A schema change on SQL Server feels safe right up until one of them takes a schema-modification lock on your busiest table and every query behind it stops. The change itself is often trivial. A new column, a wider data type, one more index. What bites is how SQL Server executes it: how long it holds locks, whether the operation can run online, and whether the migration is something you can review and repeat instead of typing into a production window at 2am.
This guide covers how to manage SQL Server schema migrations once you're on real production data. Two ways to structure changes, the SQL Server behaviors that decide whether a migration is online or blocking, and how to put all of it into a pipeline so the same script runs the same way in every environment.
If you're here for one specific change, start with the table.
| You want to | The safe way on SQL Server | Section |
|---|---|---|
| Add a column | Nullable, or NOT NULL with a constant default on Enterprise (metadata-only) | Online, not blocking |
| Widen a type | varchar(100) to varchar(200) is metadata-only; narrowing scans the table | Expand and contract |
| Rename a column | Never sp_rename in place; use expand-and-contract | Expand and contract |
| Backfill a big table | Batches of ~5,000 rows to stay under lock escalation | Backfill in batches |
| Rebuild a large index | ONLINE = ON, RESUMABLE = ON with WAIT_AT_LOW_PRIORITY (Enterprise/Azure SQL) | Online, not blocking |
State-based versus migration-based
There are two ways to define a schema change, and the choice shapes everything downstream. SQL Server is unusual here. In the Postgres and MySQL worlds nearly everyone uses ordered migration scripts, but SQL Server has a large, well-tooled state-based camp built around SSDT and DACPACs, so this is a live debate on SQL Server in a way it isn't elsewhere.
State-based (also called declarative) means you describe the schema you want and let a tool work out the difference. SQL Server Data Tools (SSDT) is the canonical example: your .sqlproj holds the desired definition, you build a DACPAC, and SqlPackage.exe /Action:Publish compares it to the target and generates the diff at deploy time. Redgate SQL Compare works the same way.
Migration-based (imperative) means you write each change as an ordered T-SQL script. The first migration creates a table, the fifth adds a column, the twelfth backfills it. Flyway, Liquibase, DbUp, EF Core migrations, and Bytebase all follow this model. The database tracks which scripts have run.
Here is the trade-off:
| State-based (SSDT/DACPAC) | Migration-based (ordered scripts) | |
|---|---|---|
| You author | the desired end state | each individual change |
| The exact prod SQL is | generated at deploy time | written and reviewed up front |
| Data migrations (backfills) | awkward, live in pre/post-deploy scripts | first-class, just another migration |
| Risk of surprise drops | real, the diff engine decides | none, you wrote the statement |
| Best at | keeping many environments identical | controlling what runs on production |
Use migration-based for production. The reason is simple: you want to read the exact statement that will touch your live table before it runs, not discover it in a generated plan. State-based deployment is genuinely good at keeping a fleet of databases in sync, but the diff engine can decide that the cleanest path from A to B is to drop and recreate a column, and that is a data-loss event you find out about after the fact. If you do use SSDT, know that SqlPackage blocks on possible data loss by default, and the real risk is the pressure to pass /p:BlockOnPossibleDataLoss=false to push a stuck release through. Review every generated script before it runs. That review is the part that matters, and migration-based gives it to you by default.
A versioned migration workflow
The mechanics are the same as any other database. One script per change, ordered, in version control, applied in sequence and never edited once shipped. What's SQL Server specific is how you write the script.
Make each migration idempotent so a re-run is a no-op instead of an error. SQL Server gives you cheap existence checks through the catalog views and COL_LENGTH:
-- Add a column only if it isn't already there
IF COL_LENGTH('dbo.orders', 'shipped_at') IS NULL
ALTER TABLE dbo.orders ADD shipped_at DATETIME2 NULL;
-- Create an index only if it's missing
IF NOT EXISTS (
SELECT 1 FROM sys.indexes
WHERE name = 'IX_orders_customer' AND object_id = OBJECT_ID('dbo.orders')
)
CREATE INDEX IX_orders_customer ON dbo.orders (customer_id);Now use the one feature that sets SQL Server apart from MySQL here: DDL is transactional. You can wrap several schema changes in a single transaction and roll the whole thing back if any step fails, with no half-applied migration left behind.
BEGIN TRY
BEGIN TRANSACTION;
ALTER TABLE dbo.orders
ADD status TINYINT NOT NULL
CONSTRAINT DF_orders_status DEFAULT 0;
CREATE INDEX IX_orders_status ON dbo.orders (status);
COMMIT;
END TRY
BEGIN CATCH
IF @@TRANCOUNT > 0 ROLLBACK;
THROW;
END CATCH;A caveat worth knowing: a few statements can't take part in a transaction, including some ALTER DATABASE operations and anything involving full-text indexes. For ordinary table and index DDL, the pattern above holds, and it's a real safety net MySQL users don't get.
Keep a paired rollback script for every forward migration. SQL Server's transactional DDL covers you when a migration fails mid-flight, but it does nothing for a migration that succeeded and turned out to be wrong an hour later. The rollback for a schema change is usually obvious. The rollback for a data change rarely is, which is the whole argument for keeping schema and data changes in separate, small migrations.
Make the change online, not blocking
This is where most SQL Server migrations go wrong. An ALTER TABLE or CREATE INDEX takes a schema-modification (Sch-M) lock, and Sch-M is incompatible with everything, including plain reads. A migration that runs in 50 milliseconds on your laptop can hold that lock for minutes on a table with a few hundred million rows, and for those minutes the table is frozen.
A few operations are cheap by design. Adding a nullable column is a metadata-only change and returns instantly. Adding a NOT NULL column with a constant default is also metadata-only, but only on Enterprise Edition and only since SQL Server 2012. On Standard Edition the same statement rewrites every row, takes the Sch-M lock for the whole rewrite, and that is exactly the kind of "small change" that takes prod down.
For index work, use ONLINE = ON so readers and writers keep going while the index is built:
ALTER INDEX IX_orders_customer ON dbo.orders
REBUILD WITH (ONLINE = ON, RESUMABLE = ON, MAX_DURATION = 60 MINUTES);Two things to know about that statement. Online index operations are an Enterprise Edition feature (and they're available on Azure SQL Database and Managed Instance regardless of tier). If you're on Standard, online rebuilds aren't an option, and the realistic answer is to schedule the work in a maintenance window or move the change to the expand-and-contract pattern below. The RESUMABLE = ON option, added in 2017 for rebuilds and extended in 2019, lets you pause a long index operation and resume it later instead of losing all the work, which is the difference between aborting a rebuild at minute 55 and picking it back up tomorrow.
Even an online operation needs a brief Sch-M lock at the start and end to swap the index in. On a busy table that short lock can still pile up behind a long-running query. WAIT_AT_LOW_PRIORITY keeps the migration from becoming the head of a blocking chain:
ALTER INDEX IX_orders_customer ON dbo.orders
REBUILD WITH (ONLINE = ON (WAIT_AT_LOW_PRIORITY (
MAX_DURATION = 5 MINUTES, ABORT_AFTER_WAIT = SELF
)));It waits politely for its lock, and if it can't get one within five minutes it aborts itself rather than blocking the queries behind it.
Backfill in batches
Populating a new column across a large table is a data change, and a single UPDATE over millions of rows is its own outage. SQL Server escalates row and page locks to a full table lock once a statement acquires roughly 5,000 locks on one object, so one big update locks the entire table anyway, and it generates a transaction-log entry for every row at once.
Update in bounded batches and let the log checkpoint between them:
WHILE 1 = 1
BEGIN
UPDATE TOP (5000) dbo.orders
SET region = 'UNKNOWN'
WHERE region IS NULL;
IF @@ROWCOUNT < 5000 BREAK;
WAITFOR DELAY '00:00:00.100'; -- breathe, let replicas catch up
ENDFive thousand keeps each statement under the escalation threshold. The short WAITFOR gives the log a chance to checkpoint and gives readonly replicas room to keep up instead of falling behind. Pick the batch size from your own row width and log throughput, but stay under the escalation line.
Breaking changes: expand and contract
Renaming a column, splitting one into two, or narrowing a type are breaking changes, and you can't do them in a single statement without deploying the application at the same instant. Don't try. The reason this bites harder on SQL Server than you'd expect is sp_rename. It exists, it looks like the obvious tool, and it's a trap: it renames the column but updates nothing that references it. Views, stored procedures, and functions that name the old column keep compiling and then fail at runtime, and sp_rename even returns a warning telling you to fix the references yourself. Treat in-place rename as off-limits in production.
Use expand-and-contract instead, which spreads the change across several safe migrations:
- Expand. Add the new column as nullable, which is metadata-only and instant. Widening a type the same way is also cheap: going from
varchar(100)tovarchar(200)withALTER COLUMNis metadata-only. Narrowing it or changing the type is not. That takes a Sch-M lock and scans every row, which is exactly why a narrowing belongs in this flow and not in a singleALTER. - Backfill. Populate the new column in batches, as above. When the new value is a pure function of existing columns, a
PERSISTEDcomputed column is often a cleaner bridge than a backfill, because it stays in sync with no application change:ALTER TABLE dbo.orders ADD total_with_tax AS (subtotal * 1.0825) PERSISTED. - Dual-write. Ship an application version that writes both columns. If you can't change the application in lockstep, an
AFTERtrigger can mirror writes from the old column into the new one at the database layer until the app catches up. - Switch reads. Point the application at the new column. A view or a synonym can indirect this, so the cutover is a single object change instead of a coordinated code deploy.
- Contract. Once nothing references the old column, drop it in a later migration.
Each step is independently safe and independently reversible. The whole sequence might span several deploys over a week, and that's the point: a breaking change becomes a series of non-breaking ones.
Put it in a pipeline
Once the SQL is safe, the rest is making sure it runs the same way everywhere.
Keep every migration in version control next to the application code, so a schema change goes through the same pull request and review as the feature that needs it. Add a review gate that reads the SQL before it runs and flags the dangerous patterns: an UPDATE with no WHERE, an ALTER that will rewrite a large table, an index build without ONLINE = ON, a missing rollback script. Then promote the identical scripts through dev, staging, and production. The script that passed staging is the script that runs in prod, byte for byte.
For the runner, the SQL Server ecosystem gives you a few well-worn paths. Because most SQL Server shops are also .NET shops, EF Core migrations and DbUp are the common choices, and both apply ordered scripts and record state in a history table. Flyway and Liquibase work against SQL Server too. If you went the state-based route, SqlPackage publishing a DACPAC is a first-class task in Azure DevOps and GitHub Actions, and Azure SQL Database adds its own deployment steps. Bytebase wraps the whole flow, including the review gate and multi-environment rollout, in one place. The tool matters less than the discipline: versioned scripts, an automated review, and the same artifact promoted across environments.
Where Bytebase fits
Bytebase is a database DevSecOps platform that manages SQL Server schema and data changes as a reviewed, versioned workflow. You can drive a change two ways: through the UI, where you raise the change in the console and it moves through review and approval, or through GitOps, where a SQL file merged into your Git repository triggers the same rollout. Either way the change runs through SQL Review rules that catch the blocking-operation and data-loss patterns described above before they reach production, and it rolls out across environments with an approval flow and a full audit trail. It also handles the access-control side, so the person running a production migration goes through a governed path rather than a direct admin connection.
Bytebase's SQL Review ships rules for SQL Server that flag table-rewriting ALTER statements, index builds without ONLINE = ON, and updates without a WHERE clause, catching the migrations that block production before they run.
FAQ
Is anything different on Azure SQL Database? The blocking rules are the same. Sch-M locks, lock escalation, and batched backfills all behave as described. What's better is that online and resumable index operations are available at any service tier, not just on a SQL Server Enterprise license, so you avoid the Standard Edition restriction on online index rebuilds. Deployment is also pipeline-first: there's no SQL Agent in Azure SQL Database, so migrations run from your CI/CD runner or an elastic job rather than a scheduled server-side job.
Should I use SSDT/DACPAC or migration scripts for production? Migration scripts, so you review the exact SQL that touches the live table. SSDT is excellent for keeping many environments identical, but its diff engine can generate drop-and-recreate operations that lose data. SqlPackage blocks on possible data loss by default; the trap is disabling that under deadline. Review every generated script.