SQL Yukon a major security concern

Users should hold off deploying Microsoft's next version of SQL Server until the first service pack because of major security concerns, analysts have warned.

Yukon, the company's next SQL release, is due next year, but analyst Gartner has said that it expects it to contain a high number of security flaws.

Based on the past record of Microsoft products that contain significant changes from previous releases, Gartner analyst John Pescatore has advised risk-averse enterprises to wait for at least the first service pack before deploying internet-exposed implementations of SQL Server.

"Early Yukon adopters that don't want to wait for this pack should enable the minimum number of operating system services required and monitor Computer Emergency Response Team alerts for any announced vulnerabilities," he said.

"After the Nimda worm decimated Windows-based web servers in 2001, Microsoft began more thoroughly to test its software products for security bugs.

"This effort, along with that of external security experts who found flaws Microsoft had not, exposed numerous serious security flaws in SQL Server and forced Microsoft to issue seven vulnerability alerts since April 2002.

"Gartner believes that, because Microsoft won't release Yukon until 2003, determining what production-worthy steps Microsoft will take to improve security will prove extremely difficult."

Pescatore predicted that most enterprises would not migrate applications to Yukon before mid to late 2004.

"Yukon is an important product for Microsoft. However, the company has not yet clearly stated whether it will redefine SQL Server's scalability and availability or redefine SQL Server as the definitive database management system [DBMS] to support Microsoft's operating system, application and development initiatives," he explained.

Gartner suggested that Yukon would be a "montage", with a number of scalability and availability features, but enough to let it compete with IBM and Oracle at the very high end of the DBMS market.

Yukon will probably also have a number of "hooks" to support Microsoft's applications, but they would not be likely to change the role of SQL Server in the DBMS market, added Pescatore.