Laborious Updates Leave SQL Databases Unpatched

The patches that could have stopped last week's attack on Microsoft Corp. database software were so difficult to install or so poorly publicized that some of Microsoft's own database administrators failed to install them.

The Redmond, Wash., developer released patch MS02-039 last July to fix a known vulnerability in its SQL Server 2000 database and later rolled the fix into Service Pack 3, which shipped only days before the SQL Slammer worm struck. However, many IT departments never installed the original patch because its installation could not be scripted.

Instead, DBAs were required to manually stop each instance of the software running in their organizations, rename or remove some files, and copy the patch files into various directories of each instance, according to Eric Schultze, director of research and development at security tool maker Shavlik Technologies LLC, in Minneapolis.

Some users didn't know they needed to install the patch at all, particularly those running Microsoft applications that embed a stripped-down SQL Server variant called Microsoft Desktop Engine (MSDE), said Schultze, a former member of Microsoft's Trustworthy Computing team.

Because of the original patch's installation difficulties, many time-strapped DBAs didn't bother with it. The primary reason that the University of Minnesota at Crookston didn't load the patch was the laborious installation, said Don Medal, director of computer services at the college. "My sense is that it's only with Service Pack 3 that it became easy to install," Medal said.

In November, Microsoft did release a version of the patch with an automated installer, but it was provided only to customers who contacted Product Support Services, Microsoft spokeswoman Sarah Wiley said. Microsoft officials acknowledged that some instances of SQL Server inside the company itself were not patched. Some were left unpatched on purpose to test customer configurations, Wiley said, but others were missed because of time management issues or simple oversight.

"We struggle with the same issues as the rest of the industry," Wiley said. "Individuals make patch deployment decisions based on a variety of reasons, such as time management or simply oversight."

  • Read more articles by Lisa Vaas