Azure SQL 12 End of Support and PCI Compliance

Question

Hello, I have performed pentest tests on my Azure Sql servers to achieve my PCI DSS certification, to which my QSA tells me:

According to this, the installed version, the Microsoft SQL Server remote server is obsolete and is no longer maintained by its supplier or developer. The lack of support means that the vendor will not release new security patches for the product. As a result, it may contain security vulnerabilities that will never be fixed.

my deployed Version is : 12.0.2148.0,

Can you point me out to the correct version / end of life data for Azure SQL Database? I was lookin on the Microsoft pages and can only find data about on premises Sql Server verson (2012, 2016, 2019)

I need a deeper insight on this matter and a way to show that we comply with the needed support and required standards

Best Regards

Miguel C.

Answer 1

You cannot rely on @@version (SELECT @@version) to identify which version of SQL Server engine is running your Azure SQL database as it will always show version 12 and it will continue to show version 12 indefinitely. That does not mean that Azure SQL is running as a SQL Server 2014 instance.

The version of the SQL Server database engine run by Azure SQL Database is always ahead of the on-premises version of SQL Server, and includes the latest security fixes. This means that the patch level is always on par with or ahead of the on-premises version of SQL Server, and that the latest features available in SQL Server are available in Azure SQL Database.

Please read my article about this topic.