Mainstream support for Microsoft SQL Server 2008 R1 and R2 ended July 8, 2014. What does Microsoft SQL Server 2008's...
end of life mean from a security perspective? Is it time to migrate, or can the software still be used securely?
Microsoft offers a minimum of 10 years of support for business and developer products such as SQL Server. Mainstream support is provided for either five years or for two years after the successor product is released (whichever is longer). Extended support runs either for the five years following mainstream support or for two years after the second successor product is released (whichever is longer).
Security updates are made available through the end of the extended support phase, but any service packs must be installed to continue receiving support and security updates. For Microsoft SQL Server 2008 Enterprise, the support lifecycle looks like this:
- Lifecycle start date: 11/6/2008
- Mainstream support end date: 07/08/2014
- Extended support end date: 07/09/2019
The main difference between mainstream and extended support is that only bugs relating to security will be fixed during extended support -- non-security bugs will be fixed only for customers who have purchased extended hot-fix agreements within 90 days of mainstream support ending.
While 10 years of support may seem a long time, it shouldn't be used as justification to delay a decision to migrate to a new major release. Despite plenty of warnings, many enterprises were caught off guard by the end of life for Windows XP, postponing transitioning to later releases of Windows based on the supposition "if it ain't broke, don't fix it" -- a dubious premise in IT security. Microsoft's well-publicized lifecycle dates are there to enable organizations to plan and execute migrations carefully and methodically. Planning a transition before the Microsoft SQL Server 2008 end of life -- and before things start to go wrong -- creates a far less stressful move to newer technology.
To plan for the move, legacy applications based on SQL Server 2008 should be rewritten and migrated sooner rather than later as the new code will need extensive testing. SQL Server 2008 databases may well be hosted on older hardware, which will become more prone to failure, increasing the fragility of the databases over time, as well as the risk of unplanned downtime. Other costs and risks associated with using outdated software also grow over time. For example, the lack of mitigation technologies to prevent newly discovered attacks means a greater reliance on other defenses to provide protection. Many software vendors will no longer support their products if they're running on top of expired software. While rewriting database applications, upgrading licenses and purchasing hardware may be costly, data breach fines could be far more expensive.
Microsoft calculates that it takes at least a year for most companies to fully migrate mission-critical software, so there's no need to panic yet. Enterprises should, however, start planning now for a successful upgrade from SQL Server 2008 in order to avoid being forced to react in a panic once the reality of unsupported software has already disrupted operations. Operating system and server specifications required to run new database software need to be agreed upon and ordered, and the new infrastructure must be tested and run alongside the existing setup.
Enterprises are creating and consuming more data than ever before, and upgrading database servers and software could bring cost and performance benefits as they are able to take advantage of newer technologies; it's a comfort for those tasked with planning for the end of SQL Server 2008 support.
Ask the Expert!
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)
This guide helps enterprises plan the SQL Server upgrade process
Learn from others' mistakes: More about Windows XP end-of-life planning
Dig Deeper on Data security technology and strategy
Related Q&A from Michael Cobb
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading