Oracle Has More Flaws Than SQL Server

jcatcw writes, "Next Generation Security Software Ltd. of Surrey, England, compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006. The tally: Oracle had 233; MS SQL had 59. The products compared were Oracle 8, 9, and 10g; SQL Server 7, 2000 and 2005. From the article: '[The head of the survey said,] "The results show that the reputation that Microsoft SQL Server had back in 2002 for relatively poor security is no longer deserved."' Oracle's response: 'Measuring security is a very complex process, and customers must take a number of factors into consideration — including use-case scenarios, default configurations, as well as vulnerability remediation and disclosure policies and practices.'"

translation

[User 956]

Oracle's response: 'Measuring security is a very complex process, and customers must take a number of factors into consideration -- including use-case scenarios, default configurations, as well as vulnerability remediation and disclosure policies and practices.'

Oracle's response in english: Clearly you have no idea what you're doing, because your results showed us in a poor light. Perhaps you'd like to try again. We have a bag of money for you.

Re:translation

[HairyCanary]

I tend to agree. But Oracle does have a point. Trying to distill a security argument down to number of bugs is oversimplifying. The severity of the bugs, how easy they are to exploit, etc are all important to consider. Even more important in my opinion is how quick the vendor is at fixing them. If Oracle's average time to fix was 24 hours compared to six months for Microsoft, the 4:1 bug ratio is not such a big deal.

Re:translation

[SatanicPuppy]

It's typical MS fud. They LOVE to harp on how many bugs their competition has, but there is a hell of a lot more to it than quantity. Slammer [symantec.com] anyone?

Oracle is a huge robust database with lots of extremely security conscious clients. A high number of reported bugs and fixes shows that they're executing due diligence, and working to keep their system as secure as possible. MSSQL's low number of bugs suggests that Microsoft isn't digging hard into their code, but only waiting for big public flaws.

They used the same argument in claiming that IE was less buggy than Firefox (see this crappy article [informationweek.com]) and it's just as untrue in this case.
 

Re:translation

[arivanov]

Oracle is also the database with the longest time to fix security bugs. I will simply quote the message from BUGTRAQ which is most relevant to this thread. It about says it all:
Thor (Hammer of God) wrote:
David Litchfield is one of the most predominant security researchers in the field, particularly in the area of database security. He and NGS have discovered more combined security vulnerabilities in leading DBMS products than anyone else in the world.
Given this fact, I think that not only is it appropriate for David to give whatever opinions he chooses in his research, but that it is his opinions that actually give the research real, tangible, applicable value. With his indisputable status as an authority on database security and his unwavering integrity, I have no problem whatsoever in considering Dave's opinions to be "fact."
Actually the whole discussion on BUGTRAQ is definitely worth reading. By the way the vulnerability behind Slammer was discovered by guess who - David Litchfield.

Re:

[Anonymous Coward]

Slammer anyone?

The slammer worm was released in 2003, and affected a vulnerability that had been patched eight months prior. The last discovered vulnerability for SQL 2000 was in January 2004.

A high number of reported bugs and fixes shows that they're executing due diligence, and working to keep their system as secure as possible.

heh. You used Oracle and Due Diligence in the same sentence.

MSSQL's low number of bugs suggests that Microsoft isn't digging hard into their code, but only waiting for big public flaws.

Possibly. There is another possible reason for the low number of discovered flaws, but I don't think you want to hear that one.

Re:

[drinkypoo]

MSSQL came from Sybase 10, which was a quite excellent database with a much better reputation than Oracle at the time. It didn't scale as well, but it was quite a bit faster on mid-size data sets. If this is the one division in Microsoft that's employing people who actually fix bugs, I'd say this is an entirely credible report. Given what a PITA Oracle is in general, it's not even unlikely.

Re:translation

[Anonymous Coward]

I'm not an oracle person, but from my understanding oracle allows you to have finer grained security on data, stored procedures and so on than sql server. Perhaps the complexity of oracle compared to sql server is part of the reason there are more bugs.

Lets face it, a bug report can be anything from a misspelled error message to a gaping sa/root/admin (whatever oracle calls it) compromise.

Severity is important. For instance, most popular linux distros (minus gentoo) have quite a few security holes do to third party package inclusion. Often the holes are not severe, but they do make linux look artificially insecure compared to some other operating systems. If redhat pushed 90 updates a month at you and Microsoft only 35... well who looks less secure? How many were feature enhancements? How many did each vendor NOT include a fix for?

Disclaimer: My above reference to linux distros only includes bloated packages like redhat, suse, etc. Most people using these distros tend to do a "full install". I'm a mysql or sql server user whenever possible.

Often one could argue that smaller companies get less attention so a large number of vulnerabilities would indicate a very insecure product. Oracle is obviously smaller than microsoft as a whole. In this case, oracle gets a lot of attention as its used for large scale deployments as well as their *lovely* business practices.

Re:translation

[A_Non_Moose]

Lets face it, a bug report can be anything from a misspelled error message to a gaping sa/root/admin (whatever oracle calls it) compromise.

If that is the case, oracle's mgmt tools heavy reliance not only on java, but *specific* version of java
w/o updates I'm aware of, would explain a lot.

off the top of my head:
Input fields that don't register the first key press, menu item that don't redraw for some reason, refreshes and connection errors that require exit/relaunch.

Other frustrations like that, that aren't oracle's "fault" per se, but don't help the spec/check sheet for bugs.

Didn't RTFA (yet), but are those counted as bugs? I'd like to know.

Re:translation

[ZachPruckowski]

You're right. This survey is pretty messed up. I mean, we're comparing *bugs fixed*. Not bugs still open, or any measure of severity, or what got exploited, or any measure of turn-around time.

This is like saying that Fire Department A put out less fires than Fire Department B. That's nice, but what I really want to know is how long it took for the trucks to arrive, the size of the fires, and also if there are any houses that burned down before the Fire Department got there.

Re:

[The_Wilschon]

You might also want to know how many houses in the area are built like tinderboxes.

The bottom line is of course "Am I more likely to have a security problem while using Database A or while using Database B?" Perhaps some studies ought to be done to determine the relationship between measurable things like number of bugs, time to patch, etc, and various user's perception (or perhaps security pros' perception) of how many security problems were actually had. Then we'd be able to actually assign some sembl

Re:

[abradsn]

I agree, counting bugs is an oversimplification...

My biggest surprise here is that they only found/or reviewed less than a couple hundred bugs each. Strange, because I am sure that I can find more bugs than that in 4 days work on each product. This research can't be all that deep. I must be missing something???

Any normal QA person would be able to find that many bugs in 10 or 20 days.

If you offer a ton of additional features...

[emil]

...then it stands to reason that you will have a ton of additional bugs.

This argument in no way excuses Oracle for their timely patch cycle (or lack thereof), but may explain the higher number of patches.

I haven't looked at the Sybase/SQL Server family for awhile, but I assume that it still doesn't offer anything like Flashback, LogMiner, richer indexing, direct LGWR connection to DataGuard, resumable transactions, or even basic multiversioning.

Re:If you offer a ton of additional features...

[RevMike]

If you offer a ton of additional features...then it stands to reason that you will have a ton of additional bugs.

This argument in no way excuses Oracle for their timely patch cycle (or lack thereof), but may explain the higher number of patches.

It is also important that Oracle supports virtually any server platform in current use, while SQL Server only supports a small number of similar platforms. Back in 2001 I was still getting support for Oracle 7.0 on VAX/VMS! One get Oracle on Linux, AIX, Solaris, HP-UX, zOS, OS400, Windows, a variety of Alpha platforms, Itanium platforms, etc. And this isn't shallow level support. Oracle can utilize their own file systems, so they are going at the bare hardware on all these systems. Care to guess what that does to the QA cycle?

Oracle is the shiznit when it comes to high performance general database work. It will scale far beyond almost everything else, with DB2 a close #2. Niche players like TeraData have their place too, but only Oracle can scale across the entire enterprise.

Re:

[kpharmer]

> Oracle is the shiznit when it comes to high performance general database work. It will scale far beyond almost everything else,
> with DB2 a close #2. Niche players like TeraData have their place too, but only Oracle can scale across the entire enterprise.

Sure, if you're talking transactional systems (like airline reservations). But if you're talking about data warehousing, very large scale analytics - then db2 and teradata have the upper hand. Oracle's clustering is for failover, db2's clustering

Re:

[Doctor Memory]

Not to mention the fact that Oracle has optimized just about every function far beyond what can reasonably be maintained. The amount of special-case code scattered throughout the system means that fixing a bug requires that you test lots of odd-wad configurations and test loads. If the special case in the data loader that lets (say) Exxon-Mobil load a couple terabytes of data in three hours instead of a weekend introduces a new bug, do you think they'll honk off a major account or patch around it?

Plus con

Re:

[sbrown123]

Nahhh. You're making too much sense. To find an easier explanation, I just used the common excuse for defending the security holes and bugs in two popular Microsoft products: Internet Explorer and Windows. What you have to say is "more people use Oracle, so that is why there are more security holes and bugs".

Re:

[Bo'Bob'O]

My database program is far smaller, faster, cheaper, has ZERO bugs, and will never corrupt your data.. so long as your data is "Hello" and "World".

Re:

[drzhivago]

I didn't know that SQL Server 2005 was standard with Windows 2003 Server. When did they start bundling it?

Re:

[drinkypoo]

Oracle's response in English: We don't force bundle our product onto servers where it really shouldn't be in the first place.

Arguably every OS should come with an RDBMS and applications should make more use of it instead of depending on a broad assortment of different mini-databases like sqlite and such. There's nothing wrong with them on their own but with ten programs that each use them, I've effectively got ten copies of sqlite (tiny - not a big deal) which each may be of a different version (which i

Re:

[jedidiah]

>> Arguably every OS should come with an RDBMS...

There's no good reason that such a facility would be open to remote exploitation or even have a facility that could be set up in a remotely exploitable fashion.

Although this isn't about what your mother stores all of her recipes on. This is about what your bank stores your net worth on.

Re:

[drinkypoo]

If you look around, peek your head around and such, lots of banks aren't even running any Microsoft anything. Wells Fargo for example uses a Unix-based system with X Terminals at the teller windows. I sincerely doubt any bank worth mentioning is storing my data in MSSQL. (with all that said, my current bank uses windows PCs as terminals, because they are stupid.)

Re:

[Psiren]

Well, it's not a bank per se, but the London Stock Exchange recently converted to SQL Server. As far as I know, there have been no major problems. No doubt they had a team of Microsoft guys on site for months before they threw the switch, but then with a job that big you'd need to.

I'm going to assume a great deal of the bitterness towards SQL Server on here is just because it's Microsoft. However, it has its roots in Sybase, which when I used it several years back I found to be very good. We've not had any

Re:

[drinkypoo]

Actually I don't have much problem with SQL Server except that it has Microsoft's name on it and thus Can Not Be Trusted(tm). Anything that furthers the Microsoft attempt to dominate the world is Bad in my book. Ultimately my biggest complaint is that IMO nothing mission-critical should ever run on windows, and that's the only place you CAN run MSSQL.

Re:

[thsths]

> Arguably every OS should come with an RDBMS and applications should make more use of it instead of depending on a broad assortment of different mini-databases like sqlite and such. There's nothing wrong with them on their own but with ten programs that each use them, I've effectively got ten copies of sqlite

Try ubuntu. It comes with one version of sqlite (3.0), and every piece of software can use only this version. So from amarok to xine, they all use the *same* sqlite library. And you get security upd

Re:

[drinkypoo]

Well, I do use ubuntu on my personal laptop, but at work I am forced to use windows so it doesn't help me. (I'm also forced to use OSX, sigh. I'd rather windows.) And, if I download a binary (they're a lot rarer these days but they're still around) it won't help me.

Re:

[Lonewolf666]

Arguably every OS should come with an RDBMS and applications should make more use of it instead of depending on a broad assortment of different mini-databases like sqlite and such. There's nothing wrong with them on their own but with ten programs that each use them, I've effectively got ten copies of sqlite (tiny - not a big deal) which each may be of a different version (which is a big deal since some or all of them may have holes) instead of just having one database that gets updated, along with its clie

Re:

[Nocturnal Deviant]

XP quite good now? apparently "Patch Tuesday" isn't in your monthly things to do list.... or checking windows update every day.... and as to the google comment... if Microsoft wasn't worried about google(shocking realization i know) then why is microsoft finally changing their browsers, and msn search since google and firefox came around..? google: Latest Windows XP bugs http://www.google.com/search?hl=en&q=Latest+Window s+XP+bugs&btnG=Google+Search [google.com] ...OMGZ 51,500,000 results hey everyone just o

Re:

[pfdietz]

There was some work at Microsoft's research labs that came out in 2001 that's directly applicable to this thread: Don Slutz's work on massive stochastic testing of SQL systems. Basically, he generated random SQL queries and threw them at several database systems, looking for discrepancies and crashes. This kind of testing is disturbingly effective at finding weird bugs.

I would not be at all surprised if Microsoft has banks of servers do nothing but continuous randomized testing of their database product.

Summary title is vague

[ArcherB]

MSSQL is a SQL Server. MySQL is a SQL Server. Oracle is a SQL Server. Please be more specific and explain which SQL Server you are talking about.

Granted, the summary does explain that the article does indeed refer to MSSQL Server, but please stop calling it just SQL Server. MSSQL Server != SQL Server

(OK, I feel better. What is the moderation for RANT?)

Re:

[jimstapleton]

Actually, Microsoft's SQL Servier is the only one of the three that actually has "SQL Server" in it's name, or even as it's name.

Re:

[hey]

Yes, please don't let Microsoft own the name "SQL Server". It so wrong to say just "SQL Server"!

Re:

[stuktongue]

Butters, goddammit!

Re:

[hobo sapiens]

Microsoft just so happens to be so uncreative that they gave their DB server application a name that is merely a description. Calling it SQL Server is appropriate, since that is, after all, what it calls itself and as far as I know, is the de facto name for the software. Yes, it's a bit like calling a Web Browser WebBrowser. Blame MS for picking a nondescript name.

Re:

[M. Baranczak]

Microsoft just so happens to be so uncreative that they gave their DB server application a name that is merely a description.

Could have been worse... [apple.com]

Re:

[Surye]

Oh? [microsoft.com]

Re:

[entrylevel]

Or... *shudder*... eMail!

Re:Summary title is vague

[drinkypoo]

Actually, the name of the product is "Microsoft SQL Server". Still a stupid name but it's not just "SQL Server". Lazy techies are responsible for not using the full name, not that I blame them. What I want to know is how Microsoft managed to convince a court that the name of another product of theirs was actually "Windows" and not "Microsoft Windows" (look at the box sometime!) which forced all those other people to change their product names.

Re:

[jZnat]

I'm pretty sure the nesting in the trademarks is ((Microsoft)® Windows)® (at least in the US).

Re:

[John Hasler]

> What I want to know is how Microsoft managed to convince a court that the name
> of another product of theirs was actually "Windows" and not "Microsoft
> Windows"

They didn't. They were about to lose their suit against Lindows and with it the WINDOWS trademark when they ponied up enough cash to buy an out of court settlement.

Firefox Has More Flaws Than Web Browser?

[GodWasAnAlien]

NFS has More Flaws Than File Server?

yes, what exactly is the title talking about?

Re:

[ImaLamer]

Since the GP started this, I'll bite.

They are called context clues. "SQL Server" is used above as a proper noun, look at the usage: "than SQL Server".

It's not "than an SQL server", not "than other SQL Servers", just "than SQL Server".

If you don't know that they are talking about Microsoft's product, then you are not in the DB business, and the story wasn't intended for you. (Not to say you can't read it, in fact if you RTFA you will learn that SQL Server is a PROPER NOUN).

Re:

[Jamu]

Same thing with "%*$^ing piece of $^%* database". How can you tell if they are talking about MSSQL or Oracle?

Re:

[ferretworks]

Have to agree with the masses. Calling it SQL Server seems to only piss off the people who don't work with it. I don't call the Office suite Microsoft Office. It is just Office. Microsoft was clever in their naming schemes. If I am talking about a SQL server that is Oracle, I wouldn't refer to it as "Oracles SQL Server", nor would MySQL be "MySQL SQL Server".

That would just be silly.

So, your anger is Microsoft's gain. And every time you get angry at Microsoft, they kill a kitten.

Re:

[espressojim]

Or, you just call Oracle SQL Server "Oracle".

As in: Why is &#@*& Oracle ignoring my indexes and forcing a hash join on two 1M+ row tables AGAIN? GAAAAH!

People will know what you mean.

Re:

[Billly Gates]

Microsoft's marketing department uses active and positive verbs and nouns in naming their products so they appear to be better than the competition as well as the human brain memorizes mnuemics easily. Examples are, explorer, Word,Excel, access, active directory, and MS SQL Server. Microsoft's core customers are pretty clueless when it comes to technology and use their stuff to get work done. Using positive and active simple names that represent what they do does make a difference. If your thinking "SQL" s

Re:

[Blakey Rat]

(OK, I feel better. What is the moderation for RANT?)

-1, You know what he meant you pedantic ass

Re:

[ArcherB]

No, not really. MySQL [Community Server] is a database server that supports SQL. Oracle [Database] is a database server that supports SQL. MSSQL [Microsoft SQL Server] is a database server that supports SQL. The latter is often known simply as SQL Server.

I understand where it comes from, but SQL and SERVER are both industry terms, link ANSI, ASCII or C. When someone says a program is written in C, do we assume that it was written with Borland C? I just don't like the way MS trademarks generic names to try

Re:

[ArcherB]

Tell that to Lindows...er Linspire.

Oracle is more complex

[sitturat]

Anyone that has tried to read (or even tried to lift up) one of the oracle manuals knows that this is seriously feature-rich and complicated stuff. It would be more interesting to see how many bugs per line of code the two contenders have.

Re:

[MrScience]

SQL Server's documentation has gotten so large that they only ship it on-disc. 6.5 had 10lbs of books.

Oracle is right

[Josh Lindenmuth]

While the # of vulnerabilities is unacceptable, Oracle is right ... just comparing the # of bugs is not really valid. Now if Oracle has had more Severe security violations that Microsoft, it would be a different (and far more interesting) story. Oracle is still a more robust database, so one would expect there to be more bugs than another app with fewer modules and lines of code.

Re:

[gregmac]

Comparisons of number of bugs are NEVER fair. The situation is even worse in a closed-source environment, because we may never actually see all the bugs that get fixed. Even in open source, we sometimes fix bugs in the code with filing a report. Sometimes bugs are filed for a misspelling in the user interface. Sometimes 4 or 5 bugs are reported based on behaviour alone, and upon inspection, there's really one root problem (maybe even something simple) that's causing all of those bugs, so one fix goes in and

Re:

[Doctor Memory]

those who have experience sever [sic] problems are not doing something right

Like creating large tables with multiple indexes? SQL Server is infamous for corrupting data and indexes when things get too big for it to handle (tables over 500GB w/ 10+ indexes). There's a reason why big shops like to run DBCC CHECKDB once a week or so...

Stop counting flaws!

[91degrees]

The number of flaws doesn't matter. a slice of cheese has one flaw as a database. It isn't a database. This doesn't make it a better product.

Re:

[TLouden]

Well, I'd think the cheese is much less prone to security failures. Only physical access is going to have any affect and even then, nothing of value will come of it.

Re:

[gludington]

The number of flaws doesn't matter. a slice of cheese has one flaw as a database. It isn't a database. This doesn't make it a better product.

You are vastly oversimplifying, and clearly have not funded a study of the market. Cottage cheese passes an ACID test, and I hear that Swiss Cheese is full of holes.

Re:

[SScorpio]

You might want to consider redesigning your indexes if it's taking that long to run queries, or move it off the webserver/fileserver/mailserver/dbserver.

Re:

[SScorpio]

No, you'd have a database server but not one that's also your file server, mail server, and web server.

Check the data and the criteria before deciding

[Graabein]

and customers must take a number of factors into consideration

Not least the criteria for selecting and enumerating flaws, and any differences between those criteria for the two products. Not saying that there is a problem, just that any prospective customer needs to take this into consideration and check his facts.

This whole study reminds me of a couple of years ago, when someone decided to make a comparative list of security flaws between Windows and Linux. For the former, they only included official Microsoft security fixes. For the latter, they included just about every bug in every open source project known to man. Big surprise, Windows was found to have less flaws.

When it comes to security, trust no one. Especially not research firms, security "specialists" and people mouthing off about security on Slashdot.

Hey, waitaminute....

Reported AND fixed

[nels_tomlinson]

From the summary: ... compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006.

Reported and fixed means that the company which doesn't fix bugs looks more secure. Not that I'm implying that MS is worse than Oracle on this, mind you. I just wanted to point out that this metric has loads of potential flaws.

What, specifically, are those "bugs"?

[khasim]

Between December 2000 and November 2006, external researchers discovered 233 vulnerabilities in Oracle's products compared with 59 in Microsoft's SQL Server technology, according to NGSS. The study looked at vulnerabilities that were reported and fixed in SQL Server 7, 2000 and 2005 and Oracle's database Versions 8, 9 and 10g.

Let's see that again.

The study looked at vulnerabilities that were reported and fixed...

So, if it wasn't fixed, was it counted?

The results show that Microsoft's software development life-cycle processes appear to be working, he said.

Huh? Security is not about "software development life-cycle".

That's why you have almost daily updates of anti-virus software for Microsoft products.

In an e-mailed comment, an Oracle spokeswoman said the number of reported vulnerabilities in a product alone is not a measure of the overall security of that software.

Big time. One remote root vulnerability is worth 10,000 local app crash vulnerabilities.

"Measuring security is a very complex process, and customers must take a number of factors into consideration -- including use-case scenarios, default configurations as well as vulnerability remediation and disclosure policies and practices."

Yep. Because Ubuntu has, by default, no open ports. So it is, by default, 100% resistant to worms.

Remember, you can never count on a user applying a patch. Your system has to be as secure as possible in the default, unpatched, configuration.

Basing a product's security just on the number of vulnerabilities discovered and fixed may not be the best approach, said Pete Lindstrom, an analyst at Midvale, Utah-based Burton Group.

Not only is it not "the best approach", it is a fucking idiotic approach only used by morons who have no understanding of what "security" is.

It's not the number of bugs. It's what access can be gained by that bug and how easily it is to invoke that bug in the various "standard" configurations.

Re:What, specifically, are those "bugs"?

[Rich0]

While I agree with 95% of what you said, I'd take issue with this:

Ubuntu has, by default, no open ports. So it is, by default, 100% resistant to worms.

Not all worms require open ports to spread - a worm might target a low-level kernel flaw in the network stack (remember the ping-of-death?).

Re:

[plumby]

And as far as I can tell, AVG is anti-virus software for Microsoft products.

It's not a Good Thing that this is necessary (which, I'm guessing, was GP's point - Microsoft, and its software development lifecycle, produces OSes that are so insecure that they require anti-virus tools to be updated daily).

If MS SQL Server only had one vulnerability

[thewils]

...and it was Slammer, you'd have to admit it was kind of a biggie.

More bugs fixed == less secure? Since when?

[Red Flayer]

... of Surrey, England, compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006. The tally: Oracle had 233; MS SQL had 59.

Maybe it's just me, but wouldn't it be more important from a security standpoint to determine which had more bugs that were reported and not fixed? Or even which has more bugs that weren't reported (which is, of course, undefined, and therefore invalidates this ridiculous study)?

Or perhaps weight the severity of the bugs?

I'm bitter

More FUD

[coastwalker]

All code has bugs. How many of the bugs are important to the users?

Who cares?

They both sound like risky propositions

[tcopeland]

I think we'll stick with PostgreSQL [postgresql.org] for our little database [blogs.com].

David Litchfied

[Cally]

It should be pointed out that this is not just A.N. Random UK Software Co trying to flog product. This is David Litchfield, one of that small number of security researchers whose names and work any self-respecting infosec analyst should be familar. He's done a lot of really superb security work, including trashing several versions of SQL Server; so he knows whereof he speaks.

NGS have of course done work on SQL Server for Microsoft; I refer you to the brief and rather one-sided flamewar on Bugtraq/FD that erupted when this was pointed out... actually see for yourself [neohapsis.com]... (and here's the Bugtraq thread [neohapsis.com]). I predict this will deal with 75% of the "but this is nonsense, because..." posts ;)

He's got a lot of credibility. This is the point I'm trying to make :)

Re:

[geoffspear]

That's nice, but argument from authority doesn't work when the methodology used is clearly bogus. If Larry Ellison announced that MSSQL is more secure than Oracle and based that assertion on the number of bugs fixed in a given time period, I wouldn't trust him either.

Re:

[jedidiah]

If anything, the given thread demonstrates what any sensible person would expect: He's not a database expert. He managed to make a number of obvious errors and mischaracterized a number of non-RDBMS bugs and bugs from entirely other products as Oracle bugs.

Re:

[Bryansix]

The only thing informative about this post is that David Litchfied just went on my shitlist of people to ignore.

59 bugs reported and fixed...

[Ant P.]

x bugs reported and ignored, y bugs not reported at all and not fixed.

Re:

[element-o.p.]

And don't forget the z bugs reported but silently swept under the carpet in the hope that no one would discover them.

My experience

[truthsearch]

I worked extensively with Oracle and SQL Server for 10 years at 2 companies. I ran into bugs with both systems. There was a vast difference between how each company responded to our bug reports.

We never contacted Microsoft with anything but the most severe bugs, and only those not documented on their web site. Even having the highest contract possible with Microsoft, they charged us for each phone call. Never once did the first 3 people we talked to have a clue. After going through 3 or 4 people we got to speak to a developer. For every bug except one, we were told to wait for the next official patch or Service Pack to fix our issue. One time we were fortunate enough to have a DLL updated by a developer and sent to us directly. Response by developers was very quick, but the other staff responded slow.

At the same time, Oracle was paying out $10,000 for each bug found. I thought I found the golden ticket. Turns out someone else had reported this extremely obscure bug I found earlier, but it wasn't yet published online anywhere. Every time we contacted Oracle we got to speak to a developer very quickly. On at least one occassion they sent a developer to our office to help investigate a bug. Every bug we reported got a patch very quickly.

The support from Oracle was far far superior to Microsoft. The bugs I ran into with Oracle were also far more obscure than those I found in Microsoft's SQL Server. I couldn't believe some of the things Microsoft left broken for months. Even if Oracle has a larger number of reported bugs I'd pick them over Microsoft any day.

Re:

[ergo98]

Even having the highest contract possible with Microsoft, they charged us for each phone call.

Not only do even the basement support plans include free support calls, you are never charged if it's a bug in their product. So either you're a very poor communicator, a liar, or what you were calling about wasn't a bug at all.

Re:My experience

[anto]

Have you tried to call MS & log a 'support' call - more than once we have had to hand over the credit card no before the call will be forwarded on. Of course with the promise that if there was an issue they wouldn't charge it.

Oracle on the other hand request your support contract no (which they will actually look up for you) once you get past that really minor issue you never hear anything about money again. If you are unlucky enough to have a real bug that gets escalated you have the fun experience of hearing from someone from oracle every few hours - the calls seem to come from all over the world (based on accents etc)

More than once I have had a custom patch created for what to oracle must have seemed like a really minor bug.

Re:

[Duhavid]

Actually, it's "you are not charged, if Microsoft, in their judgment, decide that it was a bug in their product."

But you have to hand over the credit card *first*, as the other poster said.

Re:

[OriginalArlen]

Every bug we reported got a patch very quickly.

Wait, this is the same Oracle that silently fixes bugs three years after they've been reported?!

This study doesn't make SQL Server look good. It's security record is pretty average over the last couple of years, since the SDL stuff Litchfield mentions. (A comparison of MSSS with MySQL and PostgreSQL... now, that would be interesting.) Oracle are without doubt the worst so-called "Enterprise Software" vendor going today; their attitude is notorious. The fact that they make MS SQL server look good by compar

Re:

[swilver]

Oracle leaves stuff broken and calls it a feature, like treating the empty string as NULL. Or not providing standard 32-bit/64-bit numerical types which is incredibly annoying and short sighted as it means we now have to make sure that no numbers overflow somehow (either on our side or on Oracle's side, depending on how data is being updated) and cannot be stored safely into an 32 bit integer. Or imposing stupid limits that no other database imposes, like for example doing 200 INSERTs in a table which has

Re:

[truthsearch]

I realize you're trolling, but I'll respond anyway. At both companies the finance and legal departments managed the contracts, with the DBAs kept in the loop, so I don't know the details. I was told we had the highest level contract outside of government agencies.

I have personally stumbled across at least a dozen undocumented bugs in MS SQL Server and VB. Most of the VB ones (which I didn't report) turned up in the "Knowledge Base" eventually. Every initial call to Microsoft support required the submiss

Re:

[Shados]

Either that was a long time ago and policies changed ( I wasn't working with SQL Server 10 years ago), or you were being lied to about the support contract. A simple MSDN subscription or microsoft partnership gives you at least SOME free calls. I'd be guessing "the highest possible contract" would give quite a bit more...

Sounds more to me like it was the "highest possible contract" they could find on the web site, and that was a decade ago, or something along that line. I'd feel gipped if I was you :)

Re:

[dedazo]

ROFLMAO, that's rich. Well, here's another chance to mod me down as a "troll". Knock yourselves out.

In Oracle's (Pseudo) Defence...

[Randolpho]

... they are rather quick to quash and fix a discovered security bug. Yes, there's a reason why I used both words. Check out the aftermath of this example [thedailywtf.com] at The Daily WTF.

As much as I dislike Microsoft products

[Billly Gates]

MS SQL is a great product. Its their only product that has had years of uptime that I have only seen on Unix boxes and its easy to use and powerful. This also was back in the NT4 days which was quite impressive.

I think this study might not be as much fud as some are making it to be. Oracle is the kitchen sink and has many components such as development tools an d apis that come with their product. Microsoft has them as well but bundles them with MSDN and VS.net. So if you compare the development tools that

Yes it is complex to count flaws

[plopez]

Disregarding that what we have is *known or announced* flaws, Oracle may or may not be 'better' than SQL Server as:
1) Locking down SQL Server is much harder. It is easier to run Oracle as a restricted user than SQL Server, reducing vulnerability. SQL Server, if you want to use SQL Agent, replication or other high end functions requires you to elevate the privileges under which you must run it.

2) SQL Server is *much* more reliant on the underlying OS. Which means you may want to count at least some of the OS

More Flaws

[trongey]

I have more flaws than Oracle and SQL Server combined.

This just in

[mattwarden]

My left arm has more dead skin cells than my right index finger.

SQL Server

[nurb432]

That is the one product that microsoft 'got it right' with. Thou i dont agree with the new pricing structure of 05, when they hit the 2000 version it was actually a good product.

Not that im a MS fan, but i do give them credit when its due.

Where's the rest of the picture...

[urlgrey]

What about our friends from IBM with DB2 and our friends at MySQL and PostgreSQL?

I realize they're only comparing the two, but why?

That's a bit like only comparing BMW and Lincoln when comparing car brands for safety. Sure, it's useful to see one relative to the other, but removed from the overall marketplace, it's not a particularly useful comparison.

Re:Features? -- defend your answer!

[LordEd]

I use SQL Server 2005 at work and it's pathetic. Postgres is more useful!

How about defending your answer? What don't you like about SQL server 2005, and what do you like about Postgres that SQL Server 2005 does not provide for you.

So for from what i've seen in SQL Server 2005, it doesn't seem that bad. At work, we're experimenting with the new mirroring feature on some test servers.

Re:

[ergo98]

I use SQL Server 2005 at work and it's pathetic.

My spidey senses tell me that you've never actually used SQL Server at all.

Re:

[SageMusings]

I think he meant "MS Access".

Seriously, I wish people could come up with cogent arguments instead of "sux, half-assed implementation, or crashes all the time"

My organization uses SQL SERVER 2005 and we have had nothing but great success. I especially love the XML data type with schema binding. In my recollection, the only failures we have had was either hardware-based or DBA-error.

Cheers!

Re:

[molarmass192]

... not to mention that it's virtually impossible to lose data in an Oracle database. You can literally take a mish-mash of old backups from an Oracle db and have a solid chance of recovering your data if you run in archive log mode. I can't imagine anybody keeping data they give a damn about in MS-SQL, especially considering that it only runs on one of the most insecure OSes known to man. Yeah, Oracle is way too expensive and complex, but if you need your data available 99.999%, it's really does offer the

Re:

[Control Group]

How did this get modded "informative?" There's no actual information in the post, aside from a claim about "300 times as many useful analytical features," while providing no definition for "useful," much less anything like even a glimpse of what those "usefule analytical features" are.

Really, this post parses to: Product A is WAY better than brand X! Even product C is better than brand X!

I see claims like that in TV ads all the time; I'm not tempted to call them "informative."

Re:

[DragonWriter]

Just because there were more bugs reported and fixed in one product than another does not mean that product is more secure .

Actually, the argument here is because a product has less bugs reported and fixed, it is therefore more secure than one with less bugs reported and fixed.

That this metric is clearly bogus is, well, pretty obvious, since with two initially identical products, with the same bugs reported, the product which has the fewest bugs fixed will be rated "more secure".

Re:

[jimicus]

There are also a couple of minor issues which aren't mentioned:

1. If you're buying software rather than developing it yourself, the first question isn't "is the database secure?", it's "does this software solve my problem?".
2. If you are developing software yourself and you're concerned about security, you should be putting a firewall between the database server and the app server, and setting various standards in your development processes which say things like "all data will be checked before being pass

Agreed!

[FatSean]

SQL server has always been a second-rater in the big DB wars. DB2 and Oracle being the best. They should have stuck DB2 in there too...

Re:

[pestilence669]

While Oracle has more flaws it certainly is a much more complex product, so it stands to reason. Besides, Oracle vs. SQL Server is not a fair comparison at all. SQL Server is quite bare.

The "flaws" I've experienced with SQL Server either made my server crash or corrupted my databases to all hell. I've never had an Oracle server (or any other vendor's product) corrupt my tables, thank you very much. I think MS brought this "feature" over from their Jet / Access engine.

If you compare the severity of these fla

Re:

[IdleTime]

There is cruft in Oracle that dates back to the mid '80s and it's showing.

Oracle needs a through refactoring. They'll either do it under their own steam or the market will do it for them.

Well, no not really. There is old code in there, but it is not cruft, but well functioning code.

I'm also concerned about Oracle's development practices.

What? Can you explain what you mean because I have no idea what you are talking about.

Quality is continues to be poor for the first few releases of any new feature. Witness 10g EM; there are .nohup files lurking in (*nix) log directories. I find that astonishing.

Huh? What exactly war you talking about? Oracle does not store any files in standard *NIX log directories.

ASM won't be suitable for widespread use for two or three releases, 11xR2 or something. That should have been right on try #1 six or seven years ago.

Completly wrong. Thousands of customers are using ASM today and with great success. Please explain what the heck you are talking about.

Re:

[dedazo]

Microsoft and Sybase were working together on it, then Microsoft gave Sybase the boot as they usually do.

Microsoft and Sybase were not "working together" on anything. Microsoft bought the source code for the Sybase RDBMS engine core and a royalty-free license to do anything they wanted with it, including competing with Sybase.

Microsoft has added some features to SQL Server, but all in all, it is probably still very much a Sybase product at its core.

Yes, it hasn't changed at all since version 6.5. Just