Laborious Updates Leave SQL Databases Unpatched

By Lisa Vaas  |  Posted 2003-02-03

The patches that could have stopped last week's attack on Microsoft Corp. database software were so difficult to install or so poorly publicized that some of Microsoft's own database administrators failed to install them.

Last July, the Redmond, Wash., developer released patch MS02-039 to fix a known vulnerability in its SQL Server database, and later wrapped the fix into Service Pack 3, which shipped only days before the SQL Slammer worm struck. However, many IT departments did not install the initial patch because its installation could not be scripted.

Instead, DBAs were required to manually stop each instance of the software running in their organizations, rename or remove some files, and paste the patch files into various directories in each instance, according to Eric Schultze, director of research and development at security tool maker Shavlik Technologies LLC, in Minneapolis.

Some users didn't know they needed to install the patch, particularly those using Microsoft applications that run a SQL variant called Microsoft Desktop Engine, said Schultze, a former member of Microsoft's Trustworthy Computing team.

Because of the original patch's installation difficulties, many time-strapped DBAs didn't bother with it. The primary reason that the University of Minnesota at Crookston didn't load the patch was the laborious installation, said Don Medal, director of computer services at the college. "My sense is that it's only with Service Pack 3 that it became easy to install," Medal said.

In November, Microsoft did release a patch that installed itself automatically, but it was given only to customers who contacted Product Support Services, Microsoft spokeswoman Sarah Wiley said. Microsoft officials acknowledged that some instances of SQL Server in their own company were not patched. Some were left that way on purpose to test customer configurations, said Wiley, but others were not patched because of time management issues or simple oversight.

"We struggle with the same issues as the rest of the industry," Wiley said. "Individuals make patch deployment decisions based on a variety of reasons, such as time management or simply oversight."

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
