Re: Patch Question
Date: Sat, 07 Jun 2008 21:31:41 -0500
Message-ID: <OuH2k.4595$uE5.4105@flpi144.ffdc.sbc.com>
joel garry wrote:
> On Jun 6, 1:17 pm, Mtek <m..._at_mtekusa.com> wrote:
>> On Jun 6, 3:08 pm, "fitzjarr..._at_cox.net" <orat..._at_msn.com> wrote:
>>> On Jun 6, 2:57 pm, Mtek <m..._at_mtekusa.com> wrote:
>>>> Hi,
>>>> We want to apply some Oracle. We have not done this in nearly 9
>>>> months or so. Anyhow, here is our environment:
>>>> Oracle 10.2.0.1.0
>>>> Linux Red Hat Enterprise x86-64
>>>> It returned 64 patched. None were recommended......
>>>> So, does that mean that we really do not need to install any???
>>>> Thank you!
>>>> John
>>> I know of at least ONE patchset you should be applying, and that is
>>> 10.2.0.3 (or, 10.2.0.4 if it's been released for RHEL).
>>> David Fitzjarrell
>> Why not apply all the 64 patches for 10.2.0.1, or is the idea is to
>> move to 10.2.0.3 to upgrade the version.....
>
> The patches are cumulative. In general, you want to be on or testing
> the latest patch set. It is not considered an upgrade because...
> well, that is explained in the docs that come with or can be obtained
> separately from the patch. You should read them!
>
> "Patch sets are a mechanism for delivering fully tested and integrated
> product fixes. Patch sets provide bug fixes only; they do not include
> new functionality and they do not require certification on the target
> system.
>
> Patch sets include all of the libraries that have been rebuilt to
> implement the bug fixes in the set. All of the fixes in the patch set
> have been tested and are certified to work with each other. Because
> the patch set includes only low impact patches, it does not require
> you to certify applications or tools against the server."
>
> But you should be interested in the bugs that are fixed.
>
> Some patch sets do contain backported new functionality, regardless of
> the boilerplate. Of course, the distinction between bug and doing it
> different may be blurry.
>
> jg
> --
> @home.com is bogus.
> http://securitylabs.websense.com/content/Alerts/3096.aspx
I would modify this slightly from:
"Patch sets provide bug fixes only; they do not include new
functionality and they do not require certification on the target system."
To:
"Patch sets generally provide bug fixes; they do not always include new
functionality and they may or may not require certification on the
target system."
Oracle does occasionally sneak in new functionality - like starting with 1Q2008 CPU patch, they started including SCM - the "phone-home" software linked with Metalink. It is not configured, but it is installed. Also, the way the patch sets installed started using "molecules" Major Patch# with many sub-patches - requiring a new version of OPatch to be installed in order to execute it.
They also changed executable permissions on UNIX servers starting with 9.2.0.7. They did provide a changePerm.sh script to set them to "wide-open", but this is a case of a major change that affected a lot of systems due to previously poorly designed security.
Personally, I miss the security mechanisms found in the formerly DEC/COMPAQ now HP OpenVMS. It was light years ahead of the Unix model. And the cluster technology actually worked :)
Received on Sat Jun 07 2008 - 21:31:41 CDT