Introduction
I assume that you have clicked on this article / blog because you are an awesome fan of stored procedures (like me) and you cannot stand these kinds of loose statements. My sincere suggestion would be to read this article once, give the experiments some thought, and then the comments section is always there to throw bricks at me.
Stored Procedures are precompiled so they are faster
Ask anyone why they prefer stored procedures over inline queries and most will reply with a standard statement:
“Stored procedures are precompiled and cached so the performance is much better.”
Let me just explain the above sentence more diagrammatically. When we fire SQL for the first time, three things happen:
- The SQL syntax is checked for any errors.
- The best plan is selected to execute the SQL (choice to use clustered index, non-clustered etc.).
- Finally the SQL is executed.
The above statement states that when you run a stored procedure for the first time it will go through all the above steps and the plan will be cached in-memory. So the next time when the stored procedure is executed it just takes the plan from the cache and executes the same. This increases performance as the first two steps are completely eliminated.
The above statement also says / implies that for inline queries all the above steps are repeated again and again which brings down the performance considerably.
The above explanation was pretty valid and true for older versions of SQL Server, but from 2005 onwards all SQL statements are compiled and cached, irrespective of whether they come from inline code, a stored procedure, or anywhere else.
OK, now walk your talk
In order to prove the above point I did a couple of experiments. I wrote a simple .NET application which makes calls to SQL Server using both methodologies, i.e., simple inline SQL and a stored procedure.
Below is a simple experiment to prove the same.
We have created two scenarios: one which will run a simple inline SQL as shown below. This SQL goes and queries a simple “Users” table to check if a user exists in the database or not.
SqlCommand objCommand = new SqlCommand("Select * from Users where UserName='"
+ UserName + "' and Password='"
+ Password + "'", objConnection);
In the second scenario the same inline SQL is wrapped in a stored procedure called “sp_login”.
SqlCommand objCommand = new SqlCommand("sp_Login", objConnection);
objCommand.Parameters.Add(new SqlParameter("UserName", UserName));
objCommand.Parameters.Add(new SqlParameter("Password", Password));
objCommand.CommandType = CommandType.StoredProcedure;
Both these SQLs are fired from the application with a profiler running in the background. We captured two events when we ran the profiler: CacheHit and CacheInsert. The CacheInsert event is fired when the plan is inserted in the cache, while CacheHit is fired when the plan is used from the cache.
When we ran the experiment with the stored procedure we saw the below results. You can see in the trace below: “CacheInsert” first creates the plan and inserts it into the cache. Once the plan is cached the CacheHit event occurs, which means it has taken the plan from the cache rather than recreating it from scratch.
When we ran the experiment with inline SQL we saw similar kinds of results. You can see how the CacheHit event is hit after the CacheInsert event is fired.
Cheater, change the data?
If you look at the previous experiment, the data is absolutely the same. The moment I change the data as shown in the figure below, you can see it’s no longer using the cache but rather creating new cache entries.
Let me go ahead and tweak the ADO.NET code to support parameters as shown below.
SqlCommand objCommand = new SqlCommand(
"Select * from Users where UserName=@userName and Password=@Password", objConnection);
objCommand.Parameters.AddWithValue("@userName", UserName);
objCommand.Parameters.AddWithValue("@Password", Password);
When I capture the cache events in the profiler it is using the cache. You can see in the below figure how first the cache insert event occurs and after that it always hits the cache for the plan rather than recreating it.
Dynamic SQL and Dynamic SQL
One of the most confusing terminologies people use is Dynamic SQL. Let’s refine this word further. There are two types of dynamic SQL: one is dynamic SQL and the other is parameterized dynamic SQL.
Dynamic SQL is of the form as shown below (it can be more dynamic where column names are also built on the fly).
SqlCommand objCommand = new SqlCommand("Select * from Users where UserName='"
+ UserName + "' and Password='"
+ Password + "'", objConnection);
The above dynamic SQL will probably not use the plan from the cache unless auto-parameterization helps (http://msdn.microsoft.com/en-us/library/aa175264(v=sql.80).aspx).
If you use parameterized dynamic SQL like below, it will use the SQL plan from the cache as done by stored procedures.
SqlCommand objCommand = new SqlCommand("Select * from Users where UserName=@userName and Password=@Password", objConnection);
objCommand.Parameters.AddWithValue("@userName", UserName);
objCommand.Parameters.AddWithValue("@Password", Password);
In simple words, the performance of inline parameterized SQL is the same as that of stored procedures.
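The same comparison can be made without the profiler by reading the plan cache directly. The batch below is an added example, not code from the original article: it assumes a test database that contains the article's Users table, SQL Server 2008 or later, and VIEW SERVER STATE permission; the sample values are constructed.

```sql
-- Added example: run as ONE batch in a test database holding the Users table.

-- 1. Concatenated text: every distinct pair of values is a different statement.
EXEC (N'Select * from Users where UserName=''alice'' and Password=''pw1''');
EXEC (N'Select * from Users where UserName=''bob'' and Password=''pw2''');

-- 2. Parameterized text: ADO.NET sends a SqlCommand that has parameters
--    as an sp_executesql call of this shape.
DECLARE @sql  nvarchar(200) =
    N'Select * from Users where UserName=@userName and Password=@Password';
DECLARE @defs nvarchar(200) =
    N'@userName nvarchar(50), @Password nvarchar(50)';
EXEC sp_executesql @sql, @defs, @userName = N'alice', @Password = N'pw1';
EXEC sp_executesql @sql, @defs, @userName = N'bob',   @Password = N'pw2';

-- 3. Read the cache entries for both forms.
--    objtype separates 'Adhoc' from 'Prepared' entries; usecounts rises
--    each time an existing entry is reused instead of a new one being inserted.
SELECT cp.objtype,
       cp.cacheobjtype,
       cp.usecounts,
       st.text
FROM sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
WHERE st.text LIKE N'%from Users where UserName=%'
  AND st.text NOT LIKE N'%dm_exec_cached_plans%'   -- hide this batch itself
ORDER BY cp.objtype, cp.usecounts DESC;
```

Compare the number of rows per objtype and their usecounts after repeating the batch with new values. The parameterized form also keeps the supplied values out of the statement text, so they are bound as data rather than parsed as SQL.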
Hmm, what about network traffic?
If you have read so far you must be embarrassed, the way I was when I lost this argument. To counter, many developers would also argue that network traffic is lower when using stored procedures than with inline SQL.
In simple words if we use stored procedures we just send:
Sp_login
If we use inline SQL we send the complete SQL which will increase traffic.
'Select * from Users where UserName=@UserName and Password=@Password'
This may be a valid point if we have many Windows apps pounding on one SQL Server. That can lead to a lot of network traffic if there are a lot of transactions.
In the case of web applications, where the SQL Server and the ASP.NET code (in the same data center) are very close to each other, I do not really buy this point.
As said this is just my personal opinion.
I will still use stored procedures
At the end of the day I will still prefer stored procedures. The reason for choosing stored procedures will not be performance; it will be more about security and maintenance. Below are some of the points where stored procedures are definitely a plus over inline SQL.
Abstraction
By putting all your SQL code into a stored procedure, your application is completely abstracted from the field names, table names, etc. So when you make changes in the SQL, there is less impact on your C# code.
Security
This is the best part, where stored procedures again score: you can assign execution rights to users and roles.
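What assigning execution rights looks like in practice is sketched below as an added example, not code from the original article. Users and sp_Login follow the article; the column types, the sample row, the role AppLoginRole and the user WebAppUser are constructed for illustration, and the script is meant for an empty scratch database on SQL Server 2012 or later.

```sql
-- Added example; GO is the batch separator used by SSMS and sqlcmd.
CREATE TABLE dbo.Users (
    UserName   nvarchar(50) PRIMARY KEY,
    [Password] nvarchar(50) NOT NULL
);
INSERT INTO dbo.Users VALUES (N'alice', N'constructed-sample');
GO
CREATE PROCEDURE dbo.sp_Login
    @UserName nvarchar(50),
    @Password nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT UserName
    FROM dbo.Users
    WHERE UserName = @UserName AND [Password] = @Password;
END;
GO
-- The application account may execute the procedure and nothing else:
-- no direct read or write access to the table behind it.
CREATE ROLE AppLoginRole;
CREATE USER WebAppUser WITHOUT LOGIN;            -- stand-in for the app account
ALTER ROLE AppLoginRole ADD MEMBER WebAppUser;
GRANT EXECUTE ON OBJECT::dbo.sp_Login TO AppLoginRole;
DENY SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Users TO AppLoginRole;
GO
-- Inspect the effective permissions as the application account.
EXECUTE AS USER = 'WebAppUser';
SELECT HAS_PERMS_BY_NAME(N'dbo.sp_Login', N'OBJECT', N'EXECUTE') AS can_exec_proc,
       HAS_PERMS_BY_NAME(N'dbo.Users',    N'OBJECT', N'SELECT')  AS can_select_table;
-- Ownership chaining: procedure and table share an owner, so the caller's
-- table permissions are not checked for this call.
EXEC dbo.sp_Login @UserName = N'alice', @Password = N'constructed-sample';
REVERT;
```

Ownership chaining does not extend to dynamic SQL built and executed inside a procedure; that text runs under the caller's own permissions, so the table-level DENY applies to it.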
Maintenance ease
Now because we have centralized our stored procedures any issue like fixing defects and other changes can be easily done in a stored procedure and it will be reflected across the installed clients. At least we do not need to compile and deploy DLLs and EXEs.
Centralized tuning
If we know we have a slow running stored procedure, we can isolate it and the DBA guys can performance tune it separately.
Cursors, temp table complications
Simple TSQLs are OK. But what if you have a bunch of statements with IF, ELSE, Cursors, etc? For those kinds of scenarios, again stored procedures are very handy.