Category Archives: Stored Procedures

Using Table Value Functions to Replace ‘Get’ Stored Procedures?

I learnt so many useful techniques, tricks and pointers at this SQLBits conference in York: tally tables, common table expressions (CTEs), cross applies, query tuning techniques, parallelism, data visualisation, to name but a few. However, the most useful technique I learnt was divulged in the first couple of hours during the training session given by Rob Farley.

In amongst the banter, jokes and excursions, a la Geordie comedian Ross Noble, was a complete gem which will make a huge difference to our existing and future projects.

Put simply, never use stored procedures for simple retrieves, but replace these with Inline Table-Value Functions (TVF).

Given our love of stored procedures, this is a difficult pill to swallow at first, but the benefit can be seen through the following example…

Suppose we have written a stored procedure that returns a dataset to the business layer of the application. In our case, we will have delivered the dataset via a WCF service.

Our stored procedure might be something like:
CREATE PROCEDURE dbo.usp_MyTable_Get (@FilterParms…)
SELECT T.Column1, T.Column2, T.Column3, LT.Column2, …
FROM dbo.MyTable AS T
INNER JOIN dbo.MyLookupTable AS LT ON LT.IDCol = T.Column4
WHERE T.ColumnN = @FilterParm1


Now suppose that the application development team ask for an additional column to be included in the returned dataset. This may be because the dataset returns a foreign key identifier and the developers need to see the lookup description in the returned dataset. To return the lookup value we need to include an additional join on the lookup table.

Before going ahead, we’d confirm that the developer hasn’t or can’t get the lookup description from content held in memory; we’d explain that we’ll need to create a new stored procedure just for this situation, or, we’ll need to include it in the existing one which will (unnecessarily) adversely impact performance for instances where the service is used but the additional column is not required.

We have seen this situation many times and it is frustrating that an optimum one-size-fits-all solution hasn’t presented itself – until now…

The solution is to replace the stored procedure with an inline TVF which includes every possible join for foreign key lookups and every possible output column, and then build up SQL SELECTs on this TVF with the required columns relevant to each individual situation, letting the Query Optimizer exclude joined tables where necessary.
So, the above stored procedure is replaced with:

WCF Service
public List GetMyTable(dtoRequiredColumns, dtoParameters, dtoFilter)
List dtoOut = new List()
string strSQL = ""

foreach (col in dtoRequiredColumns)
if (col.IsRequired) strSQL += ", " + col.Name

strSQL = "SELECT" + strSQL.Substring(2) + " FROM dbo.tvfMyTableGet"

// add any WHERE and ORDER BY clause

SqlDataAdapter SqlDataAdapter = new SqlDataAdapter(strSQL, SQLConnection)
DataTable dtResult = new DataTable()

foreach (DataRow drRow in dtResult.Rows)
// add row to dtoOut


return dtoOut

and the TVF definition is something like the following:

SELECT T.every column…,

FROM dbo.MyTable AS T
INNER JOIN dbo.MyLookupTable1 AS LT1
ON LT1.IDColumn = T.ForeignKeyID1
INNER JOIN dbo.MyLookupTable2 AS LT2
ON LT1.IDColumn = T.ForeignKeyID2
INNER JOIN dbo.MyLookupTable3 AS LT3
ON LT1.IDColumn = T.ForeignKeyID3

So the function includes every column in MyTable, and is joined to every table that provides a lookup for foreign keys.

And here’s the clever thing, at run-time the optimizer looks at which columns are included in the SELECTed column list and excludes those JOINs on tables that are not required for that particular query. In addition, query plans are cached (however, note that different length string parameters will generate additional cached plans).

The objections might go something like – underlying data is made more secure by placing these behind a stored procedure ‘firewall’. Of course, just as with stored procedures, we can grant execute permission to the function and not the underlying tables or views. And, this looks like dynamic SQL, which is bad! But, we are not allowing any injection to take place here – the listed columns are defined within the dtoRequiredColumns object and full control of the ‘dynamic SQL’ is maintained.

Here at last is the one-size-fits-all solution, so thanks go to Rob Farley for this.

Read more from Rob Farley’s Blog here .


T-SQL Stored Procedures – who needs them?

The answer to this question may seem obvious – for a secure, well-performing application, of course we all need them!

But what about all those great legacy applications that are littered with embedded SQL? What if we are asked to bring these into the brave new world of rich interfaces and mobile apps (plus those still glued to your traditional PC)? I have seen plenty of applications with MSAccess and MySQL back-ends. When scaling these up, do we really have to create a plethora of stored procedures when all that embedded SQL blinks winningly up at us to be used as-is? This question can be equally posed for a new application, where developers with SQL experience but lacking the know-how to use stored procedures, gamely rush into creating the SQL while coding. And what about dynamic SQL? How do we deal with that?

OK, so let’s rewind… we know that stored procedures bring enormous benefits:

  1. Increased performance – the SQL is pre-compiled, unlike embedded or dynamic SQL
  2. More secure – execute access given to the stored procedures only – direct access to tables and views are denied.
  3. Better separation – the database access is contained within one layer, rather than scattered throughout the application UI code.
  4. Easier maintenance – wholesale change is easier to apply to a number of stored procedures rather than searching through reams of application code.
  5. Easier performance tuning – with the separation described above, it is easier to examine the performance of a stored procedure in isolation from UI code and fine-tune it as necessary.
  6. Easier testing – stored procedures expose an additional area of testing thereby catching bugs in a more timely manner.

And the drawbacks?

The main drawback is the increased development time and the increased skill required to build the queries (but is this a bad thing for your important application?).

As for dynamic SQL – there certainly are situations where we may want this, e.g. building a complex filter from the UI, which don’t fit the pattern of simple parameters for stored procedures.  But we can still ensure the database access is encapsulated within the stored procedure by parsing strings or using data (e.g. in table variables) and I would argue this is best practice.

So it looks like we should always aim to build our data access layer using stored procedures. But what about those drawbacks?

OK, it’s time to get real – stored procedures are not complicated – In fact they are just the same as your embedded SQL but embedded in a server-side procedure instead. That means there’s more code to write. In fact quite a lot more code as we can add auditing, error handling and security checking, amongst other very useful things. And we need a version for each CRUD action.

But, after having written many stored procedures it becomes apparent that there is an enormous amount of repetition. In fact stored procedures settle into a very definite and predictable pattern which is pretty irritating if you have to code them individually from scratch, so much so that you’d think you were missing a trick. And you would be, because let’s face it, you can generate the procedures directly from the underlying data model (i.e. the table definitions and the relationships).

In fact there is often code to generate dynamic SQL from the underlying schema within applications. The leap is to change this dynamic code such that it generates the stored procedures as part of the overall development process.

Future reading:

The stored procedure CRUD pattern laid bare (Coming Soon!)

Other (more) entertaining musings on generating stored procedures