The headlines about Meltdown and Spectre microprocessor vulnerabilities have somewhat subsided, but the patching goes on in IT shops both big and small -- creating possible SQL Server performance issues for Microsoft users.
Databases, including SQL Server, could be affected by the architectural flaws in chips widely reported at the start of the year. At risk are processors from Intel and others that use creative design to boost system performance.
As described by Google Project Zero, both Meltdown and Spectre access on-chip cache memory to create vulnerable side-channels of communication. Spectre can inject commands that divulge data. Meltdown, using simpler operations, can monitor data in memory.
In both cases, malicious code would exploit chip-level speculative code execution techniques -- ones used in many types of systems, including relational databases.
Early indications from Microsoft and others are that software patches and workarounds designed to counter Meltdown and Spectre can incur SQL Server performance issues. There are no signs of actual hacks yet, but database administrators (DBAs) have been advised to update server-side software. The fixes may lead to added processing overhead, however.
The problems are by no means limited to on-premises databases. Reports indicated that some users of SQL Server cloud versions were the first to feel the impact of Meltdown protection, when Microsoft Azure cloud patching activity caused brief blips in operations.
Patches and processing overhead
When DBAs apply updates to guard against the Meltdown and Spectre vulnerabilities, they'll have to judge for themselves how the added overhead of patches may affect their workloads. Performance degradation covering a variety of database, virtual machine, operating system and hardware combinations has been cited in some user blog entries.
But early estimates should be considered critically, according to Thomas LaRock, who serves as "head geek" at technology infrastructure management software provider SolarWinds, based in Austin, Texas. It's still early in terms of finding clarity when it comes to judging SQL Server performance issues that may be incurred by the recent Microsoft patches and workarounds to counter the two vulnerabilities, LaRock said.
"When you factor in the number of patches involved with Meltdown [and] Spectre, it's easy to understand why some people may be reporting a 30% performance hit," he said. "You could find hundreds of such claims on Reddit right now, many of them without any understanding of why such a performance hit might have been possible."
Calling 'Captain Edgecase'
Workloads, hardware, applications and code are among the variables that contribute to different performance measures. This is not to mention the human element.
"There's always one 'Captain Edgecase' in the crowd that wants everyone to know they found something different than anyone else," LaRock mused.
While waiting for chipmakers to create their own patches for Meltdown and Spectre, IT pros will have to look to patch applications not just at the database level, but at the operating system and browser levels, too.
LaRock said the basic message boils down to this: "Update all things."
Meltdown/Spectre lesson: Assess, test
Still, it's important for everyone to be able to assess their risk properly before applying patches, according to LaRock, who is a Microsoft MVP.
"To me, any risk is too much risk, and I would want to patch. But I wouldn't do so without knowing the impact, especially for mission-critical servers," he said.
The advice here is to, in LaRock's words, "test, test, test." Ned Bellavance, director of cloud solutions at technical services provider Anexinet Corp. in Blue Bell, Pa., agreed.
"There are always going to be vulnerabilities and news about vulnerabilities. So, you have to have an environment for testing patches before rolling out changes into production," said Bellavance, who is also a Microsoft MVP.
Microsoft itself said much the same thing in its support document about the vulnerabilities and the fixes it has provided for them.
Tests that Microsoft ran to measure the performance impact of fixes required in certain application scenarios found "significant degradation" on some SQL Server workloads, it said. The company recommended that users do their own performance checks before deploying the fixes. "If the performance impact of enabling these features is too high for an existing application, customers can consider whether isolating SQL Server from untrusted code running on the same machine is a better mitigation," it added.
Microsoft suggested that all users install updated versions of SQL Server and Windows Server to help mitigate the threats; doing so "should have negligible to minimal performance impact [on] existing applications," it said. Even in that case, though, it recommended that users first validate whether the performance of their SQL Server systems would be affected.
Moving databases to the cloud doesn't relieve a DBA's responsibility for faults in system settings, Bellavance said. That is especially true in the face of vulnerabilities like Meltdown, which can exploit cloud environments that share resources like databases across virtual machines. The cloud provider can be expected to roll out fixes, but databases have to be configured to anticipate such disruptions in the status quo.
Microsoft was quick to roll out patches for SQL Server databases on its cloud, but some users experienced downtime, Bellavance said.
"People were impacted because Microsoft had to do cloud maintenance. If you didn't follow best practices for high availability, you may have had a performance hit," he said. Now is as good a time as any to review such practices, Bellavance advised.