What are Extended Security Updates for SQL Server?
This article provides information for using the SQL Server registry service to receive Extended Security Updates for SQL Server 2008 and SQL Server 2008 R2. For more information about other options, see End of support options.
Once SQL Server has reached the end of its support lifecycle, you have the option to sign up for an Extended Security Update (ESU) subscription for your servers and remain protected for up to three years, until you are ready to upgrade to a newer version of SQL Server or migrate to Azure SQL Database. This subscription is available in two ways:
- Can be purchased for your on-premises or hosted environment servers.
- Free and enabled by default when migrating on-premises servers to Azure Virtual Machines. You can then use the SQL Server registry service in the Azure portal to register your end-of-support SQL Server instance and download updates when they are made available.
Microsoft recommends applying ESU patches as soon as they are available to keep your SQL Server instance protected. For detailed information about ESUs, see the ESU FAQ page.
Extended support for SQL Server 2008 and SQL Server 2008 R2 ended on July 10, 2019. For these versions, consider using Extended Security Updates described in this article or other migration options. For more information, see End of support options.
What are Extended Security Updates
Extended Security Updates (ESUs) for SQL Server 2008 and SQL Server 2008 R2 include provision of security updates for customers who have purchased an Extended Support Update subscription.
ESUs are made available if needed, once a security vulnerability is discovered and is rated as Critical by the Microsoft Security Response Center (MSRC). Therefore, there is no regular release cadence for SQL Server ESUs.
ESUs do not include:
- New features
- Functional improvements
- Customer-requested fixes
ESUs do not include technical support, but you can use an active support contract such as Software Assurance or Premier/Unified Support on SQL Server 2008 / SQL Server 2008 R2 to get technical support on workloads covered by ESUs if you choose to stay on-premises. Alternatively, if you're hosting on Azure, you can use an Azure Support plan to get technical support.
Microsoft cannot provide technical support for SQL Server 2008 and SQL Server 2008 R2 instances (both on-premises, and in hosting environments) that are not covered with an ESU subscription.
ESU Availability and Deployment
ESUs are available to customers running their workload in Azure, on-premises, or hosted environments.
Azure Virtual Machines
If you migrate your workloads to Azure Virtual Machines (IaaS), you will have access to Extended Security Updates for SQL Server 2008 and SQL Server 2008 R2 for up to three years after the End of Support, at no additional charges above the cost of running the virtual machine. Customers do not need Software Assurance to receive Extended Security Updates in Azure.
Azure Virtual Machines running SQL Server on Windows Server 2008 R2 and greater will receive ESUs automatically through existing SQL Server update channels, when the virtual machine is configured to use automated patching.
Azure Virtual Machines (VMs) running SQL Server on Windows Server 2008 or VMs that have not been configured for automated patching will need to manually download and deploy ESU patches as described in the on-premises or hosted environments section.
On-premises or hosted environments
If you have Software Assurance, you can purchase an Extended Security Update (ESU) subscription for up to three years after the End of Support date, under an Enterprise Agreement (EA), Enterprise Subscription Agreement (EAS), a Server & Cloud Enrollment (SCE), or an Enrollment for Education Solutions (EES). You can purchase ESUs only for the servers you need to cover. ESUs can be purchased directly from Microsoft or a Microsoft licensing partner.
Customers covered by ESU agreements must follow these steps to download and deploy an ESU patch:
- Register eligible instances with the SQL Server registry.
- Once registered, whenever ESU patches are released, a download link will be available in the Azure portal to download the package.
- The downloaded package can be deployed to your on-premises or hosted environments manually, or through whatever update orchestration solution is used in your organization, such as Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager).
This is also the process that customers will need to follow for Azure Stack and Azure Virtual Machines that are not configured to receive automatic updates.
For more information, see the Extended Security Updates frequently asked questions.
Create SQL Server registry
To register your ESU-enabled SQL Server instances, you'll first need to create the SQL Server registry in the Azure portal.
It's not necessary to register SQL Server instances for ESUs when running an Azure Virtual Machine that is configured for automatic updates.
To create the SQL Server registry, follow these steps:
1. Sign in to the Azure portal.
2. Select the option to Create a resource.
3. Type SQL Server registry in the search box.
4. Choose the SQL Server registry option published by Microsoft, and then select Create.
5. Under Project Details, choose your subscription from the drop-down. Then either choose an existing Resource group or select Create new to create a new resource group for your new SQL Server registry service.
6. Under Service Details, provide a name and region for your new SQL Server registry resource.
7. Select Review + create to review the details for your SQL Server registry. Select Create once validation has passed.
Register instances for ESUs
After the SQL Server registry resource is deployed, you can register a single SQL Server instance, or you can register multiple SQL Server instances in bulk. At least one SQL Server instance must be registered in the scope of your SQL Server registry in order to download any ESU packages.
Single SQL Server instance
To register a single SQL Server instance, follow these steps:
1. Sign in to the Azure portal.
2. Go to your SQL Server registry resource.
3. Select + Register from the Overview pane.
4. Provide the required information as detailed in this table, and then select Register:
| Value | Description |
| --- | --- |
| Instance | Enter the output of command SELECT @@SERVERNAME, such |
| SQL Version | Select either 2008 or 2008 R2 from the drop-down. |
| Edition | Select the applicable edition from the drop-down: Datacenter, Developer (free to deploy if purchased ESUs), Enterprise, Standard, Web, Workgroup. |
| Cores | Enter the number of cores for this instance |
| Host Type | Select the applicable host type from the drop-down: Virtual machine (on-premises), Physical Server (on-premises), Azure Virtual Machine, Amazon EC2, Google Compute Engine, Other. |
| SubscriptionID ¹ | Enter the SubscriptionID where the VM is created. |
| Resource Group ¹ | Enter the resource group where the VM is created. |
| Azure VM name ¹ | Enter the VM resource name. |
| Azure VM operating system ¹ | Select the applicable Windows Server operating system version from the drop-down. |

¹ Only necessary for Azure virtual machines.
The newly registered SQL Server instance is now visible in the Register SQL Server instances section of the Overview pane.
Once a SQL Server instance has been registered, the Security Updates section becomes available. Any available ESUs will be posted there.
Multiple SQL Server instances in bulk
Multiple SQL Server instances can be registered in bulk by uploading a .CSV file. Once your .CSV file has been formatted correctly, you can follow these steps to bulk register your SQL Server instances with the SQL Server registry resource:
1. Sign in to the Azure portal.
2. Go to your SQL Server registry resource.
3. Select Bulk Register from the Overview pane.
4. Select the file icon to browse to your .CSV file location. Select the .CSV file. Then select Register to upload the file and register multiple instances of SQL Server.
Formatting requirements for CSV file
- Values are comma-separated
- Values are not single or double-quoted
- Column names are case-insensitive but must be named as below:
1 Only necessary for Azure Virtual Machines.
CSV Example 1 - on-premises
For on-premises SQL Server instances, the CSV file should look like this:
```
name,version,edition,cores,hostType
Server1\SQL2008,2008,Enterprise,12,Physical Server
Server1\SQL2008R2,2008 R2,Enterprise,12,Physical Server
Server2\SQL2008R2,2008 R2,Enterprise,24,Physical Server
Server3\SQL2008R2,2008 R2,Enterprise,12,Virtual Machine
Server4\SQL2008,2008,Developer,8,Physical Server
```
Refer to MyPhysicalServers.csv for a CSV file example.
CSV Example 2 - Azure VM
For Azure Virtual Machine SQL Server instances, the CSV file should look like this:
```
name,version,edition,cores,hostType,subscriptionId,resourceGroup,azureVmName,azureVmOS
ProdServerUS1\SQL01,2008 R2,Enterprise,12,Azure Virtual Machine,61868ab8-16d4-44ec-a9ff-f35d05922847,RG,VM1,2012
ProdServerUS1\SQL02,2008 R2,Enterprise,24,Azure Virtual Machine,61868ab8-16d4-44ec-a9ff-f35d05922847,RG,VM1,2012
ServerUS2\SQL01,2008,Enterprise,12,Azure Virtual Machine,61868ab8-16d4-44ec-a9ff-f35d05922847,RG,VM2,2012 R2
ServerUS2\SQL02,2008,Enterprise,8,Azure Virtual Machine,61868ab8-16d4-44ec-a9ff-f35d05922847,RG,VM2,2012 R2
SalesServer\SQLProdSales,2008 R2,Developer,8,Azure Virtual Machine,61868ab8-16d4-44ec-a9ff-f35d05922847,RG,VM3,2008 R2
```
Refer to MyAzureVMs.csv for an Azure VM targeted CSV file example.
For Transact-SQL and PowerShell example scripts that can generate the required SQL Server instance registration information into a .CSV file, see ESU registration script examples.
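A pre-upload check for the bulk registration file, so that an instance is not silently left out of the registry (and out of ESU patch coverage) because of a malformed row. This is an added example, not Microsoft's code: `validate_registration_csv` is a hypothetical helper, the column names are taken from the two CSV examples above, the version and edition values from the single-instance registration table, and exact-case matching of those values is an assumption.

```python
import re

# Column names as used in the two CSV examples on this page (compared in lower case).
BASE_COLUMNS = ["name", "version", "edition", "cores", "hosttype"]
AZURE_COLUMNS = ["subscriptionid", "resourcegroup", "azurevmname", "azurevmos"]
# Allowed values as listed for the single-instance registration form.
VERSIONS = {"2008", "2008 R2"}
EDITIONS = {"Datacenter", "Developer", "Enterprise", "Standard", "Web", "Workgroup"}
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def validate_registration_csv(text):
    """Return [(line_number, message), ...]; an empty list means nothing was found."""
    problems = []
    rows = [(n, l) for n, l in enumerate(text.splitlines(), 1) if l.strip()]
    if not rows:
        return [(0, "file is empty")]
    head_no, head_line = rows[0]
    # Column names are case-insensitive, so compare them in lower case.
    header = [h.strip().lower() for h in head_line.split(",")]
    problems += [(head_no, f"missing column: {c}") for c in BASE_COLUMNS if c not in header]
    problems += [(head_no, f"unexpected column: {c}") for c in header
                 if c not in BASE_COLUMNS + AZURE_COLUMNS]
    for n, line in rows[1:]:
        if '"' in line or "'" in line:
            problems.append((n, "values must not be single or double-quoted"))
            continue
        values = [v.strip() for v in line.split(",")]
        if len(values) != len(header):
            problems.append((n, f"expected {len(header)} values, found {len(values)}"))
            continue
        row = dict(zip(header, values))
        if not row.get("name"):
            problems.append((n, "name is empty"))
        if row.get("version") not in VERSIONS:
            problems.append((n, f"version must be 2008 or 2008 R2: {row.get('version')!r}"))
        if row.get("edition") not in EDITIONS:
            problems.append((n, f"unknown edition: {row.get('edition')!r}"))
        cores = row.get("cores") or ""
        if not re.fullmatch(r"[0-9]+", cores) or int(cores) < 1:
            problems.append((n, f"cores must be a positive integer: {cores!r}"))
        # The four Azure columns are only necessary for Azure Virtual Machines.
        if (row.get("hosttype") or "").lower() == "azure virtual machine":
            for col in AZURE_COLUMNS:
                if not row.get(col):
                    problems.append((n, f"{col} is required for an Azure VM"))
            sub = row.get("subscriptionid") or ""
            if sub and not GUID.fullmatch(sub):
                problems.append((n, "subscriptionid is not a GUID"))
    return problems


# Constructed sample, not real inventory: lines 3, 4 and 5 each break a rule.
SAMPLE = r"""Name,Version,Edition,Cores,HostType,SubscriptionId,ResourceGroup,AzureVmName,AzureVmOS
HostA\SQL01,2008 R2,Enterprise,12,Azure Virtual Machine,00000000-0000-0000-0000-000000000000,RG,VM1,2012
"HostA\SQL02",2008 R2,Enterprise,24,Azure Virtual Machine,00000000-0000-0000-0000-000000000000,RG,VM1,2012
HostB\SQL01,2008 R2,Express,0,Azure Virtual Machine,00000000-0000-0000-0000-000000000000,RG,VM2,2012 R2
HostC\SQL01,2008,Standard,8,Azure Virtual Machine,not-a-guid,RG,,2012 R2
"""

if __name__ == "__main__":
    for line_no, message in validate_registration_csv(SAMPLE):
        print(f"line {line_no}: {message}")
```

Comparing the number of rows that pass against the count returned by `SELECT @@SERVERNAME` across your inventory is a quick way to confirm every end-of-support instance is accounted for before upload.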
Once your SQL Server instances have been registered with the SQL Server registry service, you can download the Extended Security Update packages using the link found in the Azure portal, if and when they are made available.
To download ESUs, follow these steps:
1. Sign in to the Azure portal.
2. Go to your SQL Server registry resource.
3. Select Security Updates on the navigation pane.
4. Download security updates from here, if and when they are made available.
Configure regional redundancy
Customers that require regional redundancy for their SQL Server registry can create registration data in two distinct regions. Customers can then download security updates from either region based on SQL Server registry service availability.
For regional redundancy, the SQL Server registry service has to be created in two different regions, and your SQL Server inventory has to be split between these two services. This way, half of your SQL Servers are registered with the registry service in one region, and then the other half of your SQL Servers are registered with the registry service in the other region.
To configure regional redundancy, follow these steps:
1. Split your SQL Server 2008 or 2008 R2 inventory into two files, such as upload1.csv and upload2.csv.
2. Create the first SQL Server registry service in one region, and then bulk register one of the CSV files to it. For example, create the first SQL Server registry service in the West US region, and bulk register your SQL Servers using the upload1.csv file.
3. Create the second SQL Server registry service in the second region, and then bulk register the other CSV file to it. For example, create the second SQL Server registry service in the East US region, and bulk register your SQL Servers using the upload2.csv file.
4. Once your data has been registered with the two different SQL Server registry resources, you will be able to download security updates from either region, based on service availability.
General frequently asked questions about Extended Security updates can be found at the Extended security updates FAQ. SQL Server-specific frequently asked questions are listed below.
When was the End of Support for SQL Server 2008 and 2008 R2?
The End of Support date for SQL Server 2008 and SQL Server 2008 R2 was July 9, 2019.
What does End of Support mean?
Microsoft Lifecycle Policy offers 10 years of support (5 years for Mainstream Support and 5 years for Extended Support) for Business and Developer products (such as SQL Server and Windows Server). As per the policy, after the end of the Extended Support period there will be no patches or security updates, which may cause security and compliance issues, and expose customers' applications and business to serious security risks.
What editions of SQL Server are eligible for Extended Security Updates?
Enterprise, Datacenter, Standard, Web, and Workgroup editions of SQL Server 2008 and SQL Server 2008 R2 are eligible for Extended Security Updates for both x86 and x64 versions.
When will the Extended Security Updates offer be available?
Extended Security Updates are now available for purchase and can be ordered from Microsoft or a Microsoft licensing partner. The delivery of Extended Security Updates will begin after the End of Support dates, if and when available. Customers interested in migrating to Azure can do so immediately.
What do Extended Security Updates include?
Extended Security Updates include provision of Security Updates and Bulletins rated critical by the Microsoft Security Response Center (MSRC), for a maximum of three years after July 9, 2019. Extended Security Updates will be distributed if and when available. Extended Security Updates do not include technical support, but you may use other Microsoft support plans to get assistance on your SQL Server 2008 and SQL Server 2008 R2 questions on workloads covered by Extended Security Updates. Extended Security Updates do not include new features, functional improvements, nor customer-requested fixes. However, Microsoft may include non-security fixes as deemed necessary.
Why do Extended Security Updates for SQL Server 2008 and 2008 R2 only offer "critical" updates?
For End of Support events in the past, SQL Server provided only Critical Security Updates, which meets the compliance criteria of our enterprise customers. SQL Server does not ship a general monthly security update. Microsoft only provides on-demand SQL Server security updates (GDRs) for MSRC bulletins where SQL Server is identified as an affected product. If there are situations where new SQL Server important updates will not be provided and it is deemed critical by the customer but not by MSRC, we will work with the customer on a case-by-case basis to suggest appropriate mitigation.
What Licensing programs are eligible for Extended Security Updates?
Software Assurance customers can purchase Extended Security Updates on-premises under an Enterprise Agreement (EA), Enterprise Subscription Agreement (EAS), a Server & Cloud Enrollment (SCE), or an Enrollment for Education Solutions (EES). Software Assurance does not need to be on the same enrollment.
Do SQL Server customers need to be running the most current Service Pack to benefit from Extended Security Updates?
Yes, customers need to run SQL Server or Windows Server 2008 and 2008 R2 with the latest Service Pack to apply Extended Security Updates. Microsoft will only produce updates which can be applied on the latest Service Pack.
What are the options for SQL Server customers without Software Assurance?
For customers who do not have Software Assurance, the alternative option to get access to Extended Security Updates is to migrate to Azure. For variable workloads, we recommend that customers migrate to Azure via Pay-As-You-Go, which allows for scaling up or down at any time. For predictable workloads, we recommend that customers migrate to Azure via Server Subscription and Reserved Instances.
Does this offer also apply to SQL Server 2005?
No. For these older versions, we recommend upgrading to the most current versions, but customers could upgrade to SQL Server 2008 or SQL Server 2008 R2 versions to take advantage of this offer.
Can I deploy a brand new SQL Server 2008 or 2008 R2 instance on Azure and still get Extended Security Updates?
Yes, customers can start a new SQL Server 2008 or SQL Server 2008 R2 instance on an Azure Virtual Machine and have access to Extended Security Updates.
Can I get technical support on-premises for SQL Server 2008 or 2008 R2 after the End of Support date, without purchasing Extended Security Updates?
No. If a customer has SQL Server 2008 or SQL Server 2008 R2 and chooses to remain on-premises during a migration without Extended Security Updates, they cannot log a support ticket, even if they have a support plan. If they migrate to Azure, however, they can get support using their Azure Support Plan.
If a SQL Server 2008 and 2008 R2 customer wants to bring their own license (BYOL), are they required to have Software Assurance coverage?
Yes, customers need to have Software Assurance to take advantage of the BYOL program for SQL Server on Azure Virtual Machines as part of the License Mobility program. For customers without Software Assurance, we recommend customers move to Azure SQL Managed Instance for their SQL Server 2008 environments. Customers can also migrate to pay-as-you-go Azure Virtual Machines. Software Assurance customers who license SQL by core also have the option of migrating to Azure using the Azure Hybrid Benefit (AHB).
Azure SQL Managed Instance is a service in Azure providing nearly 100% compatibility with SQL Server on-premises. Managed Instance provides built-in high availability/disaster recovery capabilities plus intelligent performance features and the ability to scale on the fly. Managed Instance also provides a version-less experience that takes away the need for manual security patching and upgrades. See the Azure pricing guidance page for more information on the BYOL program.
What options do customers have to run SQL Server in Azure?
Customers can move legacy SQL Server environments to Azure SQL Managed Instance, a fully managed data platform service (PaaS) that offers a "version-free" option to eliminate concerns with End of Support dates, or to Azure Virtual Machines to have access to Security Updates. The migrated databases will retain their compatibility with the legacy system. For more information, see Compatibility Certification.
Extended Security Updates will be available for SQL Server 2008 and SQL Server 2008 R2 in Azure Virtual Machines after the End of Support date of July 9, 2019, for the next three years. For customers looking to upgrade from SQL Server 2008 and SQL Server 2008 R2, all subsequent versions of SQL Server will be supported. For SQL Server 2012 (11.x) through SQL Server 2016 (13.x), customers are required to be on the latest supported Service Pack. Starting with SQL Server 2017 (14.x), customers are advised to be on the latest Cumulative Update. Note that Service Packs will not be available starting with SQL Server 2017 (14.x), only Cumulative Updates and General Distribution Releases (GDRs).
Azure SQL Managed Instance is an instance-scoped deployment option in SQL Database that provides the broadest SQL Server engine compatibility and native virtual network (VNET) support, so you can migrate SQL Server databases to Managed Instance without changing apps. It combines the rich SQL Server surface area with the operational and financial benefits of an intelligent, fully managed service. Leverage the new Azure Database Migration Service to move SQL Server 2008 and SQL Server 2008 R2 to Azure SQL Managed Instance with few or no application code changes.
Can customers leverage the Azure Hybrid Benefit for SQL Server 2008 and 2008 R2 versions?
Yes, customers with active Software Assurance or equivalent Server Subscriptions can leverage the Azure Hybrid Benefit using existing on-premises license investments for discounted pricing on SQL Server running on Azure SQL Database and Azure Virtual Machines.
Can customers get free Extended Security Updates on Azure Government regions?
Yes, Extended Security Updates will be available on Azure Virtual Machines on Azure Government regions.
Can customers get free Extended Security Updates on Azure Stack?
Yes, customers can migrate SQL Server and Windows Server 2008 and SQL Server 2008 R2 to Azure Stack and receive Extended Security Updates for no additional cost after the End of Support dates.
For customers with a 2008 and 2008 R2 SQL cluster using shared storage, what is the guidance for migrating to Azure?
Azure does not currently support shared storage clustering. For advice on how to configure a highly available SQL Server instance on Azure, refer to the SQL Server High Availability guide.
Can customers leverage Extended Security Updates for SQL Server with a third-party hoster?
Customers cannot leverage Extended Security Updates if they move their SQL Server 2008 environment to a PaaS implementation on other cloud providers. If customers are looking to move to virtual machines (IaaS), they can leverage License Mobility for SQL Server via Software Assurance to make the move, and purchase Extended Security Updates from Microsoft to manually apply patches to the SQL Server 2008 instances running in a VM (IaaS) on an authorized SPLA hoster's server. However, free updates in Azure is the more attractive offer.
What are the best practices for enhancing performance of SQL Server in Azure virtual machines?
For advice on how to optimize performance for SQL Server on Azure virtual machines, see the SQL Server optimization guide.
- SQL Server 2008 / 2008 R2 lifecycle page
- SQL Server 2008 / 2008 R2 end of support page
- Extended Security Updates frequently asked questions (FAQ)
- Microsoft Security Response Center (MSRC)
- Manage Windows updates by using Azure Automation
- SQL Server VM automated patching
- Microsoft Data Migration Guide
- Azure migrate: lift-and-shift options to move your current SQL Server 2008 / 2008 R2 into an Azure VM
- Cloud adoption framework for SQL migration
- ESU-related scripts on GitHub