Protecting core infrastructure components like SQL Server is certainly one of the database professional first priorities. However, for those businesses still running SQL Server 2008/R2, that’s become a problem. Microsoft’s last day of service for SQL Server 2008 and SQL Server 2008 R2 was July 9, 2019. That means there will no longer be any security updates for those releases. Any installed SQL Server 2008/R2 instances will continue to run but they’re potentially open to new security vulnerabilities and Microsoft will no longer offer technical support for them. This applies to both SQL Server 2008 and SQL Server 2008 R2 – even though they released nearly two years apart.
Essential SQL Server 2008/R2 DR Safeguards
The end-of-service for SQL Server 2008/R2 has some important ramifications for both on-going operations and data protection. Now that support has ended it’s more important than ever to make sure your SQL Server deployments are protected. You absolutely need to immediately test your backup and disaster recovery (DR) plans to make certain that they both work. As there are no more security patches you especially need to make sure that you can restore an operational instance of your SQL Server 2008/R2 servers in the event that they are hit with a malware or ransomware attack. Keeping an offsite backup or replica of the server is vital in order to ensure that the backups and/or replicas cannot be corrupted by worms that can spread through the network. You also need to ensure that your antivirus (AV) protection is current.
What do you do if you’re stuck with SQL Server 2008/R2?
In an ideal world, organizations would upgrade before their core infrastructure products like SQL Server reached their end-of-service. While most organizations have already upgraded to a newer version of SQL Server, not all businesses are able to for a variety of reasons. Sometimes they rely on third-party applications that cannot be changed or perhaps there are simply no resources to perform the upgrade.
Of course, you can continue running SQL Server 2008/R2 as-is and hope for the best. Alternatively, Microsoft does offer a couple of options to help an organization that is unable to upgrade. First, you can pay for Extended Security Updates which will add three years of critical security updates from Microsoft. This option requires that you have Software Assurance (SA) coverage as well as requiring payment of 75% of the current SQL Server licensing costs.
Alternatively, Microsoft also offers an option to move your SQL Server 2008/R2 workload to an Azure VM where you can get free Extended Security Updates support for three years. This option also requires SA. The Azure Hybrid Benefit program can provide discounts on Azure VM hosting costs. You can learn more about Microsoft options to extend support for SQL Server 2008/R2 at Extended Support for SQL Server 2008.
Ensuring Disaster Recoverability for SQL Server 2008/R2
If you’re currently running SQL Server 2008/R2 then it would certainly be best to make plans to upgrade as soon as you feasibility can or if you can’t upgrade then you might consider purchasing one of Microsoft’s extended support offerings. In the meantime, since your systems will be potentially vulnerable to new threats the ability to restore your systems becomes of paramount importance. Test your database backups, test your DR plan’s ability to restore your SQL Server 2008/R2 instances, be sure to keep air-gapped backups or VM replicas and of course be sure you have followed the security best practices by using strong passwords, a firewall, AV and keeping up with current security alerts.
On a similar note, Windows Server 2008 and Windows Server 2008 R2 will hit their end-of-service date on January 14, 2020 so if you’re running that older OS you’ll also need to plan for how to handle that event.