My SQL Server is Fine – So Why Bother Patching?


While many organisations have a roadmap to migrate to Azure or modernise to supported versions of SQL Server, there are others that, for various reasons, will need to maintain legacy versions.

Maybe the application running on the legacy version is not compatible with newer versions of SQL Server, or perhaps the application vendor has gone out of business. Whatever the reason, the legacy application – including the SQL Server and Windows architecture supporting it – is often left as is. The intent is that, at some stage, the application will be retired in favour of something better and the supporting architecture will be decommissioned.

In these situations, the legacy applications can become more important to the business. They remain mission critical, as does the data they hold. These SQL Servers become legacy servers supporting legacy applications.

Patching SQL Servers is always an important maintenance task to address bugs and security holes. It’s even more important for organisations to ensure their SQL Server is patched to the most up-to-date patch level possible when Microsoft ends support.

What does ‘End of Support’ Actually Mean?

Essentially, as of the end-of-support date, Microsoft will no longer provide any service packs, hotfixes, security patches or technical assistance for the product in question unless you pay for an expensive custom support agreement.

Microsoft has periodically released service packs and security patches for its SQL Server products. Legacy systems like SQL Server 2000 and 2005 will soon be joined by SQL Server 2008 and SQL Server 2008 R2. All of these legacy systems need to be patched to the latest service pack and cumulative update. Not only does this provide the latest bug fixes, it also secures your environment against the security issues known at that time.

“If it ain’t broke, don’t fix it” – Right? Wrong

Convincing the powers-that-be to apply service packs and cumulative updates to legacy servers can be a challenge for DBAs, for the following reasons:

  • Patching can be time-consuming and will involve some downtime.
  • After any patching work is carried out, the system should be tested to ensure there are no issues or problems. DBAs may need to convince some users to perform user acceptance testing after business hours to make sure the application is performing as it should.
  • There may be a perception that the legacy server “works fine now, so why mess with it?” Similarly, the organisation may believe that because the legacy server is “behind the firewall” it is “safe”. But if it’s left unpatched, it’s potentially vulnerable.
  • Sometimes patching is regarded as a possible cause of performance issues, resulting in resistance to patching within the organisation.

Security of data is essential

When most IT professionals think about security they tend to focus on keeping people outside the organisation out of the system. But it’s equally important to be concerned about securing data from people within the organisation.

When a legacy system is vulnerable, it’s easy for employees – whether intentionally or not – to access and destroy data they are not supposed to be a party to. They can do this by exploiting security holes in the SQL Server: it is very easy for any user to download and run security tools from the internet (e.g. Metasploit) and gain access to the SQL Server databases and the data they host.

Such scenarios can be prevented by closing out any security bugs with the latest patch. Remember the ‘slammer’ virus that exploited security holes in SQL Server 2000? If your organisation’s SQL Server is not patched to the latest version, worms like this can cripple the system.

Which patch level?

To determine the patch level of your SQL Server you can run the following query:

select @@version

The output includes the build (version) number, which identifies the patch level. The best way to interpret it is to check it against https://sqlserverbuilds.blogspot.com/, which lists all SQL Server service packs and cumulative updates together with their build numbers. For SQL Server 2008, SQL Server 2008 R2 and other legacy versions of SQL Server, it is recommended to apply the latest service pack and cumulative update available.
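The following T-SQL script is an added example (not part of the original post) of turning that check into something repeatable: it reads the build number from SERVERPROPERTY rather than the @@version banner, splits it into integers so that 9.x and 10.x compare correctly, and flags the instance when it sits below a baseline build. The @baseline table and its min_build values are assumptions; the numbers are placeholders you replace with the build list from the site above.

```sql
-- Added example: compare this instance's build number against an approved
-- baseline. DECLARE and SET are kept separate, and rows are inserted one at a
-- time, so the script also runs on SQL Server 2000/2005.
DECLARE @build    nvarchar(128);
DECLARE @level    nvarchar(128);
DECLARE @edition  nvarchar(128);
SET @build   = CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion')); -- e.g. 10.50.6000.34
SET @level   = CONVERT(nvarchar(128), SERVERPROPERTY('ProductLevel'));   -- RTM, SP1, SP2 ...
SET @edition = CONVERT(nvarchar(128), SERVERPROPERTY('Edition'));

-- Some older releases report a three-part number (major.minor.build); pad it
-- to four parts so the PARSENAME positions below stay stable.
IF LEN(@build) - LEN(REPLACE(@build, '.', '')) = 2
    SET @build = @build + '.0';

-- PARSENAME reads dotted names right to left: part 4 is the major version.
-- Comparing integers avoids the string-order trap where '9.00' sorts after '10.0'.
DECLARE @major int, @minor int, @buildno int;
SET @major   = CONVERT(int, PARSENAME(@build, 4));
SET @minor   = CONVERT(int, PARSENAME(@build, 3));
SET @buildno = CONVERT(int, PARSENAME(@build, 2));

-- Baseline table (assumed structure): the build of the latest service pack /
-- cumulative update you have approved for each product line. The min_build
-- values are PLACEHOLDERS; take the real numbers from the build list.
DECLARE @baseline TABLE (major int, minor int, min_build int, product nvarchar(40));
INSERT INTO @baseline (major, minor, min_build, product) VALUES (8,  0,  0, 'SQL Server 2000');
INSERT INTO @baseline (major, minor, min_build, product) VALUES (9,  0,  0, 'SQL Server 2005');
INSERT INTO @baseline (major, minor, min_build, product) VALUES (10, 0,  0, 'SQL Server 2008');
INSERT INTO @baseline (major, minor, min_build, product) VALUES (10, 50, 0, 'SQL Server 2008 R2');

-- One result row: which product line this is, its current build and level,
-- and whether it is below the approved baseline.
SELECT  ISNULL(b.product, 'Version not in baseline list') AS product,
        @build   AS current_build,
        @level   AS product_level,
        @edition AS edition,
        CASE WHEN b.min_build IS NULL    THEN 'No baseline defined'
             WHEN @buildno < b.min_build THEN 'BELOW BASELINE - patch required'
             ELSE 'At or above baseline' END AS patch_status
FROM    (SELECT @major AS major, @minor AS minor) AS v
LEFT JOIN @baseline AS b ON b.major = v.major AND b.minor = v.minor;
```

Run it from a scheduled job or a central management query across every instance so the servers that drift below the baseline surface in one report rather than one login at a time.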

And remember, if you’re unsure reach out to us here at WARDY IT Solutions. We’ll be happy to help.