SQL Server Patching and SOX compliance RRS feed

  • Question

  • Hi Guys,

    I need some suggestions on how others do patching on SQL Server to comply with SOX.  

    Our process is, if microsoft releases a security update, we review the risk and patch them as soon as possible.  We do not patch CU/Service packs.  This has been fine for a few years.  But this years auditors are asking why we havent patched the CU?

    My question is, does that even apply to sox as CU's are bugfixes and functionality improvements?  


    Wednesday, January 30, 2019 9:30 PM

All replies

  • I don't know anything about SOX, but you should generally apply Service Packs for 2016 and earlier. For SQL 2017, there are no service packs, but you should apply the CUs. Maybe not all every month, but if you are at RTM at this point, you are definitely not doing it right.

    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

    Wednesday, January 30, 2019 10:53 PM
  • I have 2014 :).  Ours is a 24/7 system and running credit card like transactions.  The reason we havent applied any CU's this year is because we are focusing on migration to cloud and it take significant effort from QA's and DBA's to test these thoroughly as we have sub 50 ms transaction times and the system is very sensitive,  so we didnt want to make any changes unless we absolutely have to.  
    Thursday, January 31, 2019 1:53 AM
  • You absolutely have to. If someone gets in or something goes wrong because the instance isn't patched it will take more than 'significant effort' to resolve.

    We patch windows every month. If there is a sql server security patch it's applied within the month, and possibly a lot quicker. We apply non-security service packs/hotfixes/cumulative updates at regular intervals to test instances first then to production.


    Tuesday, February 5, 2019 1:44 PM