Tell me more ×
Database Administrators Stack Exchange is a question and answer site for database professionals who wish to improve their database skills and learn from others in the community. It's 100% free, no registration required.
up vote 9 down vote favorite
2

I know stored procedures are more efficient through the execution path (than the inline sql in applications). However, when pressed, I'm not super knowlegeable about why.

I'd like to know the technical reasoning for this (in a way that I can explain it to someone later).

Can anyone help me formulate a good answer?

share|improve this question
1  
possible duplicate of stackoverflow.com/questions/757193/… – Kin Jun 14 at 15:01
1  
refer to codinghorror.com/blog/2005/05/… – Kin Jun 14 at 15:02
7  
Definitely a duplicate of the question on SO, but all the answers there are heavily programmer-centric. I'd like to see a DBA-centric answer here, as there are many aspects of stored procedures that aren't covered very well (or at all) in the top answers in that question. (Also, I couldn't find a duplicate on this site.) – Jon Seigel Jun 14 at 15:09
@JonSeigel my bad .. Aaron pointed out that we cannot mark as duplicate when it is on stackoverflow site. – Kin Jun 14 at 15:13
Hard to explain why when the statement is false, you know. And was false for like the last 18 years. – TomTom Jun 14 at 15:34
show 6 more comments

1 Answer

up vote 17 down vote

I believe this sentiment was true at one point, but not in current versions of SQL Server. The whole problem was that in the old days ad hoc SQL statements could not be properly optimized because SQL Server could only optimize / compile at the batch level. Now we have statement-level optimization, so a properly parameterized query coming from an application can take advantage of the same execution plan as that query embedded in a stored procedure.

I still prefer stored procedures from the DBA side for the following reasons (and several of them can have a huge impact on performance):

  • If I have multiple apps that re-use the same queries, a stored procedure encapsulates that logic, rather than littering the same ad hoc query multiple times in different codebases. Applications that re-use the same queries can also be subject to plan cache bloat, unless they are copied verbatim. Even differences in case and white space can lead to multiple versions of the same plan being stored (wasteful).
  • I can inspect and troubleshoot what a query is doing without having access to the application source code.
  • I can also control (and know in advance) what queries the application can run, what tables it can access and in what context, etc. If the developers are writing queries ad-hoc in their application, they're either going to have to come tug my shirt sleeve every time they need access to a table that I didn't know about or couldn't predict, or if I'm less responsible/enthused and/or security-conscious, I'm just going to promote that user to dbo so they stop bugging me. Typically this is done when the developers outnumber the DBAs or the DBAs are stubborn. That last point is our bad, and we need to be better about providing the queries that you need.
  • On a related note, a set of stored procedures is a very easy way to inventory exactly what queries may be running on my system. As soon as an application is allowed to bypass procedures and submit its own ad-hoc queries, in order to find them, I have to run a trace that covers an entire business cycle, or parse through all of the application code (again, that I might not have access to) to find anything that looks like a query. Being able to see the list of stored procedures (and grep a single source, sys.sql_modules, for references to specific objects) makes everyone's lives much easier.
  • I can go to much greater lengths to prevent SQL injection; even if I take input and execute it with dynamic SQL, I can control a lot of what is allowed to happen. I have no control over what a developer is doing when constructing inline SQL statements.
  • I can optimize the query (or queries) without having access to application source code, the ability to make changes, the knowledge of the application language to do so effectively, the authority (never mind the hassle) to re-compile and re-deploy the app, etc. This is particularly problematic if the app is distributed.
  • I can force certain set options within the stored procedure to avoid individual queries from being subject to some of the Slow in the application, fast in SSMS? problems.
  • I can control things like data types and how parameters are used, unlike certain ORMs - some earlier versions of things like EF would parameterize a query based on the length of a parameter, so if I had a parameter N'Smith' and another N'Johnson' I would get two different versions of the plan. They've fixed this. They've fixed this but what else is still broken?
  • I can do things that ORMs and other "helpful" frameworks and libraries are not yet able to support.

That all said, this question is likely to stir up more religious arguments than technical debate. If we see that happening we'll probably shut it down.

share|improve this answer
1  
@TomTom, I would definitely add that access control management can be simpler with a stored procedure, since you only need to give EXECUTE (modulo issues with cross-database chaining) compared to every possible permission on each table or whatever used in the inline code. This is not security in and of itself, but it is an aspect of that, because difficulty in managing security often leads to breakdowns in security. – Cade Roux Jun 14 at 17:13
1  
And related to access control, the general lower surface area gives a better defined interface to the database, making it easier to inventory what is exposed and what may be required to be changed in any particular proposed system change. – Cade Roux Jun 14 at 17:15
1  
@TomTom No, eliminate unnecessary profanity. If you can't make your point without swearing then your point gets removed, sorry. You'll notice I offered that you resubmit your comment without the unnecessary profanity; I have no interest in suppressing your version of the truth, I just have interest in keeping the discussion civil and mature. – Aaron Bertrand Jun 14 at 18:23
1  
@TimG to be fair, we are on dba.stackexchange.com - and as Jon pointed out in the comments, there are plenty of programming-focused posts on this over at SO, and he said I'd like to see a DBA-centric answer here. – Aaron Bertrand Jun 14 at 18:32
1  
Yeah, I mean if combined between the two questions we can present all the facts, that's enough. Is there a right answer? I don't know. Personally, I think it depends on the situation. This may be a case where the value of the answers outweighs rigidly applying the scope of the site -- it's hard to argue that this information is valuable to the community, and on-topic. IMO. – Jon Seigel 2 days ago
show 14 more comments

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.