New Security Update for SQL Server in July 2019 Patches

It doesn’t look like this affects SQL Server 2008 or SQL Server 2008 R2, since the earliest platform listed is SQL Server 2014, but SQL Server is included in Microsoft’s release of patches today. Here’s the vulnerability:

CVE-2019-1068 | Microsoft SQL Server Remote Code Execution Vulnerability

It’s a remote code exploit, but the attacker has to be connected to SQL Server because the vulnerability can only be exploited using a specially crafted query. The code would execute in the context of the database engine service account (hopefully not configured to run with administrative rights on the server or elevated rights in Active Directory).

The Microsoft security announcement is here (this is the 2014 GDR link; there are other links for other configurations):

Description of the security update for SQL Server 2014 SP3 GDR: July 9, 2019

Why do I mention SQL Server 2008 / 2008 R2? That’s because those versions are no longer under Extended Support and will not receive security updates. If you haven’t migrated, I’ve written an article at Simple Talk talking about your options.

Guidance on Moving Off of SQL Server 2008 and 2008 R2

July 9, 2019 will be here soon. With it comes the end of support, including security updates for SQL Server 2008 and SQL Server 2008 R2 unless you either migrate to Azure or enter into an agreement program with Microsoft. I know quite a few folks are facing this situation, so I wrote a guide covering why to migrate (other than regulatory) as well as what to do if you can’t, over at Simple Talk: The End of SQL Server 2008 and 2008 R2 Extended Support.

Amazon’s Concept of Ownership and Technical Debt

I’m reading Think Like Amazon: 50 1/2 Ideas to Become a Digital Leader. In talking about Amazon’s pursuit of a second headquarters, John Rossman wrote the following regarding ownership:

Amazon’s second leadership principle is “Ownership,” by which leaders at Amazon strive to never sacrifice long-term value for short-term results.

Where I think this is appropriate is the issue of technical debt. Technical debt is when we choose a less efficient approach for the sake of expediency, or when some aspect of our system needs an update that we keep deferring. This can occur, for instance, as a particular software product we depend on is about to move into Extended Support or move out of support altogether.

Too often I’ve heard there is too much focus on features and new functionality. However, when this selection is done at the expense of paying down technical debt, we are sacrificing long-term value for short-term results. Technical debt carries with it the same concept as monetary debt. There’s an interest rate for technical debt. It may be in how long it takes folks to do some task. It could be in the additional cost to support a product. It could be that the organization is less responsive to change because the technical debt becomes a roadblock for moving forward. As a result, teams start using workarounds just to move forward, which incurs more technical debt. At some point, we have to address that technical debt to reduce what we’re paying in interest.

As an architect, I’m always going to push for this concept of ownership. We can look at the success of organizations like Amazon, Toyota, etc. which take ownership seriously. That track record is my justification for focusing on long-term value.

#tsql2sday – A Letter to My 20 Year-Old Self

Self,

I am writing this to you in my mid 40s. I know when I was 20, I wasn’t thinking about 30, much less 40. Here’s some advice I’d give you to learn from.

You’re going to have some doors close that you think should be open. That’s okay. When those doors close, others will open. You will be in ministry, but not full time. Again, this is okay. You will still be in IT. This is how you will be able to do what you do in ministry. Remember, we don’t live to work. We work to live.

Keep being eager to learn. At 45 you are not focused in any one technology area. You often joke that you haven’t been able to figure out what you want to be when you grow up. However, your myriad of skill sets is what allows you to do what you do. As an architect, being well-rounded is key. That’s true of IT in general.

Make peace with leaving the military. It’s not your path. Yes, you will always have a longing to be back. It’s one of those doors that will close. Take what you have learned from your time on Active Duty and apply them in the civilian world. It’s not good to live in the past. Rather, move forward into the challenges of the present for a more exciting future.

Work on your soft skills. You can’t fall back on the excuse of being an extreme introvert. You’re also going to find plenty of validation supporting you being the way you are. However, that doesn’t mean the people you need to influence are going to see your viewpoint unless you can have empathy enough to understand theirs.

Learn to balance your time between work and life outside of work. Work will always ask for more and more and more. You are going to be forced into the position where you will be Choosing to Cheat either work or family. Choose to be faithful to your family first.

That’s a good enough set of action items. Carry them out. Enjoy the journey as you do. And don’t forget to celebrate the wins, especially the wins of people around you.

Basic SQL Server Configuration Help for Involuntary DBAs

After my presentation at the Techno Security and Digital Forensics conference, I had an information security professional stop by to ask a few questions. He’s in the position where he supports other clients, since he works in a third-party security operations center (SOC). The reason most of these clients pay for a SOC instead of developing one of their own is cost. Since they don’t have the money to splurge on a lot of IT positions, another one that’s usually missing is the DBA.

Oftentimes, as a SOC provider, when they interact with clients they can tell fairly quickly that the SQL Servers aren’t configured well. However, they don’t have the knowledge to go in and help their clients in a quick and easy way. He asked for advice. I pointed him to something that we have in our community: sp_Blitz. It’s part of the First Responder Toolkit from Brent Ozar.

Why did I recommend that particular tool? There are several reasons:

  1. It’s designed to provide a quick health check of your SQL Server.
  2. It’s a free tool (yes, you have to register), meaning budget isn’t an issue.
  3. The community has worked on and contributed to it.
  4. It provides explanations and recommendations on how to fix what’s wrong.

For someone such as an involuntary DBA or a consultant trying to assist a client when that’s not your primary skill set, it lets you make solid recommendations immediately that will improve the SQL Server setup. And it’s not hard to set up and run.
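As an added example (not from the original post or the First Responder Kit itself), here is a typical way to run sp_Blitz and keep its findings for follow-up. It assumes sp_Blitz is already installed in master, that you have the rights it needs to read the server DMVs, and that a database named DBA_Health exists; the DBA_Health and BlitzResults names are constructed for this example.

```sql
-- Assumed: sp_Blitz (First Responder Kit) is installed in master and the
-- DBA_Health database already exists. Table/database names are constructed.
USE master;
GO

-- 1. Interactive health check, including a server-info summary.
--    Results come back as one result set; lower Priority = more urgent.
EXEC dbo.sp_Blitz
    @CheckUserDatabaseObjects = 1,
    @CheckServerInfo          = 1;
GO

-- 2. Keep a history: sp_Blitz creates the output table on first use, so each
--    run can be compared with the last one instead of re-reading a screen.
EXEC dbo.sp_Blitz
    @OutputDatabaseName = N'DBA_Health',
    @OutputSchemaName   = N'dbo',
    @OutputTableName    = N'BlitzResults';
GO

-- 3. Pull the security-related findings from the most recent run first.
--    Each row carries a URL explaining the finding and how to remediate it.
SELECT Priority, Finding, DatabaseName, Details, URL
FROM   DBA_Health.dbo.BlitzResults
WHERE  CheckDate = (SELECT MAX(CheckDate) FROM DBA_Health.dbo.BlitzResults)
  AND  FindingsGroup = N'Security'
ORDER BY Priority, Finding;
GO
```

Run it in a non-production environment first; the history table makes it easy to show a client which findings were fixed between visits.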

If you haven’t looked at this tool before, grab it, put into a non-prod environment, and see if it can help you.

Mini-Rant: Spoofed Phone Numbers and Trust

I’ve seen this more and more over the last year: I receive a phone call with a number that indicates it’s coming from a town or city near me. For instance, I received a call where the number reported to Chapin, SC. Curious to see if it was a company trying to sell something, I answered it. Of course, it wasn’t from Chapin. The company was based in Oregon and the person who was on the other end was in a call center that probably wasn’t even in the United States. Many of you have received similar calls.

Yes, it was a cold-call by a company looking to drum up business for their products or services. However, business relationships, like any other relationship, have to have some level of trust. When a company initiates contact using a deceptive practice like exploiting the flaw in the initiation protocol for caller ID, they hurt any attempts at establishing that trust and building a relationship. Not to mention that such a practice is potentially illegal.

I understand the rationale: we’re more likely to answer the phone if we see that it’s a number near us. However, not only does this practice impact trust, but it is training us not to answer the phone unless we recognize the number. We are starting to move from a slight chance of answering the phone for a number we don’t recognize to absolutely no chance. Therefore, the practice is counter-productive. Yet companies are still doing it.

Maybe I’m naive, but I think a company has a better chance of establishing a business relationship by doing everything it can to establish trust from the initial contact onward. I want to trust the folks I’m doing business with. Therefore, if you start by showing me you are going to engage in deceptive practices, then I don’t want to work with you. I’m sure I’m not alone.

Same Webcast, New Name: Introduction to Auditing Features in SQL Server

I’m giving another webcast through This one is on May 9, 2019, at 3 PM EDT. It’s called Introduction to Auditing Features in SQL Server. We renamed it to reflect the “this is how you get started” nature of the content. You can register here:

Webcast Registration Link (free)

Here’s a description of the talk:

SQL Server has many options to monitor activity. However, like any solid performing relational database management system (RDBMS), SQL Server only turns on the bare necessities by default for performance sake. In this webinar we’ll look at what we get out of the box after an install. We’ll talk about what information is captured as well as what’s missing. Then we’ll look at what other options you can activate with your SQL Servers to include additional auditing in order to meet your business needs. As we consider those additional options, we’ll also briefly discuss what the implications are for turning on those features, whether it’s the amount of information to sift through or the potential for a noticeable performance impact.
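As an added illustration of the kind of "additional option" the talk description refers to (example code, not from the webcast or the original post), this is a minimal SQL Server Audit that captures logins and changes to server-level principals and roles, then reads the audit files back. The audit and specification names and the D:\SQLAudit\ path are assumptions for this example; the QUEUE_DELAY and ON_FAILURE settings are where the performance-versus-completeness trade-off mentioned above is made.

```sql
-- Assumed names and path; adjust to your environment.
USE master;
GO

-- Server audit: where the events go. QUEUE_DELAY (ms) lets writes buffer so
-- the engine does not block; ON_FAILURE = CONTINUE keeps the server up if the
-- audit target cannot be written (choose SHUTDOWN only if policy demands it).
CREATE SERVER AUDIT Audit_Logins_And_Principals
    TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT Audit_Logins_And_Principals WITH (STATE = ON);
GO

-- Server audit specification: which action groups to capture.
-- Failed logins are in the error log by default; successful logins, role
-- membership changes and changes to the audit itself are not.
CREATE SERVER AUDIT SPECIFICATION AuditSpec_Logins_And_Principals
    FOR SERVER AUDIT Audit_Logins_And_Principals
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- Read the captured events back. action_id 'LGIF' = failed login,
-- 'LGIS' = successful login; the other groups appear with their own ids.
SELECT event_time, action_id, succeeded, server_principal_name,
       client_ip, statement
FROM   sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
```

SUCCESSFUL_LOGIN_GROUP is the one most likely to generate volume on a busy server, so watch the file growth after enabling it.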
