ansaurus

Question

Stored procedure SQL SELECT statement issue

Answer 1

+1 A:

The traditional method is safer, because the query is parsed when you save it. The query in the 'exec' method is not parsed and can contain errors.

Prutswonder 2010-07-15 10:41:29

Thank you! 1. Error you mean what, can you show me a sample? 2. Do you have any more document to make a reference, I want to learn more about your points like this -- "The traditional method is safer, because the query is parsed when you save it.".

George2 2010-07-15 10:43:13

3. "parsed when you save it" -- parse you mean when save store procedure? So, parsed before actually run the sql statement?

George2 2010-07-15 10:43:57

No, it is checked for validity by SQL Server. Just like the 'check query' button in your editor. And I didn't get it from a book, but from experience.

Prutswonder 2010-07-15 10:54:26

When sql is executed, the sql query engine must create a query plan,which is the order in which tables will be accessed and what indexes to use. When you save a stored procedure, the sql is verified for syntax, parsed, and a query plan is generated and cached. Performance is generally better because with dynamic sql, the query plan cannot be cached. I only use dynamic sql in limited cases such as having many optional search criteria or if i have to do cross database calls dynamically (I know its horrible...don't ask!)

Jeremy 2010-07-15 11:01:42

Hi Jeremy, do you have any document which proves traditional method is of better performance because of query plan caching? I want to learn in more details. :-)

George2 2010-07-15 11:09:46

@Jeremy, "When you save a stored procedure, the sql is verified for syntax, parsed, and a query plan is generated and cached" - I don;t agree with you on this... its compiled on first run not when it saved

Sandy 2010-07-15 11:10:19

@Sandy...you're right. http://msdn.microsoft.com/en-us/library/aa174792(SQL.80).aspx states it is compiled at execution time. also, this link (http://msdn.microsoft.com/en-us/library/ms188001.aspx) states that using sp_executesql will generate a query plan and reuse the query plan on susequent executions. I would say that the "traditional method" is still preferable due to the fact that you can check the sql syntax at compile time and not run time.

Jeremy 2010-07-15 13:24:58

Answer 2

+2 A:

FYI: it’s not a new method, it is known as Dynamic SQL.

Dynamic SQL are preferred when we need to set or concatenate certain values into sql statements.

Traditional or normal way sql statements are recommended, because stored procedures are complied. Complied on first run "Stored Procedure are Compiled on First Run" , execution plan of statements are being created at the time of compilation.

Dynamic sqls are ignored while creating execution plans, because it is taken as string (VARCHAR or NVARCHAR as declared).

Refer following articles for more details about dynamic query and stored procs
Introduction to Dynamic SQL Part 1
Introduction to Dynamic SQL Part 2
Everything you wanted to know about Stored Procedures

Sandy 2010-07-15 11:08:29

You mean in my scenario, (1) no query plan is created for the selecgt statement? (2) Or query plan is created, but not cached?

George2 2010-07-15 11:10:52

"no query plan is created for the select statement"Read the mentioned article "Intro to Dynamic SQL Part 1".. scroll down and you will see this paragraph "The downside of this method is twofold. Firstly, and most importantly, your stored procedure can not cache the execution plan for this dynamic query. So, for complex queries you will lose a the performance boost that you usually gain with stored procedures."

Sandy 2010-07-15 11:15:32

you have to put some effort to learn new things :p

Sandy 2010-07-15 11:17:41

Thanks, question answered!

George2 2010-07-15 11:21:58

Answer 3

A:

The "new" way, as mentioned, has nothing to do with SQL 2008. EXEC has been available for quite some time. It's also - in most cases - a Very Bad Idea.

You lose parameterization - meaning you are now vulnerable to SQL Injection. It's ugly and error-prone. It's less efficient. And it creates a new execution scope - meaning it can't share variables, temp tables, etc. - from it's calling stored proc.

sp_executesql is another (and preferred) method of executing dynamic SQL. It's what your client apps use, and it supports parameters - which fixes the most glaring problem of EXEC. However, it too has very limited use cases within a stored proc. About the only redeeming use is when you need a dynamic table or column name. T-SQL does not support a variable for that - so you need to use sp_executesql. The number of times you need or should be doing that are very low.

Bottom line - you'd be best off forgetting you ever heard of it.

Mark Brackett 2010-07-15 11:38:33

ansaurus

tags:

views:

answers:

Stored procedure SQL SELECT statement issue

related questions