Posted by: Shayna Garlick
But just how massive — and critical — are these patches, really?
It’s a question that’s been asked before but certainly deserves to be asked again, especially as Oracle continues to grow, acquire more companies and products, and in turn, find more security vulnerabilities.
This Critical Patch Update has 41 security fixes. These include fixes for vulnerabilities in products ranging from Oracle 9i to Oracle 11g, including the former BEA WebLogic Server and Portal, Oracle E-Business Suite, Oracle Application Server and JD Edwards Tools. Oracle also recently had a problem with its Cluster Ready Services, spurred by a change in the world’s time standard to adjust for the slowing of the earth’s rotation.
This “Patch Tuesday whopper,” however, seems relatively modest compared to previous patches, such as the 101 fixes in October 2006, and definitely equivalent to recent updates like the 36 fixes just three months ago.
With all these patches also comes the question: Should you apply them?
According to Oracle, yes. In its prerelease announcement to customers this month, “Oracle strongly recommends that customers apply fixes as soon as possible.”
But many DBAs and Oracle experts think differently. When we asked the question last year to see just how much DBAs really care about Oracle’s latest Critical Patch Update, many responses were consistent with a survey that found two-thirds of Oracle users never install the critical patches.
One concern is that while these patches are meant to fix problems, they can also cause some of their own. Oracle expert Don Burleson addressed this just a couple of months ago, when an Oracle user asked him for advice on when and how to apply Oracle Critical Patch Updates.
“You DON’T have to apply patches, and sometimes patches can CAUSE unplanned issues. The best practices are always to conduct a full stress in a TEST environment before applying the patches in production… I wait for major releases and re-install at-once, and I only look at patches to fix specific issues.”
What’s your approach with Oracle’s patch updates? Are they worth the time and effort? Have your experiences with these patches changed at all in the last year, or are they still the bane of your existence?