This paper examines the differences between the security posture of Microsoft’s SQL Server and Oracle’s RDBMS, based upon flaws reported by external security researchers and since fixed by the vendor in question. Only flaws affecting the database server software itself have been considered in compiling this data, so issues that affect, for example, Oracle Application Server have not been included. The sources of information used whilst compiling the data that forms the basis of this document include:

The Microsoft Security Bulletins web page
The Oracle Security Alerts web page
The CVE website at MITRE
The SecurityFocus.com website

A general comparison is made covering Oracle 8, 9 and 10 against SQL Server 7, 2000 and 2005. The vendors’ flagship database servers (Oracle 10g and SQL Server 2005) are then compared on their own.

The two graphs above show the number of security flaws in the Oracle and Microsoft database servers that were discovered and fixed between December 2000 and November 2006, grouped by calendar quarter. Each block represents a single issue, with the sole exception of the single block in Q2 2005 of the Microsoft graph. That block represents Service Pack 4 for SQL Server 2000: whilst there are no related security bulletins or bugs listed on Bugtraq, the author felt it worthy of inclusion.
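The counting rule behind the graphs (restrict to the database server product, restrict to the reporting window, count each issue once, bucket by calendar quarter) is simple to get subtly wrong when the same flaw appears in more than one of the listed sources. The following is an added example, not code or data from the paper: it applies that rule to a constructed list of records whose identifiers, products and dates are placeholders, and shows where the Application Server exclusion, the date window and de-duplication each bite.

```python
"""Bucket fixed database-server flaws by vendor and calendar quarter.

Added example. The records below are constructed placeholders, not the
paper's dataset; identifiers such as "sample-01" are not real CVE ids.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Flaw:
    ident: str      # advisory/tracker identifier (constructed here)
    vendor: str     # "Oracle" or "Microsoft"
    product: str    # product string as a source would report it
    fixed: date     # date the vendor published the fix


# Constructed sample data (assumption: one record per source sighting,
# so the same issue can legitimately appear twice).
SAMPLE_FLAWS = [
    Flaw("sample-01", "Oracle", "Oracle Database 8i", date(2001, 2, 12)),
    Flaw("sample-02", "Oracle", "Oracle Database 9i", date(2004, 9, 1)),
    Flaw("sample-03", "Oracle", "Oracle Database 10g", date(2004, 9, 1)),
    Flaw("sample-04", "Oracle", "Oracle Application Server", date(2004, 9, 1)),
    Flaw("sample-02", "Oracle", "Oracle Database 9i", date(2004, 9, 1)),  # same issue, second source
    Flaw("sample-05", "Microsoft", "SQL Server 2000", date(2002, 7, 24)),
    Flaw("sample-06", "Microsoft", "SQL Server 7", date(2002, 10, 2)),
    Flaw("sample-07", "Microsoft", "SQL Server 2000", date(2000, 8, 15)),  # before the window
]

# Product substrings that mark the database server itself, and those that
# mark products the comparison deliberately leaves out.
DB_SERVER_MARKERS = ("Oracle Database", "SQL Server")
EXCLUDED_MARKERS = ("Application Server",)


def in_scope(product: str) -> bool:
    """True only for flaws in the database server software itself."""
    if any(marker in product for marker in EXCLUDED_MARKERS):
        return False
    return any(marker in product for marker in DB_SERVER_MARKERS)


def quarter_label(d: date) -> str:
    """Calendar quarter label, e.g. 2004-09-01 -> '2004 Q3'."""
    return f"{d.year} Q{(d.month - 1) // 3 + 1}"


def count_by_quarter(flaws, vendor: str, start: date, end: date) -> Counter:
    """Count distinct in-scope issues for one vendor, keyed by quarter.

    A flaw is counted once even if several sources list it; records
    outside [start, end] or for excluded products are dropped.
    """
    seen = set()
    counts = Counter()
    for flaw in flaws:
        if flaw.vendor != vendor or not in_scope(flaw.product):
            continue
        if not (start <= flaw.fixed <= end):
            continue
        if flaw.ident in seen:
            continue
        seen.add(flaw.ident)
        counts[quarter_label(flaw.fixed)] += 1
    return counts


if __name__ == "__main__":
    window = (date(2000, 12, 1), date(2006, 11, 30))
    for vendor in ("Oracle", "Microsoft"):
        per_quarter = count_by_quarter(SAMPLE_FLAWS, vendor, *window)
        print(vendor, dict(sorted(per_quarter.items())))
```

With the constructed data, Oracle ends up with one block in 2001 Q1 and two in 2004 Q3 (the Application Server record and the duplicate sighting are dropped), and Microsoft with one block each in 2002 Q3 and 2002 Q4 (the August 2000 record falls before the window). Any real compilation from the four sources above would need the same three filters before the per-quarter totals mean anything.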

Download PDF: Which database is more secure? Oracle vs. Microsoft