The nature of the projects that we undertake here can make it difficult to apply some key development principles. A particularly large obstacle has proven to be multiple developer projects…or lack thereof. Please don’t lecture me on the evils of this approach as I know the price that we pay for our sins. In fact when I first came on board here some 16 months ago this was the first thing that I changed (where I could) and it has had a more significant impact on the quality of our software than anything else that we have done.

And this fact was underlined by what we have achieved during the past week. In terms of quality and quantity I have not seen such a high level of output for a significant period of time. We challenged and supported each other and we had a bunch of fun too. Thanks guys – you rock!

http://blogs.technet.com/andrew/archive/2008/06/06/sql-server-2008-rc0.aspx

Good to see this started.  I like that it is RC0 (RC-Zero) and not RC1.

It is clear (and stated) that other RDBMS vendors will follow suit as MS has provided a fundamentally pluggable model for vendors to integrate their DBs into Visual Studio with a provider model. Can you smell Oracle, boys and girls? I can. Gert is being vague about who they are working with. MySQL will be cool.

There are several levels of extensibility:

• DB Provider
• This is the actual connectivity to your own RDBMS. This provider is responsible for talking to the VS model layer for the DB project and translating between your DB and the model.
• VS Features
• The ability to alter features in Visual Studio, like:
• Refactorings available for a given provider.
• Syntax highlighting
• language formatting rules for reverse engineering operations
• Static analysis rules for your particular SQL language
• Yes, you get static analysis rules for TSQL. This is the death clock for select * from …
• Static analysis in BD2 SQL may be different than that in MS TSQL
• You can write your own static analysis rules in .Net by inheriting from the provided Rule class or *yeah* implementing an interface (are we hearing a theme out of MS?) I suppose if your company were anal enough, you could actually implement your proprietary naming convention rules as static analysis rules. Gert actually did this is an demo by writing a rule that checked column names to ensure they were in Pascal case. Neato. The funny part is when some of the developers in the room started telling him how his demo code could be refactored. Lol.
• Model Extensibility
• VS actually works against a model of the data store and lets the provider do the translation.
• Using the model paradigm for DB development provides full round trip model to implementation support for any given DB.
• Gert actually showed a little command line app that looked at a Northwind DB in Access and a different Northwind DB in SQL Server and compared them. There would be very different SQL syntaxes if we were simply comparing creation scripts. The DBs showed as the same. More accurately, the models checked as the same. Cool.
• So, I could script the process of taking a DB2 database and migrating it to SQL Server, or visa versa, in this model paradigm.

This session signaled several things to me.

1. MS products really are being designed with extensibility and integration in mind. No really, this time.
2. The Data Dude model of working with databases has genuine merit. The days of SSMS (SQL Server Management Studio) and the Query Analyzer fan base are numbered. Treating DBAs as developers really is a better model.
3. Something different is occurring at MS with the changing of the guard.

That one left us scratching our heads.  Luckily we have top notch security in place, so we were able to log in as him as well (without him knowing, and without knowing his password).

Hint: use forms authentication and write your own membership provider on a mirrored production site that no one outside of IT knows about.

When we log in as him we also get a timeout.  OK, time to fire up SQL Server Query Profiler and see what is going on…which doesn’t take long.  We see the query, a stored procedure really, taking +30 seconds to run.  When we log in as a different user it takes less than one second.  In fact we can log in as any other user and it takes less than one second.

Next step, dissect the query.  We pull the query out of the stored proc (it isn’t that complicated of a query) and run it from Management Studio with John Doe’s info.  ~1 second.

WHAT??!!!

My coworker did some web searching and stumbled on the answer (Google to the rescue, giving us answers even when we really don’t know the question): SQL Parameter Sniffing.

WHAT??!!!

The rundown is that when SQL Server compiles the query and creates the execution plan, if you pass parameters from the stored procedure call directly into the query, SQL Server will use the values passed in to “influence” the query plan.  That can be a bad thing.  Here is the Microsoft definition:

“Parameter sniffing” refers to a process whereby SQL Server’s execution environment “sniffs” the current parameter values during compilation or recompilation, and passes it along to the query optimizer so that they can be used to generate potentially faster query execution plans. The word “current” refers to the parameter values present in the statement call that caused a compilation or a recompilation.

Luckily the fix is easy.  Take your stored procedure that looks like this (generalizing a query here:

   1: CREATE PROCEDURE MyProcedure

   2:     @UserName nvarchar(20)

   3: AS

   4: BEGIN

   5:     -- Insert statements for procedure here

   6:     SELECT DisplayName, FirstName, LastName 

   7:     FROM dbo.User

   8:     WHERE UserName = @UserName

   9: END

And change it to this:

   1: CREATE PROCEDURE MyProcedure

   2:     @UserName nvarchar(20)

   3: AS

   4: BEGIN

   5:     DECLARE @myUserName nvarchar(20)

   6:     SET @myUserName = @UserName

   7:     -- Insert statements for procedure here

   8:     SELECT DisplayName, FirstName, LastName 

   9:     FROM dbo.User

  10:     WHERE UserName = @myUserName

  11: END

Look on lines 5,6, and 10 for changes.

What did I really do?  I once again proved that any programming problem can be solved with another layer of indirection.  Really. 

For some strange reason, when you pass the parameters (@UserName in this case) to a local variable (@myUserName) SQL Server will no longer use the value of the parameter (@UserName) to influence the query plan.

If you don’t believe me (and really, you shouldn’t ever believe the word of just one person), do a Google search on SQL Parameter Sniffing. 

We tried it, tested it, did a performance check on it, it worked.  But this now goes onto the top of my “Strange fixes for SQL Server” stack.

Other references:

• Parameter Sniffing & Stored Procedures Execution Plan, SQL Garbage Collector
• How to Disable Parameter Sniffing in SQL Server 2005, Glenn Berry
• Tips, Tricks, and Advice from the SQL Server Query Optimization Team

A typical example is the 1 month turnaround cycle for a new stored proc resulting in the inclusion by a developer of a "secret" stored proc that will execute whatever SQL sent to it as a string. I bring this up only because I know it is a less talked about, but very real.

The exact opposite of SQL Injection is (named by me) SQL Ejaculation. SQL Ejaculation is the practice of DBAs trying to insert their idea of view logic into an application via stored procedures.

Here is a classic example of SQL Ejaculation.

CREATE PROCEDURE sp_getCustomers
AS
SELECT "<tr><td>" + FirstName + "</td><td>" + LastName + "</td></tr>"
FROM Customer

And before you even ask, yes, people really do this. In fact, when I learned how to do it 15 years ago or so, I thought it was kind of cool. We all grow wiser, right?

How many of us work in a time-boxed release schedule with no apparent logical reason given for shipping on a particular date? The fact that Microsoft is choosing to take the hit in revenue and reputation to deliver something better, but later, should give us all heart. In an industry where quality is often forsaken for time-to-market, I will take quality any day.

One of my favorite quotes on the subject (who said it, I don’t know) is, "Customers will forget that you delivered late. They will always remember that you delivered crap."