
Oracle Has More Flaws Than SQL Server

kdawson posted more than 7 years ago | from the nyah-nyah dept.

Databases

jcatcw writes, "Next Generation Security Software Ltd. of Surrey, England, compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006. The tally: Oracle had 233; MS SQL had 59. The products compared were Oracle 8, 9, and 10g; SQL Server 7, 2000 and 2005. From the article: '[The head of the survey said,] "The results show that the reputation that Microsoft SQL Server had back in 2002 for relatively poor security is no longer deserved."' Oracle's response: 'Measuring security is a very complex process, and customers must take a number of factors into consideration — including use-case scenarios, default configurations, as well as vulnerability remediation and disclosure policies and practices.'"


229 comments


translation (4, Funny)

User 956 (568564) | more than 7 years ago | (#17005582)

Oracle's response: 'Measuring security is a very complex process, and customers must take a number of factors into consideration -- including use-case scenarios, default configurations, as well as vulnerability remediation and disclosure policies and practices.'

Oracle's response in english: Clearly you have no idea what you're doing, because your results showed us in a poor light. Perhaps you'd like to try again. We have a bag of money for you.

Re:translation (0)

Anonymous Coward | more than 7 years ago | (#17005622)

Let's face it, it's just another crappy security company looking for some limelight.

The method is crap, the analysis is flawed and the conclusion a load of junk.

Re:translation (4, Insightful)

HairyCanary (688865) | more than 7 years ago | (#17005668)

I tend to agree. But Oracle does have a point. Trying to distill a security argument down to number of bugs is oversimplifying. The severity of the bugs, how easy they are to exploit, etc are all important to consider. Even more important in my opinion is how quick the vendor is at fixing them. If Oracle's average time to fix was 24 hours compared to six months for Microsoft, the 4:1 bug ratio is not such a big deal.

Re:translation (4, Insightful)

SatanicPuppy (611928) | more than 7 years ago | (#17006024)

It's typical MS fud. They LOVE to harp on how many bugs their competition has, but there is a hell of a lot more to it than quantity. Slammer [symantec.com] anyone?

Oracle is a huge robust database with lots of extremely security conscious clients. A high number of reported bugs and fixes shows that they're executing due diligence, and working to keep their system as secure as possible. MSSQL's low number of bugs suggests that Microsoft isn't digging hard into their code, but only waiting for big public flaws.

They used the same argument in claiming that IE was less buggy than Firefox (see this crappy article [informationweek.com]) and it's just as untrue in this case.

Re:translation (4, Informative)

arivanov (12034) | more than 7 years ago | (#17006278)

Oracle is also the database with the longest time to fix security bugs. I will simply quote the message from BUGTRAQ which is most relevant to this thread. It about says it all:
Thor (Hammer of God) wrote:
David Litchfield is one of the most predominant security researchers in the field, particularly in the area of database security. He and NGS have discovered more combined security vulnerabilities in leading DBMS products than anyone else in the world.
Given this fact, I think that not only is it appropriate for David to give whatever opinions he chooses in his research, but that it is his opinions that actually give the research real, tangible, applicable value. With his indisputable status as an authority on database security and his unwavering integrity, I have no problem whatsoever in considering Dave's opinions to be "fact."

Actually the whole discussion on BUGTRAQ is definitely worth reading. By the way the vulnerability behind Slammer was discovered by guess who - David Litchfield.

Re:translation (2, Interesting)

Anonymous Coward | more than 7 years ago | (#17006678)

Slammer anyone?
The slammer worm was released in 2003, and affected a vulnerability that had been patched eight months prior. The last discovered vulnerability for SQL 2000 was in January 2004.
A high number of reported bugs and fixes shows that they're executing due diligence, and working to keep their system as secure as possible.
heh. You used Oracle and Due Diligence in the same sentence.
MSSQL's low number of bugs suggests that Microsoft isn't digging hard into their code, but only waiting for big public flaws.
Possibly. There is another possible reason for the low number of discovered flaws, but I don't think you want to hear that one.

Re:translation (2, Insightful)

drinkypoo (153816) | more than 7 years ago | (#17006786)

MSSQL came from Sybase 10, which was a quite excellent database with a much better reputation than Oracle at the time. It didn't scale as well, but it was quite a bit faster on mid-size data sets. If this is the one division in Microsoft that's employing people who actually fix bugs, I'd say this is an entirely credible report. Given what a PITA Oracle is in general, it's not even unlikely.

Re:translation (0, Flamebait)

tbannist (230135) | more than 7 years ago | (#17007016)

Remember, as long as Microsoft doesn't acknowledge the bug exists, it doesn't count!

Re:translation (5, Insightful)

Anonymous Coward | more than 7 years ago | (#17006072)

I'm not an Oracle person, but from my understanding Oracle allows you to have finer-grained security on data, stored procedures and so on than SQL Server. Perhaps the complexity of Oracle compared to SQL Server is part of the reason there are more bugs.

Let's face it, a bug report can be anything from a misspelled error message to a gaping sa/root/admin (whatever Oracle calls it) compromise.

Severity is important. For instance, most popular Linux distros (minus Gentoo) have quite a few security holes due to third-party package inclusion. Often the holes are not severe, but they do make Linux look artificially insecure compared to some other operating systems. If Red Hat pushed 90 updates a month at you and Microsoft only 35... well, who looks less secure? How many were feature enhancements? How many did each vendor NOT include a fix for?

Disclaimer: My above reference to Linux distros only includes bloated packages like Red Hat, SUSE, etc. Most people using these distros tend to do a "full install". I'm a MySQL or SQL Server user whenever possible.

Often one could argue that smaller companies get less attention, so a large number of vulnerabilities would indicate a very insecure product. Oracle is obviously smaller than Microsoft as a whole. In this case, Oracle gets a lot of attention as it's used for large-scale deployments, as well as for their *lovely* business practices.

Re:translation (5, Insightful)

ZachPruckowski (918562) | more than 7 years ago | (#17006140)

You're right. This survey is pretty messed up. I mean, we're comparing *bugs fixed*. Not bugs still open, or any measure of severity, or what got exploited, or any measure of turn-around time.

This is like saying that Fire Department A put out fewer fires than Fire Department B. That's nice, but what I really want to know is how long it took for the trucks to arrive, the size of the fires, and also if there are any houses that burned down before the Fire Department got there.

Re:translation (0)

Anonymous Coward | more than 7 years ago | (#17006698)

Wow, defending Oracle with nothing, not a very convincing argument. I don't know how the hell you pulled out that last sentence, "If Oracle's average time to fix was 24 hours compared to six months for Microsoft, the 4:1 bug ratio is not such a big deal." Yeah, I see that's IF, but it doesn't really contribute to the discussion of this particular summary now, does it? STAY ON TOPIC.

If you offer a ton of additional features... (2, Interesting)

emil (695) | more than 7 years ago | (#17006930)

...then it stands to reason that you will have a ton of additional bugs.

This argument in no way excuses Oracle for their timely patch cycle (or lack thereof), but may explain the higher number of patches.

I haven't looked at the Sybase/SQL Server family for awhile, but I assume that it still doesn't offer anything like Flashback, LogMiner, richer indexing, direct LGWR connection to DataGuard, resumable transactions, or even basic multiversioning.

Re:translation (0)

Anonymous Coward | more than 7 years ago | (#17005736)

more bugs fixed is not the same as more bugs

if anything my bet is less outstanding bugs

Re:translation (0, Troll)

jedidiah (1196) | more than 7 years ago | (#17005770)

Oracle's response in English: We don't force bundle our product onto servers where it really shouldn't be in the first place.

Insist on driving through the 'hood at midnight and you probably better be armed and armoured. Take the sensible approach and avoid doing this and you can likely skip the ablative armour and the AK-47. Microsoft likes to look for trouble. Most of their security problems stem from this.

Re:translation (2)

drzhivago (310144) | more than 7 years ago | (#17006164)

I didn't know that SQL Server 2005 was standard with Windows 2003 Server. When did they start bundling it?

Re:translation (1)

drinkypoo (153816) | more than 7 years ago | (#17006904)

Oracle's response in English: We don't force bundle our product onto servers where it really shouldn't be in the first place.

Arguably every OS should come with an RDBMS and applications should make more use of it instead of depending on a broad assortment of different mini-databases like sqlite and such. There's nothing wrong with them on their own but with ten programs that each use them, I've effectively got ten copies of sqlite (tiny - not a big deal) which each may be of a different version (which is a big deal since some or all of them may have holes) instead of just having one database that gets updated, along with its client libraries, every time a hole is found.

Insist on driving through the 'hood at midnight and you probably better be armed and armoured. Take the sensible approach and avoid doing this and you can likely skip the ablative armour and the AK-47. Microsoft likes to look for trouble. Most of their security problems stem from this.

My data might be in the hood, and I might have to go there to get it. In which case it's necessary for my RDBMS to be able to get there. Microsoft has many flaws, especially in the realms of security and freedom, but they do have quite a bit of versatility in terms of what you can run on, what you can run with, and what programs you can run. I can play DOS games, which originally used direct video memory access, on Windows XP in most cases - in fact, in many cases where Windows 9x games don't work because DirectX is less back-compatible than the OS :) As always there are both flaws and benefits to taking the Microsoft approach. I personally do feel that the drawbacks outweigh the benefits but that's a separate discussion.

In the really real world, Oracle is much more complex than MSSQL, which was originally based on Sybase 10, right before Sybase 11 came out. Even when that happened, Sybase was more reliable than Oracle in many ways, and faster on all but the largest data sets. I see no reason to believe that since those days, the quality of the Oracle code has improved more or been degraded less than the quality of the MSSQL code.

MS Labs Has No Equal (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#17006048)

No one should be surprised by the fact that MS SQL is superior to Oracle DBMS. This situation is the direct result of Microsoft having the best-funded industrial laboratory in the world; the lab's annual budget is $7 billion [redmondmag.com] .

This lab works on boring but vitally important topics like security and proving that algorithms are correct. Microsoft Research has become what Bell Labs once was.

Microsoft Research is the only industrial lab that can convince well-paid tenured professors to quit their cushy academic job to join Microsoft. All this purchasing of brain power has paid off handsomely for Microsoft. Has anyone noticed the awesome reliability of the current generation of Microsoft products?

Windows 98, ME, and 95 were horribly unreliable. Yet, Windows XP is quite good. Now, MS SQL has proven to be quite reliable.

Windows Vista is so good that it will bankrupt several of the software utility companies that make anti-virus software.

Google is no match for Microsoft. The morons who bought Google at $500 per share will face a rude awakening.

Re:MS Labs Has No Equal (2, Insightful)

Nocturnal Deviant (974688) | more than 7 years ago | (#17006960)

XP quite good now? Apparently "Patch Tuesday" isn't in your monthly things-to-do list.... or checking Windows Update every day.... And as to the Google comment... if Microsoft wasn't worried about Google (shocking realization, I know), then why is Microsoft finally changing their browsers and MSN Search since Google and Firefox came around..? Google: Latest Windows XP bugs http://www.google.com/search?hl=en&q=Latest+Windows+XP+bugs&btnG=Google+Search [google.com] ...OMGZ 51,500,000 results. Hey everyone, just ordered my Kubuntu CDs, I'm heading for the virtual hills... in truth though I prefer Slackware. Back on topic though, I use MySQL; catching me using Oracle OR MSSQL is a joke. With open source I don't have to scream and cry and throw chairs (reference http://www.theregister.co.uk/2005/09/05/chair_chucking/ [theregister.co.uk]); I can code my own fix 99% of the time before an official one is released.

Unbreakable? (0)

Anonymous Coward | more than 7 years ago | (#17005588)

Unbreakable? [sda-india.com]

?

Does this surprise anyone? (1)

zimm0who0net (900786) | more than 7 years ago | (#17005604)

Oracle has a million more configuration options than SQL Server. It only makes sense that there will therefore be many more bugs.

Re:Does this surprise anyone? (0)

Anonymous Coward | more than 7 years ago | (#17006108)

Oracle has a million more configuration options than SQL Server.

Oracle is also an ancient code base, with origins far older than contemporary use cases (extranet, n-tiers, etc.) There is cruft in Oracle that dates back to the mid '80s and it's showing.

Oracle needs a thorough refactoring. They'll either do it under their own steam or the market will do it for them. In the meantime they'll continue this Sisyphean bug fixing of latent vulnerabilities, while smart DBAs mitigate the problem according to their own means.

I'm also concerned about Oracle's development practices. Quality continues to be poor for the first few releases of any new feature. Witness 10g EM; there are .nohup files lurking in (*nix) log directories. I find that astonishing. ASM won't be suitable for widespread use for two or three releases, 11xR2 or something. That should have been right on try #1 six or seven years ago.

Re:Does this surprise anyone? (2, Interesting)

IdleTime (561841) | more than 7 years ago | (#17006374)

There is cruft in Oracle that dates back to the mid '80s and it's showing.

Oracle needs a thorough refactoring. They'll either do it under their own steam or the market will do it for them.
Well, no, not really. There is old code in there, but it is not cruft, but well-functioning code.
I'm also concerned about Oracle's development practices.
What? Can you explain what you mean, because I have no idea what you are talking about.
Quality continues to be poor for the first few releases of any new feature. Witness 10g EM; there are .nohup files lurking in (*nix) log directories. I find that astonishing.
Huh? What exactly were you talking about? Oracle does not store any files in standard *NIX log directories.
ASM won't be suitable for widespread use for two or three releases, 11xR2 or something. That should have been right on try #1 six or seven years ago.

Completely wrong. Thousands of customers are using ASM today and with great success. Please explain what the heck you are talking about.

Re:Does this surprise anyone? (2, Interesting)

pestilence669 (823950) | more than 7 years ago | (#17006554)

While Oracle has more flaws it certainly is a much more complex product, so it stands to reason. Besides, Oracle vs. SQL Server is not a fair comparison at all. SQL Server is quite bare.

The "flaws" I've experienced with SQL Server either made my server crash or corrupted my databases to all hell. I've never had an Oracle server (or any other vendor's product) corrupt my tables, thank you very much. I think MS brought this "feature" over from their Jet / Access engine.

If you compare the severity of these flaws, not their category, I think you'll find that SQL Server has many more *unrecoverable* flaws. That's been my experience with every version since 7.0.

Summary title is vague (5, Insightful)

ArcherB (796902) | more than 7 years ago | (#17005624)

MSSQL is a SQL Server. MySQL is a SQL Server. Oracle is a SQL Server. Please be more specific and explain which SQL Server you are talking about.

Granted, the summary does explain that the article does indeed refer to MSSQL Server, but please stop calling it just SQL Server. MSSQL Server != SQL Server

(OK, I feel better. What is the moderation for RANT?)

Re:Summary title is vague (1)

jimstapleton (999106) | more than 7 years ago | (#17005774)

Actually, Microsoft's SQL Server is the only one of the three that actually has "SQL Server" in its name, or even as its name.

Re:Summary title is vague (1)

linuxmop (37039) | more than 7 years ago | (#17005784)

No, not really. MySQL [Community Server] is a database server that supports SQL. Oracle [Database] is a database server that supports SQL. MSSQL [Microsoft SQL Server] is a database server that supports SQL. The latter is often known simply as SQL Server.

Re:Summary title is vague (1)

hey (83763) | more than 7 years ago | (#17005806)

Yes, please don't let Microsoft own the name "SQL Server". It's so wrong to say just "SQL Server"!

Re:Summary title is vague (1)

osee (944334) | more than 7 years ago | (#17006734)

[Slightly OT]
Yeah, and please don't let Red Hat own the name Linux.
I am sick of people posting about Linux 6.0 or whatever.

We can expect people to talk in precise terms, but it's not going to happen in the foreseeable future :-P
[/Slightly OT]

Re:Summary title is vague (2, Funny)

stuktongue (140376) | more than 7 years ago | (#17005888)

Butters, goddammit!

Re:Summary title is vague (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17005906)

...but please stop calling it just SQL Server

YES! I'm tired of ceding parts of the English language to Microsoft. How did Microsoft end up owning the word Windows, forcing Lindows and wxWindows to be renamed, when X-Windows has been around so long? If Microsoft can't be bothered with coming up with unique names for its products, don't let them take over common words by dropping the "Microsoft" from the name.

Re:Summary title is vague (0)

Anonymous Coward | more than 7 years ago | (#17005912)

I am sooooo happy that I'm not the only one who is hurt about the "SQL Server" thing...

Thanks!

Re:Summary title is vague (3, Informative)

hobo sapiens (893427) | more than 7 years ago | (#17006020)

Microsoft just so happens to be so uncreative that they gave their DB server application a name that is merely a description. Calling it SQL Server is appropriate, since that is, after all, what it calls itself and as far as I know, is the de facto name for the software. Yes, it's a bit like calling a Web Browser WebBrowser. Blame MS for picking a nondescript name.

Re:Summary title is vague (2, Funny)

M. Baranczak (726671) | more than 7 years ago | (#17006190)

Microsoft just so happens to be so uncreative that they gave their DB server application a name that is merely a description.
Could have been worse... [apple.com]

Re:Summary title is vague (1)

hobo sapiens (893427) | more than 7 years ago | (#17006210)

could have been worse still...it could have been called iMail or something equally repulsive.

Re:Summary title is vague (3, Interesting)

drinkypoo (153816) | more than 7 years ago | (#17006946)

Actually, the name of the product is "Microsoft SQL Server". Still a stupid name but it's not just "SQL Server". Lazy techies are responsible for not using the full name, not that I blame them. What I want to know is how Microsoft managed to convince a court that the name of another product of theirs was actually "Windows" and not "Microsoft Windows" (look at the box sometime!) which forced all those other people to change their product names.

Firefox Has More Flaws Than Web Browser? (1)

GodWasAnAlien (206300) | more than 7 years ago | (#17006044)

NFS has More Flaws Than File Server?

yes, what exactly is the title talking about?

Re:Firefox Has More Flaws Than Web Browser? (1)

ImaLamer (260199) | more than 7 years ago | (#17006714)

Since the GP started this, I'll bite.

They are called context clues. "SQL Server" is used above as a proper noun, look at the usage: "than SQL Server".

It's not "than an SQL server", not "than other SQL Servers", just "than SQL Server".

If you don't know that they are talking about Microsoft's product, then you are not in the DB business, and the story wasn't intended for you. (Not to say you can't read it, in fact if you RTFA you will learn that SQL Server is a PROPER NOUN).

Re:Summary title is vague (1)

Jamu (852752) | more than 7 years ago | (#17006180)

Same thing with "%*$^ing piece of $^%* database". How can you tell if they are talking about MSSQL or Oracle?

Re:Summary title is vague (1)

hclyff (925743) | more than 7 years ago | (#17006266)

Mozilla Firefox is shortened to just Firefox, Microsoft Windows to Windows and so on - it's just a product called "SQL Server" from a company called "Microsoft".

Also it's known as SQL Server to everyone who ever worked with it.

Re:Summary title is vague (2, Insightful)

ferretworks (317057) | more than 7 years ago | (#17006636)

Have to agree with the masses. Calling it SQL Server seems to only piss off the people who don't work with it. I don't call the Office suite Microsoft Office. It is just Office. Microsoft was clever in their naming schemes. If I am talking about a SQL server that is Oracle, I wouldn't refer to it as "Oracle's SQL Server", nor would MySQL be "MySQL SQL Server".

That would just be silly.

So, your anger is Microsoft's gain. And every time you get angry at Microsoft, they kill a kitten.

Re:Summary title is vague (1)

Billly Gates (198444) | more than 7 years ago | (#17006704)

Microsoft's marketing department uses active and positive verbs and nouns in naming their products so they appear to be better than the competition, as well as because the human brain memorizes mnemonics easily. Examples are Explorer, Word, Excel, Access, Active Directory, and MS SQL Server. Microsoft's core customers are pretty clueless when it comes to technology and use their stuff to get work done. Using positive and active simple names that represent what they do does make a difference. If you're thinking "SQL" subconsciously when you're wondering whether to purchase a database, your brain will be more likely to remember "SQL Server" first. It's great marketing.

The name is no different than the MS Word processor. Yes, that is the name of the product, but other word processors exist as well. So Microsoft calls it Microsoft SQL Server to show it's theirs and what the product does.

And why (0, Flamebait)

El Lobo (994537) | more than 7 years ago | (#17005640)

And why did you expect it to be the other way? Because of the two-letter prefix? Biased.

Oracle is more complex (5, Insightful)

sitturat (550687) | more than 7 years ago | (#17005642)

Anyone that has tried to read (or even tried to lift up) one of the Oracle manuals knows that this is seriously feature-rich and complicated stuff. It would be more interesting to see how many bugs per line of code the two contenders have.

Re:Oracle is more complex (1)

Nerdfest (867930) | more than 7 years ago | (#17005958)

Bugs per line of code is no more useful than plain old number of bugs ... which is basically what Oracle is saying. Number of bugs does not take severity, risk, etc into account. The article also only refers to the number of bugs _fixed_, not remaining.

but ... (2, Interesting)

kylie69 (921403) | more than 7 years ago | (#17005646)

what about IBM DB2?

Agreed! (1)

FatSean (18753) | more than 7 years ago | (#17006340)

SQL server has always been a second-rater in the big DB wars. DB2 and Oracle being the best. They should have stuck DB2 in there too...

Re:Agreed! (1)

TweakMe (909676) | more than 7 years ago | (#17007000)

Which DB2? All three?

Oracle is right (4, Insightful)

Josh Lindenmuth (1029922) | more than 7 years ago | (#17005652)

While the # of vulnerabilities is unacceptable, Oracle is right ... just comparing the # of bugs is not really valid. Now if Oracle has had more severe security violations than Microsoft, it would be a different (and far more interesting) story. Oracle is still a more robust database, so one would expect there to be more bugs than another app with fewer modules and lines of code.

Re:Oracle is right (0, Insightful)

Anonymous Coward | more than 7 years ago | (#17006040)

Oracle is still a more robust database, so one would expect there to be more bugs than another app with fewer modules and lines of code.
Your definition of "robust" must be wildly different than mine. I tend to use Webster's definition, where "robust" means "capable of performing without failure under a wide range of conditions". Obviously, you seem to think that the more robust the software, the higher the bug count!

Re:Oracle is right (2, Insightful)

gregmac (629064) | more than 7 years ago | (#17006132)

Comparisons of number of bugs are NEVER fair. The situation is even worse in a closed-source environment, because we may never actually see all the bugs that get fixed. Even in open source, we sometimes fix bugs in the code without filing a report. Sometimes bugs are filed for a misspelling in the user interface. Sometimes 4 or 5 bugs are reported based on behaviour alone, and upon inspection, there's really one root problem (maybe even something simple) that's causing all of those bugs, so one fix goes in and 5 bugs get closed. Does that count as 1 bug or 5? Do these studies of # of bugs take that into consideration?

Even calling something "severe" or not is a judgement call. I've seen many times a bug filed as severe only to have a developer look at it and refile it as trivial.

On top of all of this, it's not hard to "game" this system to make your company/project look better. Just raise your standards for what can be classified as a major vs minor bug (eg, file everything a bit lower than it normally would be). This standard is going to be set differently by different management teams and companies, so it's already skewed to try to compare. Someone trying to look like they have fewer bugs may also ask their team to refrain from filing bugs if they can (kind of like factories do with workplace accidents - they have incentive systems for employees/supervisors, part of that "We've gone X days without an accident" thing.. what really happens, is employees won't report accidents if they can get away with it because then they lose their incentives). At another company, they may have a policy to file bugs for EVERYTHING, so every change to the code requires a bug/feature ticket. What happens when you compare the # of "bugs" in these two companies?

Re:Oracle is right (1)

itlurksbeneath (952654) | more than 7 years ago | (#17006590)

Agree. The RDBMS itself is a small part of the actual delivered stack of code that delivers a wide range of functionality.

Plus.. Number of times MSSQL Server (a.k.a. Sybase fork) has brought my large organization's IT infrastructure to its knees - 1. Number of times Oracle has done the same - 0. And we've been running Oracle a LOT longer (mid-'80s, I think) than we have MSSQL Server.

Features? (0, Troll)

eluusive (642298) | more than 7 years ago | (#17005670)

Did they also mention that Oracle has 300 times as many useful analytical features as SQL Server? I use SQL Server 2005 at work and it's pathetic. Postgres is more useful!

Re:Features? -- defend your answer! (1)

LordEd (840443) | more than 7 years ago | (#17006056)

I use SQL Server 2005 at work and it's pathetic. Postgres is more useful!
How about defending your answer? What don't you like about SQL Server 2005, and what do you like about Postgres that SQL Server 2005 does not provide for you?

So far, from what I've seen in SQL Server 2005, it doesn't seem that bad. At work, we're experimenting with the new mirroring feature on some test servers.

Re:Features? (2, Insightful)

ergo98 (9391) | more than 7 years ago | (#17006262)

I use SQL Server 2005 at work and it's pathetic.

My spidey senses tell me that you've never actually used SQL Server at all.

Re:Features? (1)

molarmass192 (608071) | more than 7 years ago | (#17006838)

... not to mention that it's virtually impossible to lose data in an Oracle database. You can literally take a mish-mash of old backups from an Oracle db and have a solid chance of recovering your data if you run in archive log mode. I can't imagine anybody keeping data they give a damn about in MS-SQL, especially considering that it only runs on one of the most insecure OSes known to man. Yeah, Oracle is way too expensive and complex, but if you need your data available 99.999%, it really does offer the best guarantee of meeting that availability.

Re:Features? (1)

Control Group (105494) | more than 7 years ago | (#17006878)

How did this get modded "informative?" There's no actual information in the post, aside from a claim about "300 times as many useful analytical features," while providing no definition for "useful," much less anything like even a glimpse of what those "useful analytical features" are.

Really, this post parses to: Product A is WAY better than brand X! Even product C is better than brand X!

I see claims like that in TV ads all the time; I'm not tempted to call them "informative."

Stop counting flaws! (5, Funny)

91degrees (207121) | more than 7 years ago | (#17005676)

The number of flaws doesn't matter. A slice of cheese has one flaw as a database: it isn't a database. This doesn't make it a better product.

I dunno about that (1, Insightful)

palladiate (1018086) | more than 7 years ago | (#17005978)

Have you ever USED MS-SQL? At least the cheese doesn't take 45 minutes to report what flavor it is under normal load conditions...

Re:I dunno about that (1)

SScorpio (595836) | more than 7 years ago | (#17006644)

You might want to consider redesigning your indexes if it's taking that long to run queries, or move it off the webserver/fileserver/mailserver/dbserver.

Re:I dunno about that (1)

Dragonslicer (991472) | more than 7 years ago | (#17006902)

or move it off the... dbserver
Yeah, every competent DBA knows that you can't have your database on the database server.

Re:Stop counting flaws! (0)

Anonymous Coward | more than 7 years ago | (#17006632)

Reminds me of a totally offtopic thing one of my profs said. Something along the lines of:

"Be very skeptical of any tool that claims to be able to automatically fix bugs. Let's say I have a word processor. I will dictate the code to you in its entirety: int main, return 0. Give that to your tool, and tell it to fix any bug that causes it to deviate from the behavior of a word processor."

Check the data and the criteria before deciding (3, Funny)

Graabein (96715) | more than 7 years ago | (#17005696)

and customers must take a number of factors into consideration

Not least the criteria for selecting and enumerating flaws, and any differences between those criteria for the two products. Not saying that there is a problem, just that any prospective customer needs to take this into consideration and check his facts.

This whole study reminds me of a couple of years ago, when someone decided to make a comparative list of security flaws between Windows and Linux. For the former, they only included official Microsoft security fixes. For the latter, they included just about every bug in every open source project known to man. Big surprise, Windows was found to have fewer flaws.

When it comes to security, trust no one. Especially not research firms, security "specialists" and people mouthing off about security on Slashdot.

Hey, waitaminute....

Reported AND fixed (4, Interesting)

nels_tomlinson (106413) | more than 7 years ago | (#17005704)

From the summary: ... compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006.

Reported and fixed means that the company which doesn't fix bugs looks more secure. Not that I'm implying that MS is worse than Oracle on this, mind you. I just wanted to point out that this metric has loads of potential flaws.

What, specifically, are those "bugs"? (5, Insightful)

khasim (1285) | more than 7 years ago | (#17005740)

Between December 2000 and November 2006, external researchers discovered 233 vulnerabilities in Oracle's products compared with 59 in Microsoft's SQL Server technology, according to NGSS. The study looked at vulnerabilities that were reported and fixed in SQL Server 7, 2000 and 2005 and Oracle's database Versions 8, 9 and 10g.

Let's see that again.

The study looked at vulnerabilities that were reported and fixed...

So, if it wasn't fixed, was it counted?

The results show that Microsoft's software development life-cycle processes appear to be working, he said.

Huh? Security is not about "software development life-cycle".

That's why you have almost daily updates of anti-virus software for Microsoft products.

In an e-mailed comment, an Oracle spokeswoman said the number of reported vulnerabilities in a product alone is not a measure of the overall security of that software.

Big time. One remote root vulnerability is worth 10,000 local app crash vulnerabilities.

"Measuring security is a very complex process, and customers must take a number of factors into consideration -- including use-case scenarios, default configurations as well as vulnerability remediation and disclosure policies and practices."

Yep. Because Ubuntu has, by default, no open ports. So it is, by default, 100% resistant to worms.

Remember, you can never count on a user applying a patch. Your system has to be as secure as possible in the default, unpatched, configuration.

Basing a product's security just on the number of vulnerabilities discovered and fixed may not be the best approach, said Pete Lindstrom, an analyst at Midvale, Utah-based Burton Group.

Not only is it not "the best approach", it is a fucking idiotic approach only used by morons who have no understanding of what "security" is.

It's not the number of bugs. It's what access can be gained by that bug and how easy it is to invoke that bug in the various "standard" configurations.

Re:What, specifically, are those "bugs"? (4, Insightful)

Rich0 (548339) | more than 7 years ago | (#17006240)

While I agree with 95% of what you said, I'd take issue with this:

Ubuntu has, by default, no open ports. So it is, by default, 100% resistant to worms.

Not all worms require open ports to spread - a worm might target a low-level kernel flaw in the network stack (remember the ping-of-death?).

Re:What, specifically, are those "bugs"? (1)

d3fault (934623) | more than 7 years ago | (#17006442)

Damn, you beat me to it. I blame CNBC for distracting me momentarily.

Re:What, specifically, are those "bugs"? (0)

Anonymous Coward | more than 7 years ago | (#17006312)

So, if it wasn't fixed, was it counted?
My understanding is that they counted both the number of bugs and the number of bugs that were fixed.
 
Huh? Security is not about "software development life-cycle".
Yes, yes it is in part. A well developed system which had accommodation for security from the get go is inherently more secure than a system with security 'hacks'.
 
Big time. One remote root vulnerability is worth 10,000 local app crash vulnerabilities.
Remember, you can never count on a user applying a patch. Your system has to be as secure as possible in the default, unpatched, configuration.
It's not the number of bugs. It's what access can be gained by that bug and how easily it is to invoke that bug in the various "standard" configurations.
They are a security firm; surely we can assume that they did more than just count the number of bugs without taking anything else into consideration? In any case, I trust their opinion more than I do some random slashdotter's.

Re:What, specifically, are those "bugs"? (1)

d3fault (934623) | more than 7 years ago | (#17006338)

Yep. Because Ubuntu has, by default, no open ports. So it is, by default, 100% resistant to worms.
I wouldn't say 100% resistant to worms. There could still be points of entry if all ports are closed. Doesn't mean it's vulnerable but still.

Re:What, specifically, are those "bugs"? (1)

odourpreventer (898853) | more than 7 years ago | (#17006772)

That's why you have almost daily updates of anti-virus software for Microsoft products.

And? AVG [grisoft.com] has almost daily updates too. It's a Good Thing.

Hold on there! (0, Redundant)

RemovableBait (885871) | more than 7 years ago | (#17005748)

To quote from the summary:
"compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006."
(emphasis mine)

Now, I'll admit I haven't yet RTFA, but I think we've pretty much been through this before.

Just because there were more bugs reported and fixed in one product than another does not mean that product is more secure. There could have been hundreds of reported but as-yet-unfixed bugs in one of the products that isn't included. One company could have a greater emphasis on patching, squashing more bugs than its competitor. There could be thousands of unreported, unfixed and unknown bugs in both products. Perhaps not all of these bugs are security flaws. One product may have fewer bugs, but all of them are security related and none of the competitor's are. Need I go on?

The point is that these comparisons are sensationalism. The same happens in the whole 'Number of Linux patches VS Number of Windows patches' and 'Firefox flaws VS IE flaws' arguments -- and we all know the real story with those.

Re:Hold on there! (1)

DragonWriter (970822) | more than 7 years ago | (#17006226)

Just because there were more bugs reported and fixed in one product than another does not mean that product is more secure.

Actually, the argument here is because a product has fewer bugs reported and fixed, it is therefore more secure than one with fewer bugs reported and fixed.

That this metric is clearly bogus is, well, pretty obvious, since with two initially identical products, with the same bugs reported, the product which has the fewest bugs fixed will be rated "more secure".

If MS SQL Server only had one vulnerability (2, Interesting)

thewils (463314) | more than 7 years ago | (#17005786)

...and it was Slammer, you'd have to admit it was kind of a biggie.

nail - head - smack! (0)

Anonymous Coward | more than 7 years ago | (#17006470)

remind me again - how many times has Oracle software been used to DOS the ENTIRE freaking internet?

Re:If MS SQL Server only had one vulnerability (0)

Anonymous Coward | more than 7 years ago | (#17006666)

...and it was Slammer, you'd have to admit it was kind of a biggie.

No, I wouldn't have to admit that. Oracle has [had] many remote vulnerabilities. The fact that so many SQL Server/MSDE instances were exposed on public gateways without firewalls had far more to do with Slammer's effects than anything else.

Oracle is generally not splattered about on DMZ hosts and random desktops. It's usually a tier or two behind an actual firewall. The behavior of MSSQL Server users made Slammer's effect on the Internet possible. If Oracle users had TNS listeners sprinkled willy-nilly on every second machine, the same thing would become inevitable.

More bugs fixed == less secure? Since when? (1)

Red Flayer (890720) | more than 7 years ago | (#17005802)

... of Surrey, England, compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006. The tally: Oracle had 233; MS SQL had 59.
Maybe it's just me, but wouldn't it be more important from a security standpoint to determine which had more bugs that were reported and not fixed? Or even which has more bugs that weren't reported (which is, of course, undefined, and therefore invalidates this ridiculous study)?

Or perhaps weight the severity of the bugs?

I'm bitter today, but this mock-study is a joke, as are most security studies.

More FUD (2, Interesting)

coastwalker (307620) | more than 7 years ago | (#17005814)

All code has bugs. How many of the bugs are important to the users?

Who cares?

Re:More FUD (1)

hobo sapiens (893427) | more than 7 years ago | (#17006182)

I have been programming MSSQL and Oracle for about six years now, day in day out. I have never encountered a "bug" with MSSQL. I have encountered one bug with Oracle. Big deal. Work around it. One bug in six years is not a huge thing.

I suspect that these bugs pose more problems for DBAs/sysadmins than programmers/users. As far as I am concerned, neither one is buggy from the perspective of someone writing software that uses these databases as a back end.

Even if Oracle has more bugs, Oracle is faster and pl-sql is more powerful than T-SQL. That is what matters. A fast DB means a fast application. Oracle spanks MSSQL in terms of getting lots of data quickly. A good query on a well indexed Oracle table beats a good query on a well indexed MSSQL table in every instance that I have ever seen. No hard numbers, but that's according to years of hands on experience.

Re:More FUD (0)

Anonymous Coward | more than 7 years ago | (#17006558)

Have you seen the latest Ubuntu build? It's worlds better than Windows 95 - believe me I've tried both.

They both sound like risky propositions (1)

tcopeland (32225) | more than 7 years ago | (#17005816)

I think we'll stick with PostgreSQL [postgresql.org] for our little database [blogs.com] .

Who does most of the meaningful transactions on-line (0)

Anonymous Coward | more than 7 years ago | (#17005826)

You tell me who does most of the meaningful transactions on-line, and I will tell you whose code is scrutinized harder. I don't know of many banks that use MS-SQL server as their back-end for transactions, and for that matter, how many large e-commerce sites use MS-SQL for their back-end? Very little I surmise.

David Litchfield (3, Informative)

Cally (10873) | more than 7 years ago | (#17005846)

It should be pointed out that this is not just A.N. Random UK Software Co trying to flog product. This is David Litchfield, one of that small number of security researchers with whose names and work any self-respecting infosec analyst should be familiar. He's done a lot of really superb security work, including trashing several versions of SQL Server; so he knows whereof he speaks.

NGS have of course done work on SQL Server for Microsoft; I refer you to the brief and rather one-sided flamewar on Bugtraq/FD that erupted when this was pointed out... actually see for yourself [neohapsis.com] ... (and here's the Bugtraq thread [neohapsis.com] ). I predict this will deal with 75% of the "but this is nonsense, because..." posts ;)

He's got a lot of credibility. This is the point I'm trying to make :)

Re:David Litchfield (2, Insightful)

geoffspear (692508) | more than 7 years ago | (#17006324)

That's nice, but argument from authority doesn't work when the methodology used is clearly bogus. If Larry Ellison announced that MSSQL is more secure than Oracle and based that assertion on the number of bugs fixed in a given time period, I wouldn't trust him either.

No Sh*t (0)

Anonymous Coward | more than 7 years ago | (#17006054)

should be from the "No Sh*t Sherlock" department

59 bugs reported and fixed... (3, Funny)

Ant P. (974313) | more than 7 years ago | (#17006060)

x bugs reported and ignored, y bugs not reported at all and not fixed.

Re:59 bugs reported and fixed... (1)

element-o.p. (939033) | more than 7 years ago | (#17006452)

And don't forget the z bugs reported but silently swept under the carpet in the hope that no one would discover them.

My experience (5, Informative)

truthsearch (249536) | more than 7 years ago | (#17006188)

I worked extensively with Oracle and SQL Server for 10 years at 2 companies. I ran into bugs with both systems. There was a vast difference between how each company responded to our bug reports.

We never contacted Microsoft with anything but the most severe bugs, and only those not documented on their web site. Even having the highest contract possible with Microsoft, they charged us for each phone call. Never once did the first 3 people we talked to have a clue. After going through 3 or 4 people we got to speak to a developer. For every bug except one, we were told to wait for the next official patch or Service Pack to fix our issue. One time we were fortunate enough to have a DLL updated by a developer and sent to us directly. Response by developers was very quick, but the other staff responded slow.

At the same time, Oracle was paying out $10,000 for each bug found. I thought I found the golden ticket. Turns out someone else had reported this extremely obscure bug I found earlier, but it wasn't yet published online anywhere. Every time we contacted Oracle we got to speak to a developer very quickly. On at least one occasion they sent a developer to our office to help investigate a bug. Every bug we reported got a patch very quickly.

The support from Oracle was far, far superior to Microsoft. The bugs I ran into with Oracle were also far more obscure than those I found in Microsoft's SQL Server. I couldn't believe some of the things Microsoft left broken for months. Even if Oracle has a larger number of reported bugs I'd pick them over Microsoft any day.

Re:My experience (2, Informative)

ergo98 (9391) | more than 7 years ago | (#17006308)

Even having the highest contract possible with Microsoft, they charged us for each phone call.

Not only do even the basement support plans include free support calls, you are never charged if it's a bug in their product. So either you're a very poor communicator, a liar, or what you were calling about wasn't a bug at all.

Re:My experience (3, Insightful)

anto (41846) | more than 7 years ago | (#17006834)

Have you tried to call MS & log a 'support' call - more than once we have had to hand over the credit card no. before the call will be forwarded on. Of course with the promise that if there was an issue they wouldn't charge it.

Oracle on the other hand request your support contract no. (which they will actually look up for you); once you get past that really minor issue you never hear anything about money again. If you are unlucky enough to have a real bug that gets escalated you have the fun experience of hearing from someone from Oracle every few hours - the calls seem to come from all over the world (based on accents etc).

More than once I have had a custom patch created for what to Oracle must have seemed like a really minor bug.

Re:My experience (1)

aquatone282 (905179) | more than 7 years ago | (#17006726)

If you're not using your Super-secret Oracle Instant Support passkey, can I have it?

Please?

Re:My experience (1)

stinkbomb (238228) | more than 7 years ago | (#17006978)

Uh huh. And how much were the respective licenses for each product? Yeah. I thought so.

In Oracle's (Pseudo) Defence... (3, Interesting)

Randolpho (628485) | more than 7 years ago | (#17006220)

... they are rather quick to quash and fix a discovered security bug. Yes, there's a reason why I used both words. Check out the aftermath of this example [thedailywtf.com] at The Daily WTF.

You can thank Sybase (1)

MrDingDong (192786) | more than 7 years ago | (#17006248)

First of all, the product was originally Sybase SQL Server. Sybase named it SQL Server, not Microsoft. Microsoft and Sybase were working together on it, then Microsoft gave Sybase the boot as they usually do.

Sybase's current product is very solid, very reliable, and easy to use. It is a dream to work on compared to Oracle and I've worked on all three products.

Microsoft has added some features to SQL Server, but all in all, it is probably still very much a Sybase product at its core.

Re:You can thank Sybase (1)

Sezzler (467246) | more than 7 years ago | (#17006680)

Well, that was true in the early days, but MS recruited some pretty illustrious names prior to shipping version 7.0 - this was considered very much a rewrite. See Euan Garden's blog [msdn.com] for the detail.

But which one has had more patent infringements? (0)

Anonymous Coward | more than 7 years ago | (#17006344)

Seems like I remember MS having been sued a few years ago by a small company regarding some technology in MS SQL Server... Any such suits against Oracle?

Perhaps a key part of the wording... (1)

jamieswith (682838) | more than 7 years ago | (#17006462)

"Reported AND FIXED"

Doesn't that mean that SQL server could have had 1000 bugs reported during that period, but only 50 or so got fixed?

It might be just poorly worded, but if this really was the metric... it doesn't really mean anything about security; in fact one could argue that the higher number is better (since more were fixed!)

A few issues with the report... (0)

Anonymous Coward | more than 7 years ago | (#17006608)

As a security practitioner, there are a few things that are wrong with this report:

The number of published vulnerabilities does not indicate how 'secure' a product of software is. In fact, CERT no longer allows its research numbers to be used in this way, as it is considered misleading.

Oracle has a different approach to security vulnerability reporting than MS does. Oracle follows the CVSS (Common Vulnerability Scoring System) to allow customers to determine the level of risk in _their_ environment, with _their_ configuration. MS does not follow CVSS.

Just for historical purposes, I looked to the NVD stats page (http://nvd.nist.gov/statistics.cfm) listed in the article. If you search for Oracle DB server 10gR2 in 2006, you only see 3 vulnerabilities listed. I can't see how the numbers can be accurate...

Also, let's not forget that MS has recently confirmed that they do 'silent fixing' by attempting to patch/fix multiple issues in patches, and they perform undocumented changes. Last I checked, all changes were available in the Critical Patch Updates from Oracle.

I do not pretend to stand for Oracle or MS either way, but, I do stand for a level evaluation - particularly when it comes to security.

Re:A few issues with the report... (1)

blowdart (31458) | more than 7 years ago | (#17006882)

Just for historical purposes, I looked to the NVD stats page (http://nvd.nist.gov/statistics.cfm) listed in the article. If you search for Oracle DB server 10gR2 in 2006, you only see 3 vulnerabilities listed. I can't see how the numbers can be accurate...

If you were going to compare you should have also looked up Microsoft SQL server for 2006 when there were 0. You should note that MS SQL Server isn't broken down by versions either.

In other news . . . (1)

SSalvatore (666913) | more than 7 years ago | (#17006762)

both databases were reported to have more bugs than the Windows notepad.

Further studies also showed that the Windows notepad was more difficult to use than pen & paper and that oranges have more juice than apples :)

ORLY? (1)

patrick0brien (615224) | more than 7 years ago | (#17006774)

Well gee, even if it were true, I'd still be forced to run SQL Server on frickin' Windows!

As much as I dislike Microsoft products (1)

Billly Gates (198444) | more than 7 years ago | (#17006810)

MS SQL is a great product. It's their only product that has had years of uptime that I have only seen on Unix boxes, and it's easy to use and powerful. This also was back in the NT4 days, which was quite impressive.

I think this study might not be as much FUD as some are making it to be. Oracle is the kitchen sink and has many components such as development tools and APIs that come with their product. Microsoft has them as well but bundles them with MSDN and VS.net. So if you compare the development tools that come with the database against just SQL Server and not their ADO.net and other .net tools then yes, it's an unfair comparison. I guess I need more details on the test to know what they tested.