Microsoft Hustles to Disinfect SQL Server

Updates tools that help users determine if they're vulnerable to SQL slammer.

Microsoft Corp. continues to scramble to plug vulnerabilities in its SQL Server database that were exploited by the SQL Slammer worm last month.

The company early this month released new versions of tools designed to help SQL Server users figure out whether they are at risk. In addition, the company planned to put out a third version of the tools as early as late last week.

The three tools, which are available on Microsofts Web site, are: SQL Scan, SQL Check and SQL Critical Update. The first tool scans individual computers, Windows domains or IP address ranges for instances of SQL Server 2000 and MSDE (Microsoft Desktop Engine) 2000, identifying instances that may be vulnerable to Slammer. SQL Scan runs on Windows NT 4.0, Windows 2000 or Windows XP.

SQL Check also scans computers for instances of SQL Server 2000 and MSDE 2000, stopping and disabling SQL Server and SQL Agent services, but on Windows 98 and Windows ME, it does not stop vulnerable instances. SQL Critical Update scans computers for vulnerable instances and automatically updates affected files. It doesnt run on Windows 95, Windows 98 or Windows ME.

The most important upgrade to all three tools is that interfaces will give users a clearer idea of whats going on, according to SQL Server Product Manager Sheryl Tullis. With the earlier version, it was "a little difficult" to tell when the patch was done installing, Tullis said.

In addition, Microsoft clarified error message language so that users will have less confusing instructions to follow, said Tullis, in Redmond, Wash. Microsoft also plans to address Windows 98 and ME in Versions 2 and 3 of the tools.

Version 3 was to be geared to small-business users and those who have MSDE on their systems but arent database administrators and therefore dont know how to install patches, Tullis said.

This attempt to address the laborious installation process of SQL Server patches is the latest of a few similar moves for Microsoft, which addressed the problem by releasing an automatic installation version of the patch the weekend in January when Slammer first struck. Version 3 of the tools will have an interface customized for non-DBAs lack of experience with patch installation, Tullis said.

Users of the tools first versions said they welcome Microsofts tweaking of the interfaces.

"It will help us, definitely," said Don Medal, network engineer at the University of Minnesota at Crookstons Computing Services department. "Any improvements there would be helpful. I wouldnt say [the tools first versions] were done with the interface getting a high priority."

Microsoft last July issued a patch for the vulnerabilities Slammer exploited. It rolled up that patch in SQL Server 2000 Service Pack 3, which was released days before Slammer struck.

Because of the original patchs installation difficulties, many time-strapped DBAs didnt bother with it. The primary reason that Medals staff didnt load the patch was the laborious installation, he said. "My sense is that its only with Service Pack 3 that it became easy to install," Medal said.

Microsoft has long-term plans to address Slammer. They include rereleasing SQL Server 2000 packaged with Service Pack 3 already installed.

"We dont want any confusion about where we want customers to be—current users or future users," Tullis said. "Anybody who buys SQL Server 2000 will have SP3 right out of the box."

It will take "several months" before the duo are packaged, Tullis said.