Please tell me we're better than Oracle. Please tell me that less than 11% of you have never patched your database server.
Who am I kidding? This is Microsoft software, of course you've patched your server. Heck, I bet half of you wouldn't even install SQL Server 2005 or SQL Server 2008 until you had SP1 on a disk right next to you so you could patch the instance before you did anything else.
I was reading an article this week about database security on the Dark Reading site and it referenced a poll from the Independent Oracle Users Group that said 26% of respondents take more than 6 months to patch their servers and 11% have never patched them. I had seen similar numbers a year or two ago, and I always wanted to follow up with people on the SQL Server side. Actually if anyone reading this runs a user group, do a poll of your member and let me know who hasn't patched a server.
I know that many people are overworked in today's corporations. It seems there's a never ending supply of things to do, and a huge demand that they get done, but a lack of resources. Those resources are DBAs and developers, and they're people with lives outside of work who let things slide so they can get home at a decent hour or not work all weekend.
The things they let slide? Patches, documentation, and other nuisance s that aren't usually checked on. Patches are especially a big thing to ignore since they cause downtime, which usually upsets all kinds of people and requires numerous approvals. Patches can also break things, which means more work, so if there was something to ignore, that is a big one.
Not patching your system usually doesn't cause a problem. Until it does cause a problem, and then it's a big problem. Patches aren't all about security, but many are.
I'm amazed how few security groups worry about database security, and how little most management teams emphasize security for databases. Getting the application working is way more important, and receives so much focus that protecting the information is ignored. The report linked in the article above (a separate download) starts out talking about banks and safes, and how they spend a lot of money protecting them because "that's where the money is."
Why don't we do the same for our jewels, our information?
Steve's Pick of the Week
Luck, Preparation, and Opportunity - From MVP Jonathan Kehayias, a great post. You make your own luck, primarily through hard work.
Note: I didn't do a podcast this week and I am thinking to discontinue the Database Weekly ones. They create a time crunch for me, and since I only do every 3rd or 4th Database Weekly editorial, they are very inconsistent. If you like the Database Weekly podcast and would like it to continue, let me know and I'll bring them back.