The Push to Upgrade from SQL Server 2005

  • Comments posted to this topic are about the item The Push to Upgrade from SQL Server 2005

  • This is the only time I don't miss SQL Server. I am currently in an Oracle shop with few SQL Server instances dotted about the place so rarely get the opportunity to work with SQL Server at the moment.

    Good luck to all of you upgrading.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Gary Varga (2/12/2016)


    This is the only time I don't miss SQL Server. I am currently in an Oracle shop with few SQL Server instances dotted about the place so rarely get the opportunity to work with SQL Server at the moment.

    Good luck to all of you upgrading.

    We have mostly SQL Server databases and a few Oracle ones. I'll take a SQL Server upgrade over this Oracle upgrade any day.



    The opinions expressed herein are strictly personal and do not necessarily reflect the views or policies of my employer.

  • SQL Server is relatively easy to upgrade but unless there's a feature in a newer version that an organization really wants or they want to install/upgrade an application that uses SQL Server there's not much incentive to upgrade.

  • ZZartin (2/12/2016)


    SQL Server is relatively easy to upgrade but unless there's a feature in a newer version that an organization really wants or they want to install/upgrade an application that uses SQL Server there's not much incentive to upgrade.

    Particularly considering the expense of upgrading. We tried to get 2014 last year and got shot down by the bean counters.

    ____________
    Just my $0.02 from over here in the cheap seats of the peanut gallery - please adjust for inflation and/or your local currency.

  • You said April 12, 2016 as a date to be out of compliance, but didn't give any details on what makes that date important.

    Can you share more info & a link to a site from a government or regulatory body, something a CIO would take as a trusted source?

  • Tony++ (2/12/2016)


    You said April 12, 2016 as a date to be out of compliance, but didn't give any details on what makes that date important.

    Can you share more info & a link to a site from a government or regulatory body, something a CIO would take as a trusted source?

    That's the scheduled end of life for SQL Server 2005. https://www.microsoft.com/en-us/server-cloud/products/sql-server-2005/



    The opinions expressed herein are strictly personal and do not necessarily reflect the views or policies of my employer.

  • Is the implication that being on an unsupported platform is out of compliance? Is that written fact by a government or standards body, or a common interpretation by auditors?

  • Tony++ (2/12/2016)


    Is the implication that being on an unsupported platform is out of compliance? Is that written fact by a government or standards body, or a common interpretation by auditors?

    That I'm not sure about. In the past my company had a contract with another company that specified that we can't run any of their processes on unsupported software. I think Steve was talking about PCI and HIPAA regulations, which I don't have to deal with.



    The opinions expressed herein are strictly personal and do not necessarily reflect the views or policies of my employer.

  • Thanks for this info, Steve!!

    - webrunner

    -------------------
    A SQL query walks into a bar and sees two tables. He walks up to them and asks, "Can I join you?"
    Ref.: http://tkyte.blogspot.com/2009/02/sql-joke.html

  • This is ironic. Today we're upgrading that SQL 2005 instance I mentioned last week. In our case we're going to SQL 2012. (I don't know why they didn't go to SQL 2014, but oh well.)

    Anyway, back to it...

    Kindest Regards, Rod

  • PCI Standards, section 5: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

    6.2 has been mentioned, but 6.1 notes you must install vendor patches. I have had auditors say that if the vendor no longer supports the software, and does not provide patches, then the software, and system, is out of compliance with PCI. I suppose you could argue that the standard does not say the software must be supported, but I'm not sure how that would go.

    There was a lot of discussion about this since WinXP was widely used in PCI environments. I suspect there are people running XP, but a number of auditing companies have said running unsupported software is automatic PCI failure.

    As with many things, YMMV. The rules do not specifically state this, and there is some argument that having a risk analysis and plan for dealing with issues is enough. However, I would suspect if this were to come to legal rulings, judges and juries would not look favorably on an organization choosing to run unsupported software, risking new security vulnerabilities being disclosed.

    HIPAA is similar. A company was fined for using XP: http://www.emrandhipaa.com/emr-and-hipaa/2014/12/11/firewall-windows-xp-hipaa-penalties/?utm_medium=email&utm_campaign=b4b4dfcebd-RSS_EMAIL_CAMPAIGN&utm_source=Healthcare+Scene&utm_term=0_4092230e89-b4b4dfcebd-61051725

    Regarding government agencies, it is probably dependent on your area, but I would bet this is a termination-worthy practice if there are issues.

    Apr 12, 2016 is the day when extended support goes away. Most people don't have extended support, but MS provides security patches until this date.

  • LightVader (2/12/2016)


    Tony++ (2/12/2016)


    Is the implication that being on an unsupported platform is out of compliance? Is that written fact by a government or standards body, or a common interpretation by auditors?

    That I'm not sure about. In the past my company had a contract with another company that specified that we can't run any of their processes on unsupported software. I think Steve was talking about PCI and HIPAA regulations, which I don't have to deal with.

    PCI requirements tend to focus more on how the data is stored, accessed and transmitted, not so much the specific technology. A credit card number encrypted with the proper level of encryption is equally secure regardless of what medium it's stored in.

  • What we need are a clique of popular MVPs to start applying negative peer pressure.

    "You're still using SQL Server 2000 and 2005??? Ew! Seriously.. dudes, that is like.. so totally gross."

    Ew Seriously So Gross

    https://www.youtube.com/watch?v=nzkhXMd1d3U

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Tony++ (2/12/2016)


    You said April 12, 2016 as a date to be out of compliance, but didn't give any details on what makes that date important.

    Can you share more info & a link to a site from a government or regulatory body, something a CIO would take as a trusted source?

    Here's something from the US government's Health and Human Services website:

    http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/enforcement/examples/acmhs/acmhsbulletin.pdf

    See the second paragraph.

    "Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software."

    -Tom
