Given that NGS Software participated in Microsoft's Security Development Lifecycle  and your paper is already being referenced by Microsoft employees , the following question should be addressed to ensure the comparison is fair: Did NGS Software find any bugs in a version of SQL Server mentioned in the paper (7, 2005, and 2005) during a private security audit which were disclosed to Microsoft and fixed without being mentioned in a Microsoft security bulletin?
No. Additionally, if I was to find a bug in released code today Microsoft would fix it as usual and a public announcement would be made. It is imperative for both Microsoft and NGSSoftware that NGSSoftware is seen to be independent and not "in the pocket" of Microsoft. Since working with Microsoft we have been publicly credited in many Microsoft Bulletins - here's the list for 2006 alone:
http://www.microsoft.com/technet/security/bulletin/ms06-nov.mspx http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx http://www.microsoft.com/technet/security/bulletin/ms06-mar.mspx http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx The bottom line is that Oracle really is just more buggy. Cheers, David