A whole series of “speculative execution side-channel attacks” were disclosed in the first week of 2018, as detailed in this Microsoft article: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
Major security events like this highlight the severe risk companies are taking in running SQL Server 2005 and below. SQL Server 2005 is outside Microsoft extended support meaning you will not receive a patch for this security vulnerability or any other.
SQL Server 2008 and 2008 R2 exit extended support in July 2019. I know this seems a long time away (writing in January 2018), and you haven’t planned your 2018 summer holiday yet, but it will soon arrive. You need to add a backlog item to your Kanban board now to decide your next action:
- Do nothing (run an unsupported backend on the understanding you are vulnerable to any security flaws and are non-compliant)
- Upgrade in-place on-premises
- Upgrade to new hardware on-premises
- Migrate to Azure SQL Database (*)
- Migrate to Azure Managed Instance (*)
- Migrate to Azure VM
- Migrate to an alternative cloud provider
- Purchase SQL Server Premium Assurance to extend your support period
Another interesting point is the patches for SQL Server 2016 and 2017 were released 04/Jan/2018. At the time of writing this post on 10/Jan/2018, patches for SQL Server 2012 and 2014 have not yet appeared. Patching promptness, along with performance benefits and new features, might influence your decision if you’re considering an upgrade to SQL Server 2017.
The two items with an asterisk are known as fully-managed. Microsoft will take care of patching for you when you subscribe to such services. Automatic patching is one of some fantastic benefits I have written about before at How Vulnerable is Your Data? Stop Malware Attacks using Azure SQL Database. While hundreds of thousands of IT professionals spent their first week of 2018 staring at glum-faced executives in soulless meeting rooms deciding on a patching and testing strategy, consumers of Azure SQL Database were smoking a big fat cigar working on the next exciting feature to improve their app.
When comparing the cost of on-premises SQL Server licensing to a cloud alternative, items such as automatic patching should be factored into your total cost of ownership calculation. What is the real cost of managing your strategy to combat speculative execution side-channel attacks? Cost items include:
- Meetings to discuss patching strategy
- Documentation and communication
- Applying patch to the Operating System
- Applying patch to SQL Server
- Downtime
- Testing
- Loss of IT resources to work on revenue-generating features
Since we are discussing cost, staff recruitment and retention is also a very important consideration. If you purchase SQL Server Premium Assurance, you might attempt to recruit database talent in 2023 to work on SQL Server 2008. Supporting a 15-year-old technology will not make a very appealing job posting.
It is a great time to revisit the reasons you have not previously used cloud services to ensure they are still valid. If your preference is on-premises, an upgrade of unsupported or soon-to-be-unsupported versions of SQL Server should be your priority.
If you'd like some help with upgrading, consolidating or migrating to Azure, Coeo can assist you.