Yes, Some good points, Gail.
It is true that SQL Server 2008 provides some very good auditing facilities, and they're not bad in SQL Server 2005. However, the argument cuts both ways: It is obviously in Microsoft's interests to make that upgrade to 2008 as difficult to resist as possible, and in that light, the conspiracy theorists can argue that, if there was an opportunity to elucidate ways in which the users of prior versions of SQL Server can improve their auditability via a Transaction-log viewer, then Microsoft will sit on their hands. The increase in international rules for compliance are definitely a pressure point for those companies that are otherwise reluctant to upgrade. SQL Server 2008 makes compliance easier.
Whereas I'm an enthusiast of DDL triggers, I don't believe that data triggers are a good choice for auditing. They may be the best pragmatic solution for papering over the cracks in an existing application that cannot be re-engineered to be intrinsically auditable. I wouldn't even want to argue that triggers are a substitute for being able to view transaction logs, as they do nothing to solve the problems of retrospective 'forensic' audit in historical data.
It is true that the structure of the Log is likely to change, but the same is true of the behaviour of other 'implementation-specific', but supported, aspects of SQL Server. sp_MakeWebTask, for example? If the log changes within versions, as you suggest, it cannot be a significant change as the third-party log-rescue tools all work within versions.
The problem with leaving 'log rescue' to third party tools is that they don't fit easily into the commercial model of 'Try-before-buy'. You only need a tool like this in an emergency. Once the emergency is over, you don't want it. That's why SQL log Rescue is free (and up to SQL 2000 only!). It would be much better to make it part of the supported product.
One slightly scarey thought bothers me though: If the structure and processes of the transaction log were fully documented, then would it then be maliciously hacked? We'd then lose some confidence that we currently have that backups constitute 'evidence'.
Phil FactorSimple Talk