Microsoft is beating Oracle hands down with the security of its database, according to a new report. 

David Litchfield, a security researcher with NGS Software, published a whitepaper entitled Which database is more secure? Oracle vs. Microsoft (PDF download) on 21 November comparing the number of software vulnerabilities patched by both vendors in their respective products in the past six years. 

Microsoft patched 59 vulnerabilities in its SQL Server 7, 2000 and 2005 databases during the period, while Oracle issued 233 patches for software flaws in its Oracle 8, 9 and 10g databases.

The research also pointed out that Microsoft has not issued a single security bulletin for its databases since mid-2003, whereas Oracle has seen a spike in patches in recent years.

Litchfield ranked Microsoft SQL Server 2000 service pack 4 as the most secure database in the market, together with the PostgreSQL open source project. He ranked Oracle's 10g database at the bottom. 

"It will take me five minutes to find a new bug in the Oracle 10g database, but I cannot do that with SQL Server 2005," Litchfield told vnunet.com in an interview. 

Litchfield claims to have reported 49 vulnerabilities to Oracle that the company has yet to patch.

Other researchers are sitting on dozens of so-called zero-day vulnerabilities, including security firm Argeniss which plans to have a Week of Oracle Database Bugs in December to demonstrate the vendor's poor security record. 

Litchfield's report deals another blow to Oracle. Analyst firm Enterprise Strategy Group (ESG) published a research note earlier this month blasting Oracle's security record, drawing largely the same conclusions.

The ESG report, Microsoft SQL Server Runs the Security Table, (PDF download) attracted criticism, however, prompting Litchfield to publish his whitepaper.