An upgrade/migration plan should be developed to address an unsupported DBMS software version.


Overview

Finding ID | Version | Rule ID | IA Controls | Severity
V-4758 | DG0002-SQLServer9 | SV-24115r1_rule | VIVM-1 | Medium
Description
Unsupported software versions are not patched by vendors to address newly discovered security vulnerabilities. An unpatched version is vulnerable to attack. Developing and implementing an upgrade plan prior to a lapse in support helps to protect against published vulnerabilities.
STIG | Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16

Details

Check Text ( C-17419r1_chk )
If the check for unsupported version (DG0001) returns an unsupported version, or the installed version is within 6 months of a desupport notice, ask if migration plans are in progress to upgrade to a supported version. If plans are not in progress, this is a Finding.

To check version for SQL Server:

From the query prompt:

SELECT CONVERT(CHAR(13), SERVERPROPERTY('ProductVersion'))

The format is major.minor.build, and only the major version matters for this check:

9 = SQL Server 2005

From the query prompt:

SELECT CONVERT(CHAR(3), SERVERPROPERTY('ProductLevel'))

Where value:

RTM = Original release version (no service packs installed)
SPn = Service Pack Level

View version and service pack level. If the DBMS is not at the service pack level listed for the version below and no update plan exists, this is a Finding.

Product Release (as of 1 May 2009) | Mainstream Support Retired | Extended Support Retired | Service Pack
SQL Server 9 (2005) | 04/12/2011 | 04/12/2016 | SP3
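
The two queries and the support table above, combined into a single evidence query. This is an added example, not part of the STIG text. It assumes that "within 6 months of a desupport notice" means within 6 months of the Extended Support Retired date; the variable names and status strings are illustrative.

```sql
-- Added example (not STIG text). Written to run on SQL Server 2005 itself,
-- so variables are assigned with SET rather than inline DECLARE initialisers.
DECLARE @version VARCHAR(32), @level VARCHAR(16);
DECLARE @major INT, @sp INT, @required_sp INT;
DECLARE @extended_end DATETIME;

SET @version = CONVERT(VARCHAR(32), SERVERPROPERTY('ProductVersion'));
SET @level   = CONVERT(VARCHAR(16), SERVERPROPERTY('ProductLevel'));

-- Major version is everything before the first dot (9 = SQL Server 2005).
SET @major = CONVERT(INT, LEFT(@version, CHARINDEX('.', @version) - 1));

-- RTM (or any non-SP level) counts as service pack 0; SPn counts as n.
SET @sp = CASE WHEN @level LIKE 'SP[0-9]%'
               THEN CONVERT(INT, SUBSTRING(@level, 3, 8))
               ELSE 0 END;

-- Values taken from the support table in this check (as of 1 May 2009).
SET @required_sp  = 3;            -- SP3
SET @extended_end = '20160412';   -- 04/12/2016, Extended Support Retired

SELECT
    @version AS ProductVersion,
    @level   AS ProductLevel,
    CASE
        WHEN @major <> 9 THEN 'Not SQL Server 2005: use the STIG for the installed version'
        WHEN @sp < @required_sp THEN 'Below SP3: update plan required'
        ELSE 'At or above SP3'
    END AS ServicePackStatus,
    CASE
        WHEN @major <> 9 THEN 'n/a'
        WHEN GETDATE() >= @extended_end
            THEN 'Support retired: migration plan required'
        -- Assumption: the 6-month window is measured back from the retirement date.
        WHEN GETDATE() >= DATEADD(month, -6, @extended_end)
            THEN 'Within 6 months of support retirement: migration plan required'
        ELSE 'Supported'
    END AS SupportStatus;
```

A "plan required" status is not itself a Finding; per the check text, it becomes one only when no update or migration plan exists.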
Fix Text (F-24544r1_fix)
Apply the latest service pack (after testing) for the supported DBMS version.

Create an upgrade plan for obsolete or expiring vendor products.

As soon as an expiration date is published for the product, prepare to upgrade it.

The cost of the upgrade should be budgeted, including any additional testing and development required to support the upgrade.

A plan for testing the upgrade should also be scheduled.

Any other steps for upgrade should be included in the plan and the plan for upgrade should be scheduled for completion prior to expiration of the current product or product support contract.