I was quite surprised when a number of folks criticized the data used in the report titled "Microsoft SQL Server Runs the Security Table" from ESG - it was just CVE data!

Well, David Litchfield has done some of his own research and created a report comparing SQL Server and Oracle.

David is no slouch; he has found security bugs in both SQL Server and Oracle. But I'll let you draw your own conclusions.