What we can Learn from Two Linux vs. Microsoft Studies

Two white papers that compared two platforms, Microsoft and Linux, have been generating a bit of buzz lately. The papers are the result of tests conducted by Security Innovation, a provider of application software services, and are dated June and November of 2005. The first one is titled “Role Comparison Security Report – Database Server Role.” It compares the relative security of three different platforms used for the database server role:

• Microsoft Windows Server 2003 running Microsoft SQL Server 2000 Service Pack 3 database server.
  
• Red Hat Enterprise Linux 3.0 running MySQL database server.
  
• Red Hat Enterprise Linux 3.0 running Oracle 10g database server.

Databases are vital to practically every business these days, and with so much more of a business’ information available online, security is an increasingly important consideration. Many companies must weigh the cost of a particular solution, but this kind of study can tell them whether they are making a decision that will be a false economy down the road.

The second paper is titled “Reliability – Analyzing Solution Uptime as Business Needs Change.” Its goal was to examine reliability and manageability differences between Linux- and Windows-based solutions. Security Innovation created an e-commerce scenario in which experienced administrators started from either Windows Server 2000 or Novell SuSe Enterprise Linux 8, then had to upgrade to Windows Server 2003 or Novell SuSe Enterprise Linux 9, respectively.

Any administrator will tell you that upgrades can stress the system (to say nothing of administrators!). This is one of a number of reasons that upgrading gets put off. Eventually, it must be done, though, and everyone hopes for the seamless, relatively invisible upgrade where everything just works and the system is down for as short a period of time as possible. Again, there is no question that this is the kind of study that many business owners should find useful to their decision making process.

There are, however, certain questions about the two studies. They were conducted by an “independent” company – the aforementioned Security Innovation. But both studies were paid for by Microsoft. Also, if you check out SI’s partner’s list on their website, it mentions Microsoft – but no open source related companies. You could stretch a point by saying that IBM and HP are on the list, but Novell and Red Hat are conspicuously absent. Not to put too fine a point on it, that would lead me to wonder just how “independent” this study really was. It certainly calls for a closer look.