Which database is more secure? Oracle or Microsoft SQL Server?

I still come across Oracle enthusiasts who mistakenly believe that Oracle’s database suite is more secure than Microsoft’s SQL database suite – this is nonesense as I shall explain.

The point to this post is not to gloat – it’s simply to set the record straight. Microsoft SQL Server’s suite of products ARE more secure than Oracle’s database suite.

A single vulnerability in any mission critical product can cause serious problems for whomever relies upon it and ALL software is subject to both code and configuration vulnerabilites. If anyone tells you their software is 100% secure or impervious to vulnerability then they are delusional.

Secunia is a well respected security vulnerability tracking site. Take a look at Secunia’s statistics for the number of Oracle software security advisories compared to Microsoft SQL Server’s security advisories – the results are 94 compared to 23.

Of the 23 SQL Secunia advisories only one has been reported in the last four years and it was of low severity.

Digging a little further we can see that the 94 Oracle Security Advisories comprised of 200 actual vulnerabilities whereas Microsoft SQL’s vulnerability count was just 4 – both sets of vulnerability figures are for the last four years.

Note: searching Secunia for just “SQL” will bring back security advisories for a vast range of non-Microsoft SQL implementations including mySQL.

Comments (6)

  1. Anonymous says:

    My good friend Steve the team spook, has written this post about SQL Servers track record on security

  2. Anonymous says:

    Actually compare “oracle” to “Microsoft SQL Server” is not very faint. But even in case we narrowed the search the results are quite overwhelming.

  3. Dave says:


    Not that I care who is more secure than who, but the basis of your theory is off

    The Search on Secunia is pulling from the entire Oracle Product line vs just SQL Server.  At this point you are comparing apples to oranges.

    If you wanted to make an apples to apples comparison you would need to include MS Dynamics & CRM(Oracle Applications),  IIS & Commerce Server (Oracle Application Server) Systems Center , Sharepoint/MOSS (Oracle Portal) and so on.  

    Even if you did an apples to apples comparison on Secunia I would not trust the results.  For example, a search on Sharepoint  shows 24 vulnerabilities, however  a number of the advisories are for Symantec products.  

    I would recommend taking a look into the data in the future

  4. nik says:

    Of course it’s Oracle; it’s unbreakable. Haven’t you read their website ads? 🙂

  5. Rob says:

    Of course, all software has vulnerabilities.  Surely the more important issue is unpatched vulnerabilities, and how quickly the respective companies provide fixes?  The method of counting vulnerabilities is fairly rubbish, because it skews the results – giving higher figures to more scrutinised software (open source work e.g. Firefox) and lower figures to less scrutinised software (Apple QuickTime for example).  Of course, you could argue that the more scrutinised software is also more likely to be scrutinised by criminals and then exploited.

Skip to main content