Security

Oracle Patch Day Becoming Irrelevant

mocirac wak writes "Oracle's scheduled quarterly patch day is becoming more and more irrelevant. Oracle critical patches announced in the April 2006 CPU are still not available for download and the ETA is now set for May 15. The whole idea of a patch day was to let DBAs get prepared for testing and deployment. What's the use of having a patch day when there are no patches to download?" From the article: "... Oracle's explanation that patch testing is not yet done points to serious shortcomings and an absence of a good patch development process. 'For such a big organization with a lot of financial resources, they should be ready to handle this without problems. But they are amateurs on everything security related,' Cerrudo said. 'They spend a lot of time creating these patches. Then, patch day comes around and the patches aren't available. Then, when the patches are finally released, it's normal to find that they are incomplete and fail to address the actual vulnerability,' he added."
  • by fm2503 ( 876331 ) on Friday May 05, 2006 @11:29AM (#15270363)
    Have you seen Oracle's security record recently?
    Anyone who reads bugtraq or the like will know it is shocking.
    Take a look at http://www.securityfocus.com/archive/1/432399 for an example.
  • by Anonymous Coward on Friday May 05, 2006 @11:31AM (#15270378)
    Though their database is their flagship product, they have been way too distracted with their substandard Oracle Applications suite. If they really want to do well, they should focus on what they do best and stop wasting their time trying to push poorly written web applications. (I should know, I have to use their worthless timecard and expense system every week.)
  • by zappepcs ( 820751 ) on Friday May 05, 2006 @11:41AM (#15270450) Journal
    When you have to pay as much as you need to to run Oracle, patches released in a timely manner that actually fix things are part of customer service. If there is no customer service, there are soon no customers. The OSS database engines are gaining ground, and personally, I like the way patches and fixes are released thus far for F/OSS .... I'm seeing fewer and fewer reasons to pay for big software packages like Oracle, MS, etc.

    ROI is important, and bad patch schedules and releases are not good ROI...
  • by bodland ( 522967 ) on Friday May 05, 2006 @12:05PM (#15270621) Homepage
    Basically...this is not uncommon across the software industry.

    Most of the companies are not mature and entrenched with bureaucracy. Staff probably turns over twice a year now when a decade ago devoted "well paid" developers worked long hours to make sure a patch or update was ready for release.

    Now from my perspective, as a DBA responsible for installing and overseeing the installation of software patches on database and application servers, I can't really say this is happening any longer.

    I don't simply patch Oracle because they say it's "critical". Updates and patching are only done if needed to keep the application going and to keep users working. If the risk of not patching comes into play then we patch.

    Unfortunately for us, many software makers have discovered the joys of consulting fees to bolster fading profit and market share, rather than actually delivering quality service and product to existing customers.

    Particularly in smaller software makers. Selling the sizzle and delivering the bacon later is all too common now. And many times you end up with something much less than "bacon".

    Anyone who works with canned apps in a large heterogeneous IS environment knows what I am talking about.

    And "we" the customers are partly to blame for allowing software makers to have their way with us. I for one refuse to "pay" vendors to develop working patches for their software...there are a thousand and one ways for software vendors to take advantage of clients. It is up to the IT professionals to hold them to contracts and simple concepts like the delivery of software, updates and patches that actually work as claimed.

    So it is up to us to demand full documentation, and READ IT. Test the systems completely and be more "critical" of the vendors claims...if you have to be hard ass to do so...so be it.

  • by grassy_knoll ( 412409 ) on Friday May 05, 2006 @01:39PM (#15271528) Homepage
    Agreed. When I saw this story, I figured I'd missed something, since my 9i DBs have had the patch since release.

    Metalink note 360465.1 has a table of patch levels required for database versions and patch release dates by OS. For 9.2.0.6, 9.2.0.7, 10.2.0.1 it looks like patches are available, and 10.2.0.2 is only awaiting the patch for the HP Itanium platform ( expected today... I'm sure both sites that use Oracle on HP Itanium will be happy ).

    There is some delay in other oracle versions on other platforms. If you're using 8.1.7.4, you're boned... although since IIRC all support for that version ends at the end of this year, I'd hope there's a migration in your future anyway.

    For versions 10.1.0.3 and 10.1.0.4 it's a little odd... for some OSs there are patches available ( Tru64, Linux, UNIX, et al. ) but there's a wait for the Windows versions. In 10.1.0.3's case some platforms must upgrade to 10.1.0.4 or 10.1.0.5, then apply patches for those levels.

    So in short, if you're running the latest version of Oracle 9i or 10g on Windows, proprietary UNIX or Linux, there are patches available.
