Re: its easier to rant to get quoted than it is to do some research (Oracle Patching)

From: Paul Drake <>
Date: Wed, 25 Jan 2006 17:54:50 -0500
Message-ID: <>

On 1/25/06, Niall Litchfield <> wrote:
> On 1/25/06, Paul Drake <> wrote:
> >
> > I tend to agree with this gentleman:
> > "At least with a quarterly process you know when the next release is
> > coming and you can schedule the deployment work well ahead of time," Nirnay
> > Patil, DBA for Boston-based wireless communications provider American Tower
> > Corp., said at the time. "You can work out the manpower issues and all that.
> > And when the patches come out, there's time to test things more carefully."
> >
> >
> I tend not to. At least I agree that patching things once a quarter is not
> unreasonable, I can't believe that patching things several years after they
> are reported is sensible. Then there are the changing advisories and
> checksums. Sadly I suspect that Oracle will get security between 3 and 6
> months after Oracle databases are widely penetrated. Given that my id, my
> benefits, my employment details etc depend on Oracle databases this scares
> me silly.
> The 3-6 months by the way is the timescale where the supplier blames the
> customers for not applying all of the 344 one off patches after testing them
> first.
> --
> Niall Litchfield
> Oracle DBA


What I should have typed was - I do not want to have to apply one-off patchsets across servers distributed around the globe every week with no advance notice. I am not supporting the lag in the turn-around time of the fixes that Alex describes. I am simply advocating that it is difficult to obtain maintenance windows for production systems, particularly near closing periods. I prefer to not apply patches if such patches are not required. I would prefer to apply regression-tested patchsets, such as Of course that is not the reality we deal with, when one-off patches are available to remedy critical vulnerabilities.

Oracle's boilerplate disclaimer on one-off patches used to read something along the lines of " ... you must have located this patch off of an exact bug number ... this is not regression tested ..."

Backing out one-off patches on was not really an option - re-install was the supported path.

I can recall breaking utl_smtp (utl_tcp) functionality on win32, requiring the patch (officially) or borrowing a few files from a healthy home as a work-around. I don't like "one-off patch land". I don't like "loss of functionality land" due to bugs in new code.

So my real point is in patching vulnerabilities, rather, critical issues (in bulk) as quickly as possible with ideally a less than 3 months turn around time from Oracle. I think that is what David Litchfield was after when he blasted Oracle after the CPUOct2005 mess.

Ok - it's nearly 6 pm, time for my maintenance window for patching.


Received on Wed Jan 25 2006 - 16:54:50 CST