by Robert Buda | Jun 29, 2020 | Database Patch News
Welcome to Database Patch News, Buda Consulting’s newsletter of current patch information for Oracle and Microsoft SQL Server. Here you’ll find information on available patches—including security patches—and desupported versions recently made available.
Why should you care about patching vulnerabilities and bugs? Two big reasons:
-
- Unpatched systems are a top cyber attack target. Patch releases literally advertise vulnerabilities to the hacker community. The longer you wait to patch, the greater your security risk.
- Along with running a supported database version, applying the latest patches ensures that you can get support from the vendor in case of an issue. Patching also helps eliminate downtime and lost productivity associated with bugs.
Here are the latest patch updates for Oracle and SQL Server:
Oracle Patches:
Apr 14 2020 Quarterly Patch Updates:
19c – Release Update 19.7 available.
18c – Release Update 18.10 available.
12.2.0.1 – APR 2020 Release Update 12.2.0.1.200414 available
Regular support ends Mar 2023 and extended support ends Mar 2026.
12.1.0.2 – Currently in extended support.
The last freely available patch was July 2019 for 12.1.0.2.
Apr 14 2020 PSU available but requires extended support purchase to access it.
Patches will be released until July 2021 for this version.
PATCH SET UPDATE 12.1.0.2.200414 available.
11.2.0.4 – Entered extended support December of 2017
Last free available patch was October 2018 for 11.2.0.4.
PATCH SET UPDATE 11.2.0.4.200414 available but requires extended support
purchase to access it.
SQL Server Patches:
SQL Server 2019
Cumulative update 3 (Latest build) Released March 12, 2020
Mainstream support ends Jan 7, 2025
Extended support ends Jan 8, 2030
SQL Server 2017
Cumulative update 20 (Latest build) Released Apr 7, 2020
Mainstream support ends Oct 11, 2022
Extended support ends Oct 12, 2027
SQL Server 2016 Service Pack 2
Cumulative update 12 Release date: Feb 25, 2020
Mainstream support ends Jul 13, 2021
Extended support ends Jul 14, 2026
SQL Server 2014 Service Pack 3
Cumulative update 3 Release date: Apr 16, 2019
Mainstream support ended Jul 9, 2019
Extended support ends Jul 9, 2024
SQL Server 2012 Service Pack 4
Release date: Oct 5, 2017
Mainstream support ended Jul 11, 2017
Extended support ends Jul 12, 2022
Note: All other SQL Server versions not mentioned are no longer supported.
by Robert Buda | May 13, 2020 | Database Patch News, database patching, Oracle, SQL Server
Welcome to Database Patch News, Buda Consulting’s newsletter of current patch information for Oracle and Microsoft SQL Server. Here you’ll find information on available patches—including security patches—and desupported versions recently made available.
Why should you care about patching vulnerabilities and bugs? Two big reasons:
-
- Unpatched systems are a top cyber attack target. Patch releases literally advertise vulnerabilities to the hacker community. The longer you wait to patch, the greater your security risk.
- Along with running a supported database version, applying the latest patches ensures that you can get support from the vendor in case of an issue. Patching also helps eliminate downtime and lost productivity associated with bugs.
Here are the latest patch updates for Oracle and SQL Server:
Oracle Patches:
Apr 14 2020 Quarterly Patch Updates:
19c – Release Update 19.7 available
18c – Release Update 18.10 available
12.2.0.1 – APR 2020 Release Update 12.2.0.1.200414 available
Regular support ends Mar 2023 and extended support ends Mar 2026.
12.1.0.2 – Currently in extended support.
The last freely available patch was July 2019 for 12.1.0.2.
Apr 14 2020 PSU available but may require extended support purchase to access it.
Patches will be released until July 2021 for this version.
PATCH SET UPDATE 12.1.0.2.200414 available
11.2.0.4 – Entered extended support December of 2017
Last free available patch was October 2018 for 11.2.0.4.
PATCH SET UPDATE 11.2.0.4.200414 available but may require clients purchase extended support to have access to it.
SQL Server Patches:
SQL Server 2019
Cumulative update 3 (Latest build) Released March 12, 2020
Mainstream support ends Jan 7, 2025
Extended support ends Jan 8, 2030
SQL Server 2017
Cumulative update 20 (Latest build) Released Apr 7, 2020
Mainstream support ends Oct 11, 2022
Extended support ends Oct 12, 2027
SQL Server 2016 Service Pack 2
Cumulative update 12 Release date: Feb 25, 2020
Mainstream support ends Jul 13, 2021
Extended support ends Jul 14, 2026
SQL Server 2014 Service Pack 3
Cumulative update 3 Release date: Apr 16, 2019
Mainstream support ended Jul 9, 2019
Extended support ends Jul 9, 2024
SQL Server 2012 Service Pack 4
Release date: Oct 5, 2017
Mainstream support ended Jul 11, 2017
Extended support ends Jul 12, 2022
Note: All other SQL Server versions not mentioned are no longer supported.
by Robert Buda | May 12, 2020 | Database Architecture, Oracle, SQL Server
What is a schema as opposed to a database as opposed to an instance? And how do schemas differ between Oracle and MSSQL? Or between Oracle and PostgreSQL? Or between PostgreSQL and MongoDB?
These terms can be confusing, but they are very important when planning a database architecture. So let’s define these terms and discuss conceptually how they are similar and how they differ between database software implementations. This post will focus mostly on schemas, with some references to the other terms for context.
What is a database ?
A database is the collection of database files that contain the data being stored. These files hold both the user data and the metadata (data dictionary) that the database needs to make sense of the user data. The metadata includes the schema definitions (where applicable) as described below.
What is a database instance?
A database instance is the collection of all of the database software processes plus any memory structures required by those processes, plus the database files where the database data is stored. (See diagram)
The different software vendors treat the relationship between databases and instances in different ways.
Oracle supports one database per instance unless you are working with 12c and above and using Oracle Multitenant.
PostgreSQL supports multiple databases per instance. Some system catalogs are shared across all databases in an instance.
MSSQL supports multiple databases per instance. Each instance has a set of system databases that are shared across all databases served by that instance.
MongoDB supports multiple databases per instance.
What is a schema?
The concept of a schema can be a little confusing because there are three different relevant uses of the word “schema” in the context of an IT project.
-
- Mirriam Webster defines a schema as “a structured framework or plan, an outline.”
- In the realm of database technology, a schema means a structural definition of the data that you are storing. This essentially defines the datatypes of the data you are storing, and the organization of that data (into tables, documents, indexes and constraints, etc). This can be expressed in the form of a diagram such as an entity relationship diagram (ERD), or in a set of data dictionary language (DDL) statements, or in a JSON object.
- Some database vendors have extended the concept of a schema to include not just a definition of the structure of a set of data, but also a particular collection of objects that contain the data (tables, etc), and even the data itself. This is sometimes a named collection and is typically based on one of these factors:
- Who owns the objects (a database user)
- Who should have access to the objects (e.g., a database role that may be assigned to users)
- What the objects are used for (e.g., all objects for a given application or function within an application)
When implemented in this fashion, a schema can also be thought of as a namespace. An object can have the same name in two different schemas and the two objects will be distinct from each other.
It is interesting to note that MongoDB, which is a document database as opposed to a relational database, is sometimes called a schema-less database. MongoDB also has the concept of a schema, but it is purely a description of the structure of the data, more like definition 2 above than 3. A MongoDB schema does not represent the actual instance of the data, as it does with the relational databases mentioned.
To summarize, within the context of database management software, a schema is either a set of objects that contain data that is related in some logical way (user, access, application), or simply a definition of the structure of data.
Examples
Here are some example of schemas (see the diagram below):
-
- Schema JSMITH: A schema that contains all of the tables that belong to user Jsmith. This schema would typically simply be named the same as the user, and is often created automatically when that database user account is created. When the user connects to the database, this will typically be his default schema. So any objects that he creates will automatically be part of that schema. When he issues a query, unless he specifies a schema name as part of the name of the object he is querying, or changes his schema search path (this is done differently by each database vendor), the result set will come from the object by that name that exists in his default schema.
- Schema PAYROLL: A schema that contains all of the tables for the payroll application. This schema would typically be named for the application or a functional area within the application. When accessing data from the Payroll schema, users will need to either set their schema search path to the Payroll schema, or prefix all object names in the query with PAYROLL.
- Schema DBO: This built-in schema in MSSQL is the default for all users unless otherwise specified. In many SQL Server databases, almost all objects end up here. This is similar to the public schema in PosgtreSQL.
How does a schema differ between database vendors?
MSSQL and PostgreSQL have an actual object in the database called a schema. You can create and drop a schema, and you can assign access rights and ownership to a schema as a whole. In these environments, there is a loose connection between a schema and a database user. A schema may be owned by a database user. But a database user does not have to own any schemas. A schema may also be owned by a role instead of an individual user. If you want to drop a user that owns a schema, they can and must first transfer ownership of the schema to another user.
Oracle has the concept of a schema but it does not really have an object in the database called a schema. It is more conceptual. In Oracle, each database user may be an owner of objects, and the collection of objects owned by a given user is considered a schema. If a database user is dropped, all objects owned by that user (in that user’s schema) must be dropped first. A schema in Oracle does not exist independently of a database user. There is a command in Oracle called Create Schema that is essentially a wrapper that lets you create a database user and a set of objects to be owned by that user all at once. The Drop Schema command is really the same thing as Drop User. One cannot transfer ownership of an object from one user to another. The new user would need to recreate the object. (A CTAS query may be helpful here).
MongoDB, as mentioned earlier, uses the concept of a schema in database design and in the validation of the structure of incoming data. (Nice blog on this here.) But there is no object in the database known as a schema.
I hope this post helps pull together the concept of a schema and the way the different vendors have implemented schemas.
Please comment with any questions or examples that you think might be helpful, including for database vendors that are not listed here. Also, if you disagree with the way I defined schema, please let me know how you see it.
To talk over any questions you may have around schemas or database architecture in general, contact Buda Consulting.
by Robert Buda | Feb 19, 2020 | Best Practices, Database Patch News, database patching, Database Security, Oracle, SQL Server
Welcome to Database Patch News, Buda Consulting’s monthly newsletter of current patch information for Oracle and Microsoft SQL Server. Here you’ll find information on available patches—including security patches—and desupported versions made available during the past month.
Why should you care about patching vulnerabilities and bugs? Two big reasons:
- Unpatched systems are a top cyber attack target. Patch releases literally advertise vulnerabilities to the hacker community. The longer you wait to patch, the greater your security risk.
- Along with running a supported database version, applying the latest patches ensures that you can get support from the vendor in case of an issue. Patching also helps eliminate downtime and lost productivity associated with bugs.
Here are the latest patch updates for Oracle and SQL Server:Oracle Patches:
19c
DATABASE RELEASE UPDATE 18.9.0.0.0.200114
OJVM RELEASE UPDATE 18.9.0.0.0.200114
18c
DATABASE RELEASE UPDATE 19.6.0.0.0.200114
OJVM RELEASE UPDATE 19.6.0.0.0.200114
12cR2
DATABASE RELEASE UPDATE 12.2.0.1.200114
OJVM RELEASE UPDATE 12.2.0.1.200114
Regular support ends Mar 2023 and extended support ends Mar 2026
12cR1
DATABASE PATCH SET UPDATE 12.1.0.2.200114
(Extended Support Contract Required)
OJVM PATCH SET UPDATE 12.1.0.2.200114
(Extended Support Contract Required)
The last freely available patch was July 2019 for 12.1.0.2. The Oct 15 2019 Patch Set Update (PSU) is available but may require an extended support purchase to access it. Patches will be released until July 2021 for this version. PSU 12.1.0.2.191015 is available.
11gR4
DATABASE PATCH SET UPDATE 11.2.0.4.200114
(Extended Support Contract Required)
OJVM PATCH SET UPDATE 11.2.0.4.200114
(Extended Support Contract Required)
The last freely available patch was October 2018 for 11.2.0.4. PSU 11.2.0.4.191015 is available but may require clients to purchase extended support to access it.
Oracle Engineered Systems
Oracle Exadata System Software for 18.1.24, 19.2.10 & 19.3.4
Oracle Exadata QFSDP for Jan 2020
Oracle SuperCluster QFSDP for Jan 2020
SQL Server Patches:
SQL Server 2019 – Cumulative Update 1 released on 01/07/2019
SQL Server 2017 – Cumulative Update 18 released on 12/09/2019
SQL Server 2016 Service Pack 2 – Cumulative Update 11 released on 12/09/2019
SQL Server 2016 Service Pack 1 – Cumulative Update 15 released on 07/09/2019
SQL Server 2014 Service Pack 3 – Cumulative Update 4 released on 07/29/2019
SQL Server 2014 Service Pack 2 – Cumulative Update 18 released on 07/29/2019
by Robert Buda | Nov 25, 2019 | Database Security, SQL Server
These days it’s only a matter of time before our firewalls or access controls are breached. Then what?
In a multi-tiered security strategy, data encryption is a critical next line of defense. Data encryption is also mandated by a number of widely applicable regulations, including PCI-DSS and GDPR.
Fortunately for SQL Server users, Microsoft has developed a range of capabilities that enable you to encrypt database files at rest, in transit, in backups, when being accessed and even “always.” This post will give you an overview the five types of encryption that SQL Server offers.
SSL Transport Encryption For Data In Transit
Similar to how web applications secure traffic between the server and the browser, you can configure SQL Server to use Secure Sockets Layer (SSL) to encrypt data in transit between the server and the client.
This capability is available across all supported versions and all editions of SQL Server. It’s a great way to thwart so-called “man in the middle”/proxy attacks because it makes network traffic almost impossible to read.
For more information, including how to install a certification a SQL Server to support SSL, see this Microsoft Support page.
Backup Encryption
SQL Server allows you to encrypt SQL backups at the whole file level. Available for both Standard and Enterprise editions in SQL Server 2014 and newer, this is a powerful security measure as it protects backups even at offsite locations.
This feature gives you a choice of encryption algorithms and can use either a certificate or asymmetric key. You can also use backup encryption and Transparent Data Encryption (TDE, see below) at the same time (but with separate certificates/keys).
For more information on implementing cell-level encryption, see this Microsoft Docs page.
Transparent Data Encryption (TDE)
Available since SQL Server 2008 for Enterprise editions only, TDE lets you encrypt SQL data “at rest” within the files on disk. This protects the physical media—including the entire database, log files and any backups or snapshots—from being read in the event of unauthorized access to the media. (Data in unencrypted files can be accessed simply by restoring the files to another server.)
TDE is “transparent” in the sense that no changes are required for client or server applications to use a TDE-encrypted database. When SQL Server mounts an encrypted data file, it uses a database encryption key (DEK) to decrypt the data during use and then re-encrypts it again before writing it back to the file. A limitation of this approach is that data encrypted with TDE is unencrypted and potentially vulnerable both in memory and over the network.
For more information on implementing TDE see this Microsoft Docs page.
Cell-Level Encryption
SQL Server’s Cell-Level Encryption lets you encrypt specific columns within a database that contain sensitive data; e.g., credit card numbers, social security numbers, passwords, etc. This feature is available in all SQL Server editions.
Unlike with TDE, when data encrypted with Cell-Level Encryption is selected in a query, it remains encrypted by default, even in memory. However, all it takes to decrypt it is a call to the decryptbykey function in the query. Further, the need to use a function call for decryption means code changes in existing applications and queries.
For more information on implementing cell-level encryption, see this Microsoft Docs page.
Always Encrypted
Always Encrypted is a new (since SQL Server 2016) way to do column-level encryption for client applications using up-to-date data libraries. Always Encrypted encrypts data transparently at the client via the data connection layer, with no code changes required (though it requires a driver on client systems).
Data thus secured remains encrypted in transit, in memory and at rest—making it the only option for securing data from misuse by even the most privileged SQL users, like sysadmins. This makes it a good choice for applications that require separation of data owners and managers.
However, since SQL Server isn’t doing the encrypting, many functions won’t work with this approach. In particular, you can’t sort, index, look for string fragments or do calculations on data that’s encrypted.
For more information on implementing cell-level encryption, see this Microsoft Docs page.
In Conclusion
Microsoft has a strong focus on security, and this is evident in the wide range of options available to SQL Server users. But every organization’s needs are different, and there is no one-size-fits-all approach to implementing SQL Server encryption. Your SQL Server version and licensing scenario, application requirements, business processes, performance needs, regulatory environment and security risk profile will all impact your path to implementing encryption.
For expert guidance on how best to implement encryption in your database environment, including help with configuration and key management, contact Buda Consulting.
