Last week, I revealed the SQL Slammer worm as a symptom of a larger problem: Many SQL Server professionals aren't promptly applying service packs and hotfixes. After exploring the many reasons contributing to this problem and the level of responsibility a vendor such as Microsoft has in making it easier to apply patches, I shared reader suggestions about how Microsoft could help us stay current and secure. Rome wasn't built in a day, and I don't expect Microsoft to fully address this problem overnight. But I'd like to close this series of Slammer commentaries with a statement that Microsoft Vice President of SQL Server Gordon Mangione made during a keynote address at a recent SQL Server conference: "Success can't be measured by whether or not a patch had been released and was available to our customers. Success needs to be measured by whether or not our customers were affected."
You might think that Mangione just stated the obvious. But I doubt Microsoft would have expressed such a sentiment in the not-so-distant past. Not long ago, the company would likely have taken the "we had a patch, so it's not our fault" position. In fact, that's exactly the stand Microsoft initially adopted last year when a series of email viruses hit the world—before tremendous community pressure forced the company to reevaluate its commitment to security. So Mangione's simple statement reflects a big shift in Microsoft's policy toward supporting the enterprise market.
Of course, Microsoft officials can easily make such a statement, but nice words don't guarantee that anything is fixed or will be fixed soon. SQL Server Magazine UPDATE readers shared myriad reasons why trained DBAs chose not to apply SQL Server 2000 Service Pack 3 (SP3) or the patch that would have kept Slammer from spreading. Microsoft must address these problems and initiate an ongoing dialogue with the user community to understand the pain that DBAs experience as they try to keep their systems up-to-date and secure.
I suspect that Microsoft will make a valiant effort to address these needs, though not out of any noble or philanthropic desire. Instead, I'm giving Microsoft credit for recognizing that SQL Server will fail as an enterprise-class database platform unless the company fully addresses this problem. Microsoft's new Transaction Processing Performance Council (TPC) TPC-C benchmark scores, which beat any single-server scores ever published by Oracle or IBM (see "64-bit SQL Server Clocks Fastest 32-Way TPC-C Result" in the News and Views section below), should put questions about SQL Server's scalability to rest once and for all. But bet on Oracle and IBM to start beating the drum, "Sure it's fast, but you can't count on it."
Perception often trumps reality. In some ways, it doesn't matter whether or not SQL Server is trustworthy; it matters whether or not people believe that SQL Server is trustworthy. Microsoft doesn't want a Slammer repeat, but other attacks are almost guaranteed to happen unless the company makes it less painful for part-time and full-time DBAs to keep their SQL Servers patched and up-to-date. I'm trusting Microsoft to tackle this problem head-on—not because it's the right thing to do (which it is) but because failure to do so will doom SQL Server to second-class status. And too much money is at stake in the enterprise database market for Microsoft to sit idly by and let that happen.