Study: Oracle database has more flaws than SQL Server

27.11.2006
Microsoft Corp. may be taking the most heat among software vendors for security problems, but it's not always the one with the worst record.

A comparison of vulnerabilities in Microsoft's SQL Server database and Oracle Corp.'s relational database management (RDBM) products by U.K.-based Next Generation Security Software (NGSS) shows Oracle's products to have far more vulnerabilities than do products from Microsoft.

Between December 2000 and November 2006, external researchers discovered 233 vulnerabilities in Oracle's products compared to 59 in Microsoft's SQL Server technology, according to NGSS. The study looked at vulnerabilities that were reported and fixed in SQL Server 7, 2000 and 2005 and Oracle's database versions 8, 9, and 10g.

The results show that the reputation for relatively poor security that SQL Server had back in 2002 is no longer deserved, said David Litchfield, founder of NGSS. Neither is the beating that Microsoft continues to take over security issues, he said.

"I think it's time people got past this, especially security researchers," Litchfield said. "We should be about closing holes and improving a vendor's outlook on security and -- largely -- that battle has been won with Microsoft," he said. The results show that Microsoft's software development lifecycle processes appear to be working, he said.

"There are other battles needing to be fought and won -- Oracle being one of them," he said.