Microsoft Introduced AI Integrations for SQL Server.
You know how you put “https://” at the beginning of web site addresses, and your browser can magically talk to all kinds of web servers, all over the world?
Well, the Model Context Protocol (MCP) is a standard for AI stuff to talk to other things. It’s like http for AI.
It’s less than a year old, but there are already tons of MCP APIs for stuff like sending emails, manipulating data in Excel, placing Facebook ads, scraping web sites, managing Kubernetes clusters, you name it. It’s very rapidly becoming the way for developers to interact with services. And whaddya know, Microsoft introduced an MSSQL MCP Server preview!
- Introducing MSSQL MCP Server
- An example storyline showing how it works
- The code on Github (click on the language of your choice to see the documentation for it)
- Oliver Flindall’s improvements for DBAs and his Github repo for the code (he added health checks with sp_Blitz, sp_PressureDetector, wait stats analysis, Agent job health, and much more)
- MCP service to analyze T-SQL for design, naming, and performance issues – hat tip to Erik Ejlskov Jenson for this
When a developer builds MCP into a tool, it lets users (and DBAs) chat with AI and:
- Create, list, and drop tables
- Query, insert, and update data
- Create indexes
So you could literally chat with ChatGPT or Claude and say things like:
- “Create a reporting table to summarize sales by year, product, and salesperson”
- “Give me salaries for everyone in the company, ordered by salary descending”
- “Update all salaries to give them a 10% raise”
- “Drop all tables with names similar to audit or tracking”
Now, I know you, dear reader. You manage databases, so you’ve got a master’s degree in paranoia. When you read the above words, your knee jerk reaction was to say, “Hell no, not in my house!” and run to the network admins asking them to block the above URLs.
I had the complete opposite reaction: I was excited, especially when I saw how Oliver’s using it. Seriously, you should go read his post.
To me, the MCP Server is no different than any other application that talks to SQL Server. It’s gonna need a login to talk to SQL Server, and it’s up to us to define the security for that login. If we do something dumb like give it the ability to create tables, drop them, create indexes, and change data, well then, we deserve what we get – just like we deserve what we get if we give ANY application the ability to do that stuff.
You should be familiar with these database roles:
- db_datareader – can read from all user tables and views
- db_datawriter – can insert, update, delete in any user table
- db_denydatawriter – can’t insert, update, or delete anywhere in the database
- db_denydatareader – can’t read anywhere in the database
In a perfect world, you’d give each login fine-grained permissions so that they can only access the specific objects agreed upon in advance. For example, you might only grant read access to particular tables, or even only grant access to read via specific views or stored procedures.
But at absolute bare minimum, I’d expect you to leverage the four above roles, and not grant the ability to be a database owner, or create/drop objects on the fly in most databases. A production application shouldn’t own databases, and should only need to select/insert/update/delete from tables. If an application really needs to create and drop tables, that activity should be confined to a separate playground database.
So before you have a knee-jerk reaction to ban MCP services in your environment, take a deep breath, and do a security review of your existing application logins. Odds are, the existing logins already have too much permissions. I’m not asking you to lock those down – I’m just asking you to learn more about database-level roles so that when the executives tell you that you will be setting up a login for MCP, at least you’ll be better equipped to give it the right permissions.
19 Comments. Leave new
“You manage databases, so you’ve got a master’s degree in paranoia.”
I did not expect to be called out like that :))
Excellent point, Brent. And that applies to anything regarding AI and any sort of app/system access. It’s another system or app asking for access to something that, hopefully, is properly controlled. So long as MSFT doesn’t do something incredibly stupid like bake in direct access to SQL with “God” powers then DBA’s and SysAdmins as gatekeepers should be able to control things. And my paranoia is just fine, thank you …
Reminds me of the old IT joke about the first voice activated DOS command processor. The inventor, being really excited about his new application took his development box to a demonstration where he announced it to a doubting crowd. When asked for questions, the first one was “Format C: ?” to which the inventor replied “Yes”. The demonstration and his work were finished…
Hopefully, I’m not the only one to appreciate the irony of an article touting the effectiveness of AI and the AI generated meme at the beginning of the article where the AI misspelled the word “Pathetic”. 😉
Why do I now have images of getting digitized and forced to compete in games for the amusement of the MCP? Hopefully no one has created a program named Sark yet…
Gosh I would really like to have access to the tools Oliver demonstrated, but after how badly developed and supported nearly every MS product has been the last 5-6 years I doubt this will be available in a stable/usable form for at least 3 years.
Hey, but at least we have javascript and react in Windows codebase now!
Easy on the snark there buddy – everything’s open source, linked to in the above text.
I’m not a true DBA, but my spidersense is tingling here.
While AI can be very powerful, uncle Ben said “With great power comes great responsibility”
I can’t se a non db savvy person having the conversation outlined in the blog(“Agents at Work”), too much implied knowledge for that being a real scenario or maybe I’m just old and conservative.
There is also an MCP Server to help you avoid bad practices and anti patterns: https://devblogs.microsoft.com/azure-sql/sql-analysis-dotnet-tool/#vs-code-mcp-server-(preview)
That is amazing! I’m going to add that to the body of the post. Thanks sir!
Awesome ?
We need one that will adopt the your DEATH approach to indexing.
This is just text-to-SQL with GenAI. Nothing new.
The way you *access* it has changed – MCP democratizes the interface. Not everybody reads TDS streams, chief.
Any idea why it doesn’t support ChatGPT yet?
Not sure what you mean – you can call ChatGPT models hosted at Azure with it?
What makes that AI?
I don’t think I understand the question – can you phrase it a little more completely? I’m not sure what “that” is referring to here.