Security Overhaul to Postpone SQL Server

Top-to-bottom code review delays beta version of 'Yukon'.

Built-in security development is at the heart of a delay of a major Microsoft Corp. database upgrade.

An upgrade to SQL Server, code-named Yukon, will be delayed from late this year to early next year, said company officials here last week, to build more security features into the database. According to the officials, Microsoft pulled its 1,000-person development team off the latest SQL Server database earlier this year to focus solely on security for three months.

SQL Server users said Microsoft's new focus on security is much-needed, as databases are increasingly open to users outside a company's firewall through the Web. SQL Server has become a common target for hackers because of its increasing use, particularly among smaller companies that might lack in-house security expertise, said Ron Talmage, an independent SQL Server consultant and owner of Prospice LLC, in Seattle. "[Microsoft] didn't have any choice but to focus on security," Talmage said. "It's no longer just an irritation; it's a necessity."

"I'm glad Microsoft is taking a renewed look at security before it deploys things because that makes it more bulletproof before it gets to us," said Mike Reagin, director of research and development at Providence Health System, in Portland, Ore.

Reagin, who uses databases from Microsoft and Oracle Corp., said SQL Server, with its deeper integration with Windows, is more open to vulnerabilities. However, Providence is increasing its deployment of SQL Server because of the product's ease of use and integration with the .Net development environment.

Added to the database are enhancements to how administrator passwords are set and row-level security to provide more granular user-access controls, officials said. With row-level security, Yukon will extend beyond its current column- and table-level security to let administrators define what level of access users have down to the individual row.
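To make the distinction between the existing column- and table-level controls and the row-level controls described above concrete, here is an added T-SQL illustration; it is not from the article or from Yukon, the CREATE SECURITY POLICY syntax is the form row-level security eventually took in SQL Server 2016, and the table, role and department names are constructed for the example.

```sql
-- Table- and column-level control: the role sees the whole table,
-- restricted to the listed columns, but every row in it.
CREATE TABLE dbo.PatientVisit (
    VisitId     int           NOT NULL PRIMARY KEY,
    PatientName nvarchar(100) NOT NULL,
    Department  sysname       NOT NULL,  -- constructed: matches a database role name
    Notes       nvarchar(max) NULL
);
GRANT SELECT ON dbo.PatientVisit (VisitId, PatientName, Department) TO ClinicStaff;
GO

-- Row-level control: a schema-bound predicate function decides, per row,
-- whether the caller may see it. Here a caller sees a visit only when they
-- belong to the database role named after the row's Department.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_DepartmentPredicate(@Department AS sysname)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE IS_MEMBER(@Department) = 1      -- caller is in the row's department role
              OR IS_MEMBER('db_owner') = 1;      -- administrators see every row
GO

-- The policy applies the predicate to reads (FILTER) and refuses inserts
-- of rows the caller could not read back (BLOCK ... AFTER INSERT).
CREATE SECURITY POLICY Security.DepartmentFilter
    ADD FILTER PREDICATE Security.fn_DepartmentPredicate(Department) ON dbo.PatientVisit,
    ADD BLOCK  PREDICATE Security.fn_DepartmentPredicate(Department) ON dbo.PatientVisit AFTER INSERT
    WITH (STATE = ON);
GO

-- Check from the point of view of a constructed user who only holds the
-- Cardiology role: the row count reflects the filter, not the GRANT.
EXECUTE AS USER = 'cardiology_nurse';
SELECT COUNT(*) AS VisibleRows FROM dbo.PatientVisit;   -- only Cardiology rows
REVERT;
```

The GRANT alone decides which columns the role may read; the policy then silently filters which rows those reads return, so auditing both is needed to know what a user can actually see.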

The impetus for the security review, in addition to Microsoft's companywide Trustworthy Computing push, was a rise in the number of reports on SQL Server security holes that Microsoft was receiving, officials said. Microsoft released three patches for SQL Server 2000 last year, but the company has released eight so far this year.

The work, begun in mid-March, included a review of all 5 million lines of SQL Server code and security training for developers and testers.

Despite the delay of the Yukon beta, the program remains on track for general availability next year, said SQL Server Vice President Gordon Mangione. "What we were doing [with] knee-jerk reactions weren't going to work," Mangione said. "It was three months of absolute dedicated time on [security], and that did impact the Yukon schedule, and it was an easy decision to make. What's happened more than anything is we looked at our processes from end to end and made sure that this has to be part of what we do [with] every code review, every build."

As the Microsoft database proliferates, Providence Health's Reagin said he is concerned that installing security fixes will become harder and more time-consuming. To help ease patch deployments, officials said, Microsoft plans to launch by year's end a Quick Fix Engineering installer to help automate extensive patches that can include fixing security holes.