I know next to nothing about SQL Server, but as an Oracle guy, I have to speak up in support of stored procedures.

One big one is that you need DBA privileges to manage them.

If that is really the case, it is an SQL Server oddity. Oracle lets everyone create and manage his own stored procedures.

Another is that updating them and backing them up is typically more complex than the basic source control steps used for perl code.

When you back up your database, that backup includes stored procedures. You can update them very easily using the DB SQL client. Of course, you want to put them into source control. You can use the same source control system you use for your Perl code.

The biggest one for me is that things which are not pure SQL -- i.e. procedural stuff in the programming language supported by the database -- is usually done in some crippled language without modern constructs or solid debugging tools like Perl's.

Well, those languages are domain languages, and are mainly intended to query the database, which they can do much more elegantly than more general languages (including Perl). Also, some DBMS have plugins that let you write stored procedures in Perl (not sure if that is a good idea, though).

There is a performance advantage to them when they involve examining a large number of rows that are not actually needed in the end result, but this is not that common a situation.

There are also the performance advantages of not having to parse and prepare the SQL every time (that will be done only once, and not just once per connection, which is the best you can do from the outside), of using native database datatypes, and of reduced network traffic.

And then we have: easier transaction management in Perl (just keep AutoCommit on, one transaction can always be a single statement), shorter, simpler code (Perl just needs to call stored procedures, which is simple with our excellent DBI, the stored procedures themselves are usually more concise than their Perl counterparts), accessibilty of the code from other programming environments, the ability to fix code and to see dependencies in one place (rather than everywhere on your server farm) and data validation right in the database.

Forgive the rant, but I am a hopeless PL/SQL fan boy, and try to keep my programs completely free of any SQL (for the same reasons that I keep them free of HTML). It is all about separation of concerns and using the right tool for the job.

I know next to nothing about SQL Server

I've never used SQL Server. My comments refer to Oracle.

Oracle lets everyone create and manage his own stored procedures.

Only if you have DBAs who are happy to grant that privilege. None of the ones I've worked with were.

When you back up your database, that backup includes stored procedures. You can update them very easily using the DB SQL client. Of course, you want to put them into source control. You can use the same source control system you use for your Perl code.

No special procedure is required to make perl code live in a typical environment. For stored procs, you have to connect to the database and install the new version. It's not horrible, but it is more work than file-based stuff. And it adds to versioning problems between code and database. A good automated code deploy tool could probably fix this issue, but most places don't have one.

There are also the performance advantages of not having to parse and prepare the SQL every time (that will be done only once, and not just once per connection, which is the best you can do from the outside), of using native database datatypes, and of reduced network traffic.

With Oracle, when you use placeholders correctly, statements are parsed and then kept in the cache. Sending the request again doesn't require it be parsed again. The network stuff is a savings if you need to examine lots of rows but won't actually be needing them in your final results, as I mentioned. Otherwise, it's negligible.

accessibilty of the code from other programming environments

That's the big argument in favor of stored procs, and the only one that I actually buy. I don't think PL/SQL is an adequate language for this kind of development though.

Forgive the rant

Ditto! We disagree about most of this, but some of that is surely due to different database policies at our places of work.

try to keep my programs completely free of any SQL (for the same reasons that I keep them free of HTML)

There are some nice modules for keeping your SQL statements in a separate file. That's a nice way to do it for people like me who want to avoid stored procs.

As a former DBA, not wanting to use stored procedures sounds to me as someone coming perlmonks asking how to do "X", without using modules. And the reason "my DBA doesn't give me permission" is similar as "I don't want to use Perl modules because the sysadmin doesn't let me install any".

I'm a great fan of stored procedures, and IMO, no application should ever touch a table directly. Not even with a select. Stored procedures should act as an extra abstraction level. Besides from the reasons given by other people, it gives database people the opportunity to re-organize the data layout (add/delete columns, split tables) without having to modify an unknown number of programs - all that's needed is to change the relevant stored procedures. Granted, probably less important for a database that's the backend for a short-lived website, but very important for databases that will last for decades, with a myriad of applications running against it. If there's any intention your database is going to last for a while, in an environment that might change don't use any SQL code in your applications (except for calling stored procedures). Ever.

If your DBA doesn't give you permission, you have a problem. But not a problem different than your sysadmin not giving you permission to write files either. Would you accept the latter, and search for a way to get programs on the system (perhaps by typing them in on the command line each time you want to run them)? Or would you make it so that you get access? Assuming your application is important for someone, go and get the access you need! Talk to your manager.

Sure, you might need to have DBA (or DBO == database owner) privileges to manage stored procedures, but that's actually a good thing - there should be some control on what SQL is run against a server, but source control is simply done the same way as with any other language - store source files in CVS (or perforce, or...), and load the source files to production systems in a controled manner (just as you'd move perl code into production in a controled manner).

In terms of performance, my tests on Sybase show that stored procedures called as RPCs give the best performance because you don't have no SQL parsing overhead, and you usually don't have the query plan generation overhead either.

I agree that doing procedural processing in SQL is bad, but if you can perform your requests as set operations then you're ahead.

In addition, for Sybase at least it is important to keep transactions short, and wrapping them in a stored procedure is one way of achieving that.

Michael

Good point, Sybase has different behavior with regard to performance of SQL parsing. Oracle doesn't get an advantage from stored procs because it caches the parsed statements already, but most people seem to use stored procs excusively with Sybase.