Extended Security Updates No More Freebies


Security Environments

As data professionals, we should always strive to keep our systems updated and patched to ensure proper security of our environments. Microsoft has moved away from releasing service packs to releasing just cumulative updates and the occasional hotfix. These hotfixes may or may not be security related, but it behooves us to ensure things get patched, not just from a SQL Server perspective but also from a Windows perspective. Don’t forget about the operating system!

In the past, these security patches for older versions have been free of charge. 

All that is about to change!!!

According to Microsoft, if you are running SQL Server 2008 or 2008 R2, extended support will end on July 9, 2019. For those running Windows 2008 and 2008 R2, extended support for the operating system will end on January 14, 2020, giving you another year for the OS before you have to worry about support.

Once extended support has expired, if a hotfix for a security issue (like Spectre/Meltdown) is released, you will no longer receive it for free.

You read this correctly. You will "NOT" be receiving the security patches for free after that point. 

Microsoft, however, has provided some ways to avoid this.

Software Assurance or Subscription Licenses

If you have active Software Assurance or subscription licenses, you can purchase Extended Security Updates for an annual fee of 75% of the full license cost of the latest version of SQL Server or Windows Server.

In other words, if you are using an older version of SQL Server or Windows and security is important to you (it should be), you can expect to pay 75% MORE annually on your license renewal. This amount will add up quickly.

As we get closer to those end dates stated above, Microsoft will begin to offer purchase options for the extended security updates. 

Upgrade Upgrade Upgrade

You can choose to upgrade to a newer version of the software. If you stay within the most recent 2 versions of the software, SQL Server or Windows, you will continue to receive security patches at no additional cost.

This implies that your organization has to keep up with the times. As Microsoft releases new versions and older versions age out, the same issue will apply. You have to upgrade with the times in order to save yourself the 75% extended security update charges.

Or go without the security updates completely. Bad idea.

Move to Azure

Migrate to the cloud. If you move your existing 2008 or 2008 R2 SQL Server to an Azure Virtual Machine (without upgrading SQL Server or the OS), Microsoft will continue to offer security updates at no additional charge for up to three years. You could effectively remain on the older versions of SQL Server or Windows yet continue to receive security updates during that three-year period. Keep in mind that while this is a good amount of time, the idea behind it is to force you to upgrade to a more current version of the software at some point. If you have issues upgrading your on-prem environment today, moving to the cloud could give you some breathing room to work through them.

Once you’ve passed that three-year mark, you will most likely fall into the payment category and have to pay an additional surcharge to continue to receive security updates.


In short, I think this is a wise move by Microsoft. This new plan for older versions will help force organizations to continuously upgrade and stay closer to mainstream versions, or start to shell out more money. If you have had the opportunity to see newer versions of SQL Server, they offer not only performance enhancements but security-related ones as well.

If you do not want to upgrade, they also offer a way to purchase extended security support, which just adds money to their bottom line. Much like with anything, if you really want it, you can probably find a way to pay for it. The choice is yours.

Finally, you can migrate to Azure. Temporarily. If you migrate to Azure, you will continue to receive security updates for the following three years. The cloud, especially Azure, is becoming much more robust and prevalent within organizations. It is around to stay for some time. Examine your existing environment and see if that’s an option. 

If you don’t want to pay the extra money for extended support but do not know how to proceed with a migration or upgrade, drop me a line at john AT dcac.co. I would love to help you out with either of those two options.

Denny Cherry & Associates Consulting