Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-4758 | DG0002-SQLServer9 | SV-24115r1_rule | VIVM-1 | Medium |
Description |
---|
Unsupported software versions are not patched by vendors to address newly discovered security vulnerabilities. An unpatched version is vulnerable to attack. Developing and implementing an upgrade plan prior to a lapse in support helps to protect against published vulnerabilities. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text ( C-17419r1_chk ) |
---|
If the check for unsupported version (DG0001) returns an unsupported version or the installed version is within 6 months of a desupport notice, ask if migration plans are in progress to upgrade to a supported version. If plans are not in progress, this is a Finding.

To check version for SQL Server:

From the query prompt:

```sql
SELECT CONVERT(CHAR(13), SERVERPROPERTY('ProductVersion'))
```

Where format is in major.minor.build and we only concern ourselves with the major version:

9 = SQL Server 2005

From the query prompt:

```sql
SELECT CONVERT(CHAR(3), SERVERPROPERTY('ProductLevel'))
```

Where value:

RTM = Original release version (no service packs installed)
SPn = Service Pack Level

View version and service pack level. If the DBMS is not at the service pack level listed for the version below and no update plan exists, this is a Finding.

Product Release (as of 1 May 2009) | Mainstream Support Retired | Extended Support Retired | Service Pack |
---|---|---|---|
SQL Server 9 (2005) | 04/12/2011 | 04/12/2016 | SP3 |
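
The two queries and the support table from the check text can be evaluated in one T-SQL batch. This is an added example, not part of the STIG text. The variable names and output columns are illustrative, and it assumes the "desupport notice" date is the Extended Support Retired date (12 April 2016) from the table above. It uses separate `DECLARE` and `SET` statements so it runs on SQL Server 2005.

```sql
-- Added example for the DG0002 check; not part of the STIG text.
-- The date and service pack level are transcribed from the check text's table.
DECLARE @version varchar(32), @level varchar(16), @major int, @sp int;
DECLARE @ext_end datetime, @required_sp int;

SET @version = CONVERT(varchar(32), SERVERPROPERTY('ProductVersion'));
SET @level   = CONVERT(varchar(16), SERVERPROPERTY('ProductLevel'));

-- Only the major version matters for this check (9 = SQL Server 2005).
SET @major = CAST(LEFT(@version, CHARINDEX('.', @version) - 1) AS int);

-- ProductLevel is RTM (no service pack) or SPn; map it to a number.
SET @sp = CASE WHEN @level LIKE 'SP[0-9]%'
               THEN CAST(SUBSTRING(@level, 3, 8) AS int)
               ELSE 0 END;

SET @ext_end     = '20160412';  -- Extended Support Retired (assumed desupport date)
SET @required_sp = 3;           -- Service Pack column for SQL Server 9 (2005)

SELECT
    @version AS ProductVersion,
    @level   AS ProductLevel,
    CASE
        WHEN @major <> 9
            THEN 'Not SQL Server 2005: table in this check does not apply'
        WHEN GETDATE() >= @ext_end
            THEN 'Unsupported: Finding unless migration plans are in progress'
        WHEN GETDATE() >= DATEADD(month, -6, @ext_end)
            THEN 'Within 6 months of desupport: ask for migration plans'
        ELSE 'Supported'
    END AS SupportStatus,
    CASE
        WHEN @major <> 9
            THEN 'Not SQL Server 2005: table in this check does not apply'
        WHEN @sp < @required_sp
            THEN 'Below SP3: Finding unless an update plan exists'
        ELSE 'At or above SP3'
    END AS ServicePackStatus;
```

The batch only reports status. Whether a migration or update plan exists still has to be confirmed with the system owner, as the check text requires.
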
Fix Text (F-24544r1_fix) |
---|
Apply the latest service pack (after testing) for the supported DBMS version. Create an upgrade plan for obsolete or expiring vendor products. As soon as an expiration date is published for the product, prepare to upgrade it. The cost of the upgrade should be budgeted, including any additional testing and development required to support the upgrade. A plan for testing the upgrade should also be scheduled. Any other steps for the upgrade should be included in the plan, and the upgrade should be scheduled for completion prior to expiration of the current product or product support contract. |