Can we secure SQL Server 2014 systems instead of paying the “security patch tax” next year?
Yes, it is possible. However, the complexity and licensing ramifications are impacted by whether it is a physical (standalone) server or it if will be run /moved to run in a virtual environment.
When SQL Server 2014 reaches end of life (EOL) on July 9, 2024, organizations must buy Extended Security Update (ESU) subscriptions to gain access to new security patches released after the EOL date. We call this the “security patch tax.” In the past, organizations have avoided ESU and associated costs by isolating and insulating systems with security measures instead of making purchases.
The three most common on-premises scenarios are:
A physical (standalone) system, using licenses with or without Software Assurance (SA), is the most straight forward with no licensing or subscription purchases required. All organizations have to do is just secure it.
An existing virtual machine (VM), using licenses without SA and “pinned” (e.g. using affinity rules) to remain on a specific host, is the same as a physical system but more complex given other VMs are being run on the same hardware.
An existing VM, using SQL Server licenses with SA, may freely roam from host-to-host in a virtual cluster, even though more security measures will need to be considered given there will be more VMs being run across all host hardware.
The most complex situation stems from changing from one scenario to another – like moving a physical system to a virtual environment – especially when multiple SQL Server instances running on a physical system are separated into individual VMs. Not only is the SA consideration required for host-to-host movement, but any new SQL Server licenses will require SA to run as a VM due to a new licensing rule. Using SQL Server 2022 licenses for a VM requires SA whether it moves or not as noted by Microsoft, “Licensing by Individual Virtual OSE [is] available for subscription licenses or licenses with active Software Assurance only.”