UK SQL Server MVP Jasper Smith pointed out a really useful resource if you work with or are concerned about both Oracle and SQL Server. The white paper, by David Litchfield of NGS Software, compares the numbers of security flaws identified by external security researchers and subsequently fixed by Oracle and Microsoft in regard to their database products.
Here are some interesting quotes:
Q: Do the SQL Server 2005 results have no flaws because no-one is looking at it?
A: No - I know of a number of good researchers who are looking at it - SQL Server code is just more secure than Oracle code.
Q: Why have there been so few bugs found in SQL Server since 2002?
A: Three words: Security Development Lifecycle - SDL. SDL is far and above the most important factor. A key benefit of employing SDL means that knowledge learnt after finding and fixing screw ups is not lost; instead it is ploughed back into the cycle. This means rather than remaking the same mistakes elsewhere you can guarantee that new code, whilst not necessarily completely secure, is at least more secure than the old code.