Many still holding off on Oracle database CPUs

Remember a month or so ago, when we asked whether Oracle’s critical patch updates (CPU) were all that critical?

The answer from many (outside of Oracle) was no. In fact, many DBAs considered it too much trouble. Responses ranged from “security ‘experts’ drumming up business through paranoia” to questions about when 11g will be hotpatchable as promised. Some even said, “we believe these patches ARE critical.”

Well, according to a release of the latest survey of the Independent Oracle Users Group (downloadable as a .pdf), many others are holding off on those patches. Now, the survey was co-sponsored by Oracle and we tend to take results from vendor-sponsored studies with a grain of salt, but it does offer some interesting insights. Of the 150 survey respondents, only 26% said CPUs were applied systematically across the entire environment when they’re released by Oracle. Another 19% reported that their organizations do not have any specific requirements for the application of vendor supplied security patches. In fact, 36% require some sort of justification for security patches and favor a risk analysis over a cost/benefit analysis.

The results came as little surprise to Pete Finnigan and he addressed them over on his Oracle security weblog.

He writes:

I always say two things. 1) CPU’s are only part of the problem of securing an Oracle database – that is to be secure you cannot just apply a CPU, you must do all of the other work to secure the database, configuration, privileges, access, audit…. much, much more and 2) at the end of the day; taking out all of the issues, you can either apply a CPU or not, its simple. Well its simple to say but in practice, psycologically, reallity[sic], its often hard to do for lots of reasons, mostly availability, performance, downtime, stability.

Certainly, database security remains a critical topic for organizations. According to a new database security report from Forrester Research (available free with registration), database attacks are at an all-time high. My colleague Shayna Garlick sat down for a podcast with Forrester’s Noel Yuhanna to discuss the results of his research. While Yuhanna asserts that Oracle has the most comprehensive database security, he also advises companies look to independent security providers. After all, most organizations are not Oracle only, they run heterogeneous shops.

So, while Oracle certainly seems to be paying attention to database security, it seems not everyone is listening. What does Oracle need to do to convince you to apply CPUs? Release them more often? Less often? Or are you content to parse through the relevant information to determine for yourself what’s “critical” and what can wait? Are your internal corporate processes adequate for the job?