Security Overhaul to Postpone SQL Server

By Matthew Hicks  |  Posted 2002-09-02

Top-to-bottom code review delays beta version of 'Yukon'.

Built-in security development is at the heart of a delay of a major Microsoft Corp. database upgrade.

An upgrade to SQL Server, code-named Yukon, will be delayed from late this year to early next year, said company officials here last week, to build more security features into the database. According to the officials, Microsoft pulled its 1,000-person development team off the latest SQL Server database earlier this year to focus solely on security for three months.

SQL Server users said Microsoft's new focus on security is much-needed, as databases are increasingly open to users outside a company's firewall through the Web. SQL Server has become a common target for hackers because of its increasing use, particularly among smaller companies that might lack in-house security expertise, said Ron Talmage, an independent SQL Server consultant and owner of Prospice LLC, in Seattle. "[Microsoft] didn't have any choice but to focus on security," Talmage said. "It's no longer just an irritation; it's a necessity."

"I'm glad Microsoft is taking a renewed look at security before it deploys things because that makes it more bulletproof before it gets to us," said Mike Reagin, director of research and development at Providence Health System, in Portland, Ore.

Reagin, who uses databases from Microsoft and Oracle Corp., said SQL Server, with its deeper integration with Windows, is more open to vulnerabilities. However, Providence is increasing its deployment of SQL Server because of the product's ease of use and integration with the .Net development environment.

Added to the database are enhancements to the setting of administrator passwords and row-level security to provide more granular user-access controls, officials said. With row-level security, Yukon will extend beyond its current column- and table-level security to let administrators define what level of access users have down to the row.

The impetus for the security review, in addition to Microsoft's companywide Trustworthy Computing push, was a rise in the number of reports on SQL Server security holes that Microsoft was receiving, officials said. Microsoft released three patches for SQL Server 2000 last year, but the company has released eight so far this year.

The work, begun in mid-March, included a review of all 5 million lines of SQL Server code and security training for developers and testers.

Despite the delay of the Yukon beta, the program remains on track for general availability next year, said SQL Server Vice President Gordon Mangione. "What we were doing [with] knee-jerk reactions weren't going to work," Mangione said. "It was three months of absolute dedicated time on [security], and that did impact the Yukon schedule, and it was an easy decision to make. What's happened more than anything is we looked at our processes from end to end and made sure that this has to be part of what we do [with] every code review, every build."

As the Microsoft database proliferates, Providence Health's Reagin said he is concerned that installing security fixes will become harder and more time-consuming. To help ease patch deployments, officials said, Microsoft plans to launch by year's end a Quick Fix Engineering installer to help automate extensive patches that can include fixing security holes.

Matthew Hicks As an online reporter for, Matt Hicks covers the fast-changing developments in Internet technologies. His coverage includes the growing field of Web conferencing software and services. With eight years as a business and technology journalist, Matt has gained insight into the market strategies of IT vendors as well as the needs of enterprise IT managers. He joined Ziff Davis in 1999 as a staff writer for the former Strategies section of eWEEK, where he wrote in-depth features about corporate strategies for e-business and enterprise software. In 2002, he moved to the News department at the magazine as a senior writer specializing in coverage of database software and enterprise networking. Later that year Matt started a yearlong fellowship in Washington, DC, after being awarded an American Political Science Association Congressional Fellowship for Journalist. As a fellow, he spent nine months working on policy issues, including technology policy, in for a Member of the U.S. House of Representatives. He rejoined Ziff Davis in August 2003 as a reporter dedicated to online coverage for Along with Web conferencing, he follows search engines, Web browsers, speech technology and the Internet domain-naming system.
