoft Inc.
Microsoft was criticized at the time for making installations of SQL Server patches too difficult or timeconsuming. The effort to smooth out the patching process is ongoing, with no end date in sight, Rizzo said.
Under consideration is an agent that will act in a similar manner to that of the bubble that pops up in Windows systems to alert users when updates are available. This agent contains links to a site that lists available patches for specific systems and gives users the opportunity to choose which patches they want to install.
If Microsoft decides to integrate such an agent, it would be available in the upcoming update of SQL Server, code-named Yukon. It would also work with SQL Server 2000 and possibly with SQL Server 7.0, Rizzo said.
The agent is not a guaranteed fix, Rizzo pointed out. Because SQL Server is a server as opposed to a desktop client, there might not always be a user sitting in front of a monitor. "There may be no one logged in to see that little window pop up in a lights-out environment," he said.
Read about the latest SQL Server worm.
The need for Microsoft to help users with patch management was reinforced by the Blaster worm last month that exploited Windows holes for which patches existed. Recently reported SQL Server worms such as Voyager Alpha Force also lie in wait to trip up those who dont follow best security practices.
User reaction to Microsofts automatic update efforts is mixed. Steve Foote, a consultant with Enswers Inc., in Cambridge, Mass., said users could flood Microsoft Web sites by updating en masse, and the service could be spoofed. "With security patches, you want a level of authentication between the agent doing the work and the site doing the downloading," Foote said. "You dont want anybody spoofing the URL to get you to pick up bogus patches."
The arguments didnt hold water with all users. Aaron Lipman, chief technology officer for Entertainment Earth Inc., in North Hollywood, Calif., said users dont all open their e-mail at the same time and wouldnt click on "update" at the same time, either. "In general, its a good idea," Lipman said, given the fact that DBAs have to be far more proactive in staying up-to-date with SQL Server than with Windows.Discuss this in the eWeek forum.
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.