Why hard to believe? SQL Server team was taken offline for more than 6 months to undertake SP3 for 2000. Then take all that learning and put it into SQL 2005. There were a ton of features that were never added or were removed from SQL 2005 because a great secure solution could not be found; that's a fundamental change in approach.
One of the key new "features" of SQL 2005 was off by default, the reduction of surface area, that makes a huge difference.
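As an added illustration of the "off by default" posture the comment above refers to (this is example code, not something from the thread or from Microsoft), the query below reads SQL Server's server-level configuration catalog and reports whether the optional components that SQL Server 2005 ships disabled are still off. The option names are standard sp_configure settings on SQL Server 2005 and later; the choice of which ones to list is this example's own, and the final re-disable statement is shown for one option as a sample remediation.

```sql
-- Added example: surface-area audit via sys.configurations (SQL Server 2005+).
-- Each listed option is disabled out of the box; a value_in_use of 1 means
-- somebody turned it on after installation and widened the attack surface.
SELECT
    name,
    CAST(value_in_use AS int) AS value_in_use,
    CASE WHEN CAST(value_in_use AS int) = 0 THEN 'OK (off by default)'
         ELSE 'REVIEW: enabled' END AS posture
FROM sys.configurations
WHERE name IN (
    'xp_cmdshell',                 -- OS command execution from T-SQL
    'clr enabled',                 -- user-loaded .NET assemblies
    'Ole Automation Procedures',   -- sp_OACreate and friends
    'Ad Hoc Distributed Queries',  -- OPENROWSET / OPENDATASOURCE
    'Database Mail XPs',           -- outbound mail from the engine
    'remote access'                -- remote stored-procedure execution
)
ORDER BY name;

-- Sample remediation for one option that was found enabled:
-- return it to the shipped default. 'show advanced options' must be on
-- for sp_configure to accept this option name.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Running the SELECT on a fresh SQL Server 2005 instance shows every row at 0, which is the point of the comment: the features still exist, but an administrator has to opt in to each one, so a default install exposes far less than earlier releases did.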
I don't know if they cross referenced it with the reported usage of SQL 2005 and Oracle (and to the exact versions of Oracle that are showing the increase in security flaws).
Only then can this information actually mean something. Otherwise, it's just plain propaganda to attract attention.
Might be hard to believe, but the numbers speak for themselves. It might be there _are_ security flaws in SQL Server 2005. But if there were a large number of them, someone should've found at least some of them.
The report breaks down the vulnerabilities by version.
I'm more than a little skeptical about this. It seems to me that a better, more objective measure would be based upon publicly reported security issues, fixed or not. This one explicitly excludes unfixed issues. How many issues were reported and remain unfixed?
After a couple of the large SQL Server security issues, Oracle's marketing department decided to start to advertise Oracle via the "Unbreakable" campaign. This had the immediate counter-effect of acting as a challenge to security researchers and hackers worldwide, who started to look at Oracle more closely. In addition, with the 9i release Oracle started beefing up their application server, adding a number of additional points of attack, many of which have turned out to have insecure defaults and/or easily exploitable buffer overflows. At the same point MS reduced the attack surface in SQL Server (with SQL 2000 SP3a), a process they fine-tuned with SQL 2005, leading to a massive reduction in their issues (i.e. ironically MS became more Linux-like with their secure-by-default process, whereas Oracle became more traditionally "Microsoft-like" by enabling lots of services that administrators weren't using, but could be exploited by hackers).