Oracle Has More Flaws Than SQL Server

jcatcw writes, "Next Generation Security Software Ltd. of Surrey, England, compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006. The tally: Oracle had 233; MS SQL had 59. The products compared were Oracle 8, 9, and 10g; SQL Server 7, 2000 and 2005. From the article: '[The head of the survey said,] "The results show that the reputation that Microsoft SQL Server had back in 2002 for relatively poor security is no longer deserved."' Oracle's response: 'Measuring security is a very complex process, and customers must take a number of factors into consideration — including use-case scenarios, default configurations, as well as vulnerability remediation and disclosure policies and practices.'"

Features?

[eluusive]

Did they also mention that Oracle has 300 times as many useful analytical features as SQL Server? I use SQL Server 2005 at work and it's pathetic. Postgres is more useful!

Re:translation

[jedidiah]

Oracle's response in English: We don't force bundle our product onto servers where it really shouldn't be in the first place.

Insist on driving through the 'hood at midnight and you probably better be armed and armoured. Take the sensible approach and avoid doing this and you can likely skip the ablative armour and the AK-47. Microsoft likes to look for trouble. Most of their security problems stem from this.

Re:My experience

[dedazo]

What was your "high" contract with Microsoft? What level? Was it a regionally-supported contract (through your TAM) or was it direct with PSS? Was it part of an MSDN subscription? If so, what MSDN level, and whom did you purchase it from?

How many "bugs" did you find that Microsoft had to "charge" you for them? On a product that has existed for seven years, you or someone on your organization managed to find actual, undocumented "bugs" and then Microsoft actually went ahead and charged you for reporting them, even though you had this "high" contract with them. Correct?

I find it hard to believe that obvious disingenious FUD like this gets modded up to +5 - even considering the link to "msversus.org" on your user profile.

Re:My experience

[dedazo]

I realize you're trolling

Really? Why? Because I dared question what you said?

I don't know the details. I was told we had the highest level contract outside of government agencies.

I find it hard to believe that as a DBA having to support a database server within your organization you were not told what support level you had access to from the vendor. Normally you're given a fixed point of contact (for regional contracts this can be your TAM) and documentation as to what you can and cannot count on when you pick up the phone. You realize this sounds suspicious, correct? Or do you think I'm "trolling" here?

I have personally stumbled across at least a dozen undocumented bugs in MS SQL Server and VB

Well now, it gets interesting. Please, off the top of your head cite one undocumented bug in VB that you found that then went on to be part of a KB article. Please be specific. I'm sure if you found "a dozen" you must remember at least one, right? For example, a compiler problem? An issue with COM+? One of the common control libraries?

I'm reporting personal experience. By definition it's not FUD.

And since my personal experience differs greately from yours, and my knowledge of how PSS works within Microsoft negates your claims, I must be "trolling".

And msversus.org is my own site. It's not FUD either, because it's documentation of my own experiences and analysis.

Fair enough. I'm going to add a link to Microsoft on my Slashdot sig and see what effect it has on my "trolling".