| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> Re: its easier to rant to get quoted than it is to do some research (Oracle Patching)
On 1/25/06, Niall Litchfield <niall.litchfield_at_gmail.com> wrote:
>
> On 1/25/06, Paul Drake <bdbafh_at_gmail.com> wrote:
> >
> > I tend to agree with this gentleman:
> > "At least with a quarterly process you know when the next release is
> > coming and you can schedule the deployment work well ahead of time," Nirnay
> > Patil, DBA for Boston-based wireless communications provider American Tower
> > Corp., said at the time. "You can work out the manpower issues and all that.
> > And when the patches come out, there's time to test things more carefully."
> >
> >
> I tend not to. At least I agree that patching things once a quarter is not
> unreasonable, I can't believe that patching things several years after they
> are reported is sensible. Then there are the changing advisories and
> checksums. Sadly I suspect that Oracle will get security between 3 and 6
> months after oracle databases are widely penetrated. Given that my id, my
> benefits, my employment details etc depend on Oracle databases this scares
> me silly.
>
> The 3 -6 months by the way is the timescale where the supplier blames the
> customers for not applying all of the 344 one off patches after testing them
> first.
>
>
> --
> Niall Litchfield
> Oracle DBA
> http://www.niall.litchfield.dial.pipex.com
Niall,
What I should have typed was - I do not want to have to apply one-off patchsets across servers distributed around the globe every week with no advanced notice. I am not supporting the lag in the turn-around time of the fixes that Alex describes. I am simply advocating that it is difficult to obtain maintenance windows for production systems, particularly near closing periods. I prefer to not apply patches if such patches are not required. I would prefer to apply regression-tested patchsets, such as 10.1.0.5. Of course that is not the reality we deal with, when one-off patches are available to remedy critical vulnerabilities.
Oracle's boilerplate disclaimer on one-off patches used to read something along the lines of " ... you must have located this patch off of an exact bug number ... this is not regression tested ..."
Backing out one-off patches on 8.1.7.4 was not really an option - re-install was the supported path.
I can recall 8.1.7.4.6 breaking utl_smtp (utl_tcp) functionality on win32, requiring the 8.1.7.4.17 patch (officially) or borrowing a few files from a healthy home as a work-around. I don't like "one-off patch land". I don't like "loss of functionality land" due to bugs in new code.
So my real point is in patching vulnerabilities, rather, critical issues (in bulk) as quickly as possible with ideally a less than 3 months turn around time from Oracle. I think that is what David Litchfield was after when he blasted Oracle after the CPUOct2005 mess.
Ok - its nearly 6 pm, time for my maintenance window for patching.
Paul
-- http://www.freelists.org/webpage/oracle-lReceived on Wed Jan 25 2006 - 16:54:50 CST
 |
 |