Nearly 20% of Running Microsoft SQL Servers Have Passed End of Support

An anonymous reader shares a report: IT asset management platform Lansweeper has dispensed a warning for enterprise administrators everywhere. Exactly how old is that Microsoft SQL Server on which your business depends? According to chief strategy officer Roel Decneut, the biz scanned just over a million instances of SQL Server and found that 19.8 percent were now unsupported by Microsoft. Twelve percent were running SQL Server 2014, which is due to drop out of extended support on July 9 -- meaning the proportion will be 32 percent early next month.

For a fee, customers can continue receiving security updates for SQL Server 2014 for another three years. Still, the finding underlines a potential issue facing users of Microsoft's flagship database: Does your business depend on something that should have been put out to pasture long ago? While Microsoft is facing a challenge in getting users to make the move from Windows 10 to Windows 11, admins are facing a similar but far less publicized issue. Sure, IT professionals are all too aware of the risks of running business-critical processes on outdated software, but persuading the board to allocate funds for updates can be challenging.

Not only main DBs

[cusco]

What most companies forget is the myriad databases that run things like their security systems, document management systems, and building HVAC. In 2014 the AMAG access control system, the second-largest vendor of security systems in the US, finally upgraded its database to SQL 2008 from MSDE/SQL2000 (no service packs). It wouldn't run on anything later than that even in compatibility mode, and it's not alone.

Check your company's background systems, you may be shocked at what you find. You might be surprised to find that your security system may be your biggest security hole.

Re:

[jhoegl]

Where I work, we just got a DBA who is proactive in this respect. Very good fellow to have on the team.

Re:

[aaarrrgggh]

If there is one thing we "learned" (and proceeded to forget) with Y2K is just this. There are so many stupid systems that never get updated that businesses rely on. I am sure a bunch of the ones I worked on in 1999 as emergency replacements are still in operation; the second-generation replacements are also likely still in place for most, and those are probably actually and deliberately networked.

Re:Not only main DBs

[cusco]

Hospitals and factories are the absolute worst for this. A lot of systems were never designed to be put on the network at all, for example the 5-9 gig files created by an MRI machine would have brought a 10 base T network to its knees and used up every bit of storage available. They wrote to a DVD which was put in the patient's hard copy file. Then 100 megabit networks come around, the DVD burner fails, and the simple answer is to slap a network card in it and write to the new SAN. Now the hospital has a Windows 2000 or XP machine that can't be upgraded because newer OSs won't allow the software drivers to talk directly to the hardware. No one is going to throw away a $5 million metal lathe or robotic painter just because the OS is no longer supported, either.

what?

[Anonymous Coward]

How do you think "software drivers" work if they don't talk directly to the hardware? The 16-bit descendants didn't need drivers at all - you could bang on whatever ports and registers you want which made things easy. But since you're talking about 2k/XP those required actual drivers. The problem is that for reasons known only to Satan, MSFT decided to throw driver backwards compatibility in the trash with Windows 7 and that's why everyone hated Windows 7 - none of the new drivers worked and a lot of old ha

Re:

[cusco]

No, drivers haven't directly addressed hardware since Win NT was introduced. They communicate with the HAL, the Hardware Abstraction Layer, which talks to the kernel, which controls the hardware. The DOS-based versions of Windows, Win 3.x, Win95/98, and to a lesser extent Millenium, could address the hardware directly, but nothing since.

On the off-chance you want to learn more:
https://learn.microsoft.com/en... [microsoft.com]

Re:what?

[Sique]

It gets even more convoluted. Drivers are a part of the Windows HAL, they extend it. And usually, drivers consist of two parts, often referred to as bottom half and top half. The role of the bottom half is to talk directly to the hardware. They read hardware registers, write into them, get called by system signals etc.pp.. That's the part that actually gets integrated into the HAL. The bottom half contains very short routines and is supposed to return from any subroutine in a predictable time. The more complex part of the I/O processing is done in the upper half, which runs in user land, separated from the hardware by the HAL.

Re:

[arglebargle_xiv]

Also the only driver available for the multimillion-dollar piece of hardware your company depends on was hacked together from sample code included in the Windows NT DDK in 1997 and hasn't been touched since then in case something breaks.

This is not snark, it's real.

Re:

[cusco]

Absolutely believe you, and that's why there's a lot of hardware out there that can never be migrated off some ancient OS which will never be upgraded. A local utility used to have a stack of 386 laptops with DOS 3 on them in case the control server for their radio tower failed.

Re:

[Anonymous Coward]

The Y2K 'lesson' was that stuff works for decades without being touched.

So it got fixed in 1999, and until it breaks again a lot of that stuff is going to keep running for another few decades.

And that's absolutely fine - until somebody decides to hook it up to the internet.

With the level of enshittification going on now, those old systems probably work better than anything that would replace them.

Context

[nicubunu]

For a bit of context, I would like to learn how many running MySQL/MariaDB servers are out of support. That may light some insight why: is about difficulty to work proprietary licenses or about lazy sysadmins not bothering with upgrades?

Re:Context

[93 Escort Wagon]

Doesn't necessarily imply difficulty. It could be cost - software upgrade costs, or hardware update costs.

Also, while "SQL" implies this shouldn't be the case... I wonder if there are compatibility issues where some other (likely expensive) commercial product only works with a really old version of MS SQL.

Re:

[Errol backfiring]

For MySQL / MariaDB, the connectors (the software libraries that connect to the database) must sometimes be upgraded as well.|I can imagine that this is also true for MS SQL server.

Re:

[F.Ultra]

Both MySQL and MariaDB provides the connector libs precompiled in their installers. I also just checked on mariadb.com and you can download the connector as a .msi for Windows directly from the start page. Did you even look?

Re:

[dsanfte]

> I wonder if there are compatibility issues where some other (likely expensive) commercial product only works with a really old version of MS SQL.

Bingo, I have seen this with my own eyes.

Re:

[MBGMorden]

On MS SQL databases have a "Compatibility level" you can set. It used to only go back a few versions but SQL Server 2019 can still set compatibility level all the way back to SQL Server 2008 (I suspect newer versions can too but 2019 is the newest install I had on hand to check). That takes care of the vast majority of any compatibility issues as in almost all aspects the database still responds to syntax of that prior version.

Re:

[flink]

Just because a database is in "compatibility mode" doesn't mean that every obscure DBCC flag or proprietary query hint will work in exactly the same way. They might be accepted by the parser for compatibility, but then just noop. If your 3rd party app relies on one of those, then you are still SOL.

Re:

[TheRealMindChild]

MS SQL can (and does) tie into the Windows Scripting platform and is able to instantiate COM/ActiveX object to do its work. THAT is likely where any incompatibilities come from

Re: Context

[1s44c]

The problem usually isn't lazy sysadmins, but sysadmins with 10 hours of work to do each 8 hour workday and management refusing to see the point of changing systems that are working.

Re:

[bleedingobvious]

Exactly this.

Coupled with the inevitabel fact that this technical debt typically has no spare in order to perform upgrade testing/UAT and you're in a prime position to just sit there and watch the countdown to drama.

Embedded garbage in production is the best.... Super-critical, finicky, expensive and almost impossible to upgrade. This is by design. These systems were built to be replaced, not upgraded.

Re:

[unrtst]

... and if your company has a separate DBA (or DBA group) and sysadmins and/or software/release group, then you're dealing with coordination between two groups. Worse still, the DB, especially when it's MS SQL (cause on free DB's like MySQL/MariaDB, you'd just spin up another instance or server), .. the DB often hosts multiple databases used by a variety of external systems/programs.

Even if you manage to get the heaviest users to migrate off to the replacement DB, you'll often be stuck with a few stubborn o

Re:

[eneville]

On prem typically gets better performance and tends to sit nearer the end user, normally.

Re:

[Ritz_Just_Ritz]

Sadly, I'm afraid this is often the case along with businesses that decide to spend scarce resources on new features rather than invest in the care and feeding of their existing stack. They'll kick that maintenance can down the road until they're burgled and/or suffer a failure and have to come to grips with no or little support from the DB vendor. Then it becomes a "priority" for the C-suite and board to briefly deal with tech debt....until they fall back into their old ways. Rinse....repeat...no accoun

Re:

[laffer1]

I suspect quite a few mysql databases. The upgrade from 5.x to 8.x was a pain for some applications.

Better track record than CentOS

[thesjaakspoiler]

At least that is a metric that RedHat was able to beat Microsoft with. =/

Re:

[vbdasc]

My old SQL Server runs in a IPX/SPX network. I invite all hax0rz to try to break in :)

Re:

[bleedingobvious]

Pffft. Rookies

Mine runs a couple of physical notepads I hide under the mattress!

Doing dumb things and bragging about it is the new coffee?

Re:

[cusco]

If it ain't broke don't fix it. My coworker had to test a fully-analog fire alarm system in an apple warehouse run by water power and a Model T (literally) generator, another tested an air-pressure based fire alarm, there is a farmer in eastern Washington who runs his irrigation system with a 1930s Harley pan-head engine, until recently there were a bunch of radio towers in the Puget Sound area for which the control software would only work on a 386 running DOS 3. The winner that I know of is an Oregon sa

Re:

[vbdasc]

Very funny, but unlike your mattresses and cookie jars, my network runs an actual MS SQL Server, which was bleeding edge 27 or 28 years ago.

Re:

[ElimGarak000]

My old SQL Server runs in a IPX/SPX network. I invite all hax0rz to try to break in :)

I'll just be sitting here waiting for someone to mention token ring.

Re:

[OrangeTide]

I ain't rich enough for Token Ring. It's all ARCnet up in here.

Re:

[vbdasc]

Too bad that there is TCP/IP for Token Ring, and possibly for Arcnet too. Your systems would be still vulnerable, even if you're using TCP/IP over twinax or current loop.

Re:

[cusco]

I once maintained a restaurant Point of Sale system that ran all the terminals on NetBEUI. The vendor liked not having to worry about the network being hacked from outside.

Re:

[vbdasc]

If you mean NetBEUI in Microsoft parlance (a.k.a. NBF) then yes, it's a solid choice for networks, but... unlike IPX/SPX, it's not routable. Your network is basically limited to one network segment, subject to broadcast storms and other unpleasantries.

Re:

[cusco]

Yes, that was the point. They didn't want the terminals to be available to the great wide world if the network got hacked, so all they had to worry about was security on the server (which was *annoyingly* secure).

Re:

[eneville]

Meh. Sqlite.

Re:

[NotEmmanuelGoldstein]

... they’re so old.

People whinge about Biden but he is achieving much, such as modernizing the US government, a mind-boggling massive task. Most of the changes are in the back-office but a front-end consequence is a federal web-site for doing federal taxes online.

Re:

[F.Ultra]

yeah but at least he isn't Trump, that would have been even worse.

Re:

[packrat0x]

modernizing the US government

That's not Biden, that's the US Congress.

federal web-site for doing federal taxes online.

The IRS was working on that idea back in the Obama years. It took a great deal of testing since the IRS would get epic blame if something went wrong (versus 3rd party preparers). Plus, Congress moves slowly.

Re:

[cusco]

Yes, but only a Democrat could make it acceptable to doctrinaire Liberals. The same with provoking not one but two nuclear powers, including openly threatening to attack their forces, if anyone but the Dem 'old guard' had proposed much less done such a thing we'd be screaming bloody murder. Instead we're closer to nuclear war than any time since the Cuban Missile Crisis, and no one seems to notice.

Re:

[cusco]

Ah, but he didn't claim to be a peace-loving Liberal, and the media didn't even try to convince people of that absurdity. While I loathe the bastard he's at least honest about be a bottom-feeding scum sucker, unlike the bottom-feeding scum sucker currently in the Oval Office.

Re:

[geekmux]

... they’re so old.

People whinge about Biden but he is achieving much, such as modernizing the US government, a mind-boggling massive task. Most of the changes are in the back-office but a front-end consequence is a federal web-site for doing federal taxes online.

Much like the US Military numbers, they’re not downsizing because they want to.. They’re downsizing because Reality is forcing them to. Taxes fund Government budgets a hell of a lot more than printing cash does, and when you do not have the tax revenue coming in and you’re pissing away a ton of it funding an illegal invasion of the country to secure “votes” for the upcoming election, the resulting impact of that becomes obvious.

Government didn’t suddenly grow a conscienc

Re:

[i.r.id10t]

Not just corporate and greed.... same happens at colleges, universities, state/fed agency offices, etc.

In fact, I'd bet that a very large percentage of systems at various county level school boards or individual schools are out of date/unpatched/falling behind.

Re:

[geekmux]

Not just corporate and greed.... same happens at colleges, universities, state/fed agency offices, etc.

In fact, I'd bet that a very large percentage of systems at various county level school boards or individual schools are out of date/unpatched/falling behind.

Correct. And when we ironically find endowment coffers filled with billions AND outdated systems rotting on the same campus, the cause is the same. One would think they would be embarrassed enough to fix it.

Speaking of embarrassing, I wonder how many outdated unpatched Windows systems are running inside Microsoft..

If you need help persuading management to pay

[Anne Thwacks]

I am sure there are plenty of bad guys out there willing to help!

If it ain't broken....

[SuperDre]

Why need to upgrade if it is running perfectly? It's not always a newer version is running better or faster. Also it's not always that easy as other software that uses the DB has to be upgraded, changed as well, or at least tested.

Re:

[christoban]

Because, as the title says, those SQL servers have passed end of support. As in no security updates.

Re:

[SuperDre]

But it still depends on the usage is security updates are needed. If one has blocked the SQL Server from outside access then it doesn't really matter.

Re:

[christoban]

Until they hack the firewall! Where's that blinking light hack?

Who gets the reference?

Re:

[bleedingobvious]

Why need to upgrade if it is running perfectly?

To take advantage of advancements in Security, Functionality, Data integrity,...

What is it about the word UPGRADE that implies it's unnecessary and adds nothing of value?

Re:If it ain't broken....

[Anonymous Coward]

Most "upgrades" these days are not actually upgrades at all, but more about bloat, telemetry, cosmetic changes, and unnecessary breaking of things to force additional changes and extraction of more money.

Re:

[JustNiz]

>> What is it about the word UPGRADE that implies it's unnecessary and adds nothing of value? ...because we're talking about Microsoft here.

Re:

[cusco]

We can tell that you've never upgraded or migrated a major mission-critical system.

Re:

[SuperDre]

UPGRADE does not imply it is necessary.
You underestimate the cost of license to small businesses and ofcourse the cost of performing the upgrade itself.
If you're lucky you can just upgrade without having to do anything and it still runs like a charm (and maybe even better). But if there are a lot of services that connect to the databaseserver it 's already a bigger problem, especially if the service is using stuff that might be deprecated in the newer version.

I'm not saying you shouldn't upgrade, if possibl

Re:

[SuperDre]

Easy to say, but newer versions also bring problems of new bugs with it. And ofcourse it's easy to upgrade every couple of months if you're still working on the system. But if the software is sitting there with only the occasional change/bugfixes, upgrading every couple of months is just insane. Yep, easy if you have a big company with a lot of systemmaintainers and developers, but for smaller companies that might just be a too big a burden.
If you keep updating your system every couple of weeks with differe

Re:

[bloodhawk]

Security and support being the obvious things. It may not be broke now, but when it breaks do you want to spend a week on an outage because to fix it you have to spend a 5 days remediating your code before upgrading to a newer version. Those are the types of risks you run which most businesses would go ballistic at IT if they were aware of the risk.

Open source DBs have caught up

[DrXym]

I use PostgreSQL for a large cloud application and frankly I can't think of many reasons I'd want to ditch it for some proprietary, closed source database. It does what its supposed to, has excellent community support, is easy to install locally for testing / development and it's pleasant to work with.

I'm sure Oracle / MSSQL Server would work well too, and they ought to for the stupid amounts of money required for a license. But I wonder how many database deployments are just pissing money down the drain on a closed, proprietary DB (+ software auditors breathing down their necks) when an open source database would be more than adequate for the same task.

Re:

[bleedingobvious]

I use PostgreSQL for a large cloud application and frankly I can't think of many reasons I'd want to ditch it for some proprietary, closed source database.

Its raw performance is still nowhere near that of MS SQL. Not in IOPS. Not in net. Not in encryption. Not in replication.

Sometimes... performance really does matter. If it doesn't matter all that much, then sure. Go wild.

Re:

[JustNiz]

>> Its raw performance is still nowhere near that of MS SQL.

Not true at all. It completely depends on your use-case. For example, PostgresSQL handles concurrency MUCH better/faster.

Re:

[WaffleMonster]

Not true at all. It completely depends on your use-case. For example, PostgresSQL handles concurrency MUCH better/faster.

SQL Server has supported multi-version concurrency for nearly two decades and counting. You just have to turn it on.

Re:

[laffer1]

Not to mention the savings on Windows Server and SQL Server licenses buys a faster server or a larger cloud instance. You get to throw hardware at it if you're willing to spend the same amount.

Re:

[bcoff12]

Take your licensing costs and throw it at beefier hardware, and you'll end up with better performance from pg than MS SQL. And the differences aren't as stark as you make them out to be. Sure - in some cases, MS SQL does things better. But the reverse is also true.

Re:

[DrXym]

"Raw performance" doesn't make much difference unless you're hammering the thing and every last clock cycle counts. Otherwise it really doesn't matter what the theoretical maximum is, if the database keeps up with the workload. And for me, and I suspect most databases it does.

Re:

[F.Ultra]

that is really strange, of all our customers the only ones constantly having performance issues are the ones that still cling to using MSSQL while the people with PostgreSQL and MySQL/MariaDB almost never have any such issues. And they (aka the MSSQL customers) also often have beefier hardware.

Re:

[F.Ultra]

Let me clarify: they are all handling the same data, it's just that one of our products that inserts stock data into a sql server have support for MSSQL, My/MariaDB and PostgreSQL and the only ones with constant performance problems is the MSSQL people despite them often having much beefier machines.

Re:

[DrXym]

It's got millions of records for each of thousands of tenants. So it's large for what it is. It's not getting clobbered by continuous requests, or recording gene sequences or anything fancy but Postgres works and we don't have any intention of switching. We're not even using an especially large EC2 instance to host the thing so there is scope to make it faster if needs be.

Re:

[jimminy_cricket]

I agree. My company's ERP software can use PostgreSQL or IBM's db/400 (db/2 on an IBM i). We have found both work equally well. The IBM i is known for its reliability and support, but I have found damaged objects on the IBM i and have yet to ever see anything similar with PostgreSQL. IBM has the upper hand with hardware support, but running PostgreSQL on Linux is a lot cheaper and easier. A LOT cheaper. https://www.eaerich.com/ [eaerich.com] if you want to know more.

I bet it's a lot more

[drinkypoo]

Quite a bit of Windows software uses the small version of SQL Server which is distributed with it. I bet there's zillions of copies of that which are out of date and could be used to gain a foothold on a system.

Re:

[cusco]

Any AMAG security system over a decade old (and security systems tend to never get upgraded) runs on MSDE or SQL 2000, no service packs allowed. Kind of frightening when your security system is your company's largest security hole.

Re:

[Anonymous Coward]

The old SQL that ships with apps is a local only copy, it does not permit remote connections so anything exploiting it has to already be on the system.

SQL Slammer

[bobbutts]

Fun times. IIRC at the hosting company I worked for we didn't even track which customer used which OS or keep remote access to their windows boxes. We had to scramble to deal with those systems getting hacked and saturating the bandwidth. Seems like several lifetimes ago.

If the public only knew

[nehumanuscrede]

If they only knew just how old some of the equipment is that is keeping this place running, they would be terrified.

I took a screenshot of a router just last week that I found. ( large Telecom network )

It has been running non-stop, without interruption for the last twenty YEARS. :|

The last time it was rebooted was in 2003 . . . . . lol

Re:

[kriston]

I've encountered absurdly long uptimes on a weekly basis no matter where I've worked.

At AOL there was a strict rule to reboot, or "bounce" in their parlance, everything every two weeks.

Re:

[Saffaya]

My friend had a DEC unix station at home, using it as his everyday machine.
He had to reboot it three times ...
In seven years.
And that was when he updated the kernel on it IIRC.

Sucks to be successful!

[Somervillain]

SQL Server was a great DB 20 years ago. I assume it still is, just don't know first hand. However, it points to the problem with success. If you make a product "good enough," lots of people will use it...often for longer than you want them to.

It was very thoughtfully designed, had great features Oracle STILL lacks today that I found immensely useful and did EVERYTHING better than Oracle when I was using it. But more importantly, it solved business problems and was easy to administer and maintain. I have an application from that era that ended up living 20 years...so yeah, a lot of small businesses hired guys like me to write them a useful app and many of them are not IT experts or great at maintaining infrastructure...now, as a reward for making a user-friendly product that works really well, MS is in the uncomfortable position of telling folks to upgrade, knowing that if they stop supporting their product, attackers will hit the old servers and it will be bad press....even though the user didn't maintain it correctly.

Re:

[Saffaya]

"SQL Server was a great DB 20 years ago."
No.
I never understood how anyone could have used that piece of shit when you have previously used Sybase SQL.
Granted, I only had to suffer MS SQL for a leisure project and luckily not at work.
Sybase SQL: Import DB modifications, check their result on the database, and only then COMMIT the changes if satisfactory. Or Revert them if not.
MS SQL: accidently erase the content of a cell, you're fucked. There is no revert, because there is no commit.
Or tell me where it was,

DDL is not transactional in any DB I've used

[Somervillain]

...TMK. If Sybase had transactional DDL, they're ahead of SQL Sever and Oracle and TMK Postgres, MySQL, Cassandra, Mongo, etc. That's a very specific feature and I'd rather have simpler code or better performance than transactional DDL...but more importantly, you're violating several best practices:

1. Test your work...You should have tested your code on a local replica. You can do that easily in SQL Server, but not Oracle
2. Before you make changes, make a backup...you should have also done that. Su

Re:

[bleedingobvious]

MS SQL: accidently erase the content of a cell, you're fucked. There is no revert, because there is no commit.

Unadulterated garbage - ROLLBACK/COMMIT has been there for ages.

Ignorance of the tool is not a failing of the tool.

This is one advantage of cloud hosting

[Tony Isaac]

You can opt for a plan that ensures your database server is kept running on the latest version.

What's the suprise?

[Murdoch5]

Most companies have rotting, old, unsupported, EOL, and compromised crap, running somewhere. 20% of MS SQL servers being outdated, honestly sounds low, it's almost refreshing to see the number as low as 20%.

I know companies who still have Windows 3.1 and 95 VM's running, so they can support hardware that's been running since the mid 90s, which can't be replaced. What about old servers that people refuse to update, be it due to Flash support (yes that really happens), or because the old IT guy left and