Plans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15139	DG0097-SQLServer9	SV-24254r1_rule	DCCT-1	Medium

Description
Updates and patches to existing software have the intention of improving the security or enhancing or adding features to the product. However, it is unfortunately common that updates or patches can render production systems inoperable or even introduce serious vulnerabilities. Some updates also set security configurations back to unacceptable settings that do not meet security requirements. For these reasons, it is a good practice to test updates and patches offline before introducing them in a production environment.

Description

Updates and patches to existing software have the intention of improving the security or enhancing or adding features to the product. However, it is unfortunately common that updates or patches can render production systems inoperable or even introduce serious vulnerabilities. Some updates also set security configurations back to unacceptable settings that do not meet security requirements. For these reasons, it is a good practice to test updates and patches offline before introducing them in a production environment.

STIG	Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide	2015-06-16

Details

Check Text ( C-23649r1_chk )
Review policy, procedures and implementation evidence for testing DBMS installations, upgrades and patches prior to production deployment. If policy and procedures do not exist, are incomplete or evidence of implementation does not exist, this is a Finding.

Fix Text (F-24541r1_fix)
Develop, document and implement policy and procedures for testing DBMS installations, upgrades and patches prior to deployment on production systems.