Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: applying security patches

Re: applying security patches

From: Paul Drake <>
Date: Wed, 2 Aug 2006 16:17:29 -0400
Message-ID: <>

On 8/2/06, Schultz, Charles <> wrote:
> All three of those are issues that any shop is going to deal with
> migrating any type of change through the life-cycle. Or at least, any
> shop that follows any type of developmental standards. *grin*
> Our problem with the security patches are not the users, but the DBAs
> (and I am one of them). We have to choose between a critical bug fix or
> a patched security hole, because invariably a Security CPU is not
> compatible with a bug fix, and it takes months for Oracle DEV to merge
> them, at which point, another CPU comes out.
> Sounds like Oracle DEV is facing the same issues that your users are
> (too busy to test all changes).
> Call me cynical (or call me realistic).
> -charles schultz
> -----Original Message-----
> From:
> [] On Behalf Of Joe Armstrong-Champ
> Sent: Wednesday, August 02, 2006 3:00 PM
> Subject: applying security patches
> Does anyone ever get any problems from users who don't want to apply the
> cpu patches? For example, we have users who don't want to apply them
> because:
> 1. the test system is different from the prod system (application-wise,
> not system-wise) 2. testers are busy on other things and can't take time
> to test the security changes 3. the prod system is in the middle of a
> critical process and no changes can be made for some time period
> sometimes up to 4 weeks.
> Issue #1 concerns me and leads to the question of what type of testing
> do people require before installing the patch in prod.
> I don't have a lot of sympathy for #2 since the patches are security
> related and have big implications if not applied.
> Number 3 is also valid. Not sure what to do about this.
> Comments appreciated.
> Joe

Sounds like a paradox:

The more important the system and its data are the more there is to be lost due to compromise of the system, yet the less tolerated downtime will be to apply a patchset.

(the less likely that the dba will be to be able to get in their mileage on the bike that week)

This is where CSOs are useful to trump application owners and application users.
I'd consult sites such as SANS, where they already assume that EVERYONE has already applied the patches after 7 days. Right.


Received on Wed Aug 02 2006 - 15:17:29 CDT

Original text of this message