More on SQL Server Service Pack Installation Practices

Comments left on that computerworld article make it seem that CPUs can only be installed once the db is already patched to a certain version, and that CPUs usually only cover most recent versions. I can easily imagine cases of 3rd party apps using Oracle back ends that don’t support upgrading the back end (unless requiring an upgrade of the front end app too), leaving the company stuck keeping older versions of a database and therefore unable to apply most recent CPUs (especially if the only business reason to upgrade the front end would be to allow the upgrade of the backend.) It’s no different for other databases and operating systems. How many new patches do you see made for sql 6.5 or 7?

If Oracle CPU = MSFT hotfix, this article shouldn’t be surprising. Even for most recent versions of the databases, ask Microsoft SQL DBAs if they always install the most recent hotfix no matter what and you will likely get similar answers. But I would say it’s because Microsoft itself says not to.

Refer to the following kbs:

http://support.microsoft.com/kb/894905/ lists the hotfixes for sql 2000 since sp4
http://support.microsoft.com/kb/937137 lists the hotfixes for sql 2005 since sp2.

Included on each is a link to http://support.microsoft.com/kb/935897/ which talks about a new approach for hotfixes to make them more timely, yet they also still say "A hotfix package does not replace a service pack. A hotfix package is optional." But nowhere on that article do they talk about how long it will be before a hotfix list will turn into a service pack.

And the verbiage on sql 2000 hotfixes say "A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next SQL Server 2000 service pack that contains this hotfix."

And for sql 2005 (http://support.microsoft.com/kb/943656/) they say "A supported cumulative update package is now available from Microsoft. However, it is intended to correct only the problems that are described in this article. Apply it only to systems that are experiencing these specific problems. This cumulative update package may receive additional testing. Therefore, if you are not severely affected by any of these problems, we recommend that you wait for the next SQL Server 2005 service pack that contains the hotfixes in this cumulative update package. "

So it seems to me that Microsoft itself is saying with regard to hotfixes, "if it ain’t broke, don’t fix it" while at the same time saying they’re working on cranking out more hotfixes. If I don’t see any of the problems described in any of the hotfixes, per Microsoft’s instructions I should be fine just sitting at the most recent service pack level.

Yet the SQL 2005 Security Best Practices document (http://www.microsoft.com/technet/prodtechnol/sql/2005/sql2005secbestpract.mspx) says "The best way to ensure the security of the server software and to ensure the security of SQL Server 2005 is to install security hotfixes and service packs as soon as possible. Use manual updates on an operating system basis by using Windows Update or Microsoft Update. You can enable automatic updates using Windows Update or Microsoft Update as well, but updates should be tested before they are applied to production systems. SQL Server 2005 incorporates SQL Server hotfixes and service packs into Windows Update. All hotfixes should be installed immediately and service packs should be tested and installed as soon as possible. This requirement cannot be emphasized enough".

So is the security best practices doc only talking about security patches or all patches when it states "All hotfixes should be installed immediately"?