RE: applying security patches

All three of those are issues that any shop is going to deal with migrating any type of change through the life-cycle. Or at least, any shop that follows any type of developmental standards. *grin*

Our problem with the security patches are not the users, but the DBAs
(and I am one of them). We have to choose between a critical bug fix or
a patched security hole, because invariably a Security CPU is not compatible with a bug fix, and it takes months for Oracle DEV to merge them, at which point, another CPU comes out.

Sounds like Oracle DEV is facing the same issues that your users are
(too busy to test all changes).

Call me cynical (or call me realistic).

-charles schultz

-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Joe Armstrong-Champ Sent: Wednesday, August 02, 2006 3:00 PM To: ORACLE-L
Subject: applying security patches

Does anyone ever get any problems from users who don't want to apply the cpu patches? For example, we have users who don't want to apply them because:

1. the test system is different from the prod system (application-wise, not system-wise) 2. testers are busy on other things and can't take time to test the security changes 3. the prod system is in the middle of a critical process and no changes can be made for some time period sometimes up to 4 weeks.

Issue #1 concerns me and leads to the question of what type of testing do people require before installing the patch in prod.

I don't have a lot of sympathy for #2 since the patches are security related and have big implications if not applied.

Number 3 is also valid. Not sure what to do about this.

Comments appreciated.

Joe

--
http://www.freelists.org/webpage/oracle-l


--
http://www.freelists.org/webpage/oracle-l