A day in the life of an Oracle Applications Consultant


Wednesday, October 18, 2006

Oracle Releases Eighth Critical Patch Update

Oracle DBAs and sysadmins: you’ve got a “friend” in Oracle’s October 2006 Critical Patch Update (CPUOct2006).

Winter Spring Summer or Fall,
All you have to do is call,
And I’ll be there yeah yeah yeah.
You’ve got a friend.
- James Taylor

Just like the lyrics in the famous James Taylor song, Oracle came calling again (yeah, Yeah, YEAH!) with its Fall Quarterly Update.  If, by chance, you don’t have any friends, at least you’ll have job security.  And if you’re an Oracle DBA or system administrator you probably don’t have time for socializing anyway, especially if you’re responsible for identifying, testing, and implementing the 101 patches identified in CPU #8.

But this time our jobs should be a little easier, as Oracle has included additional notes, among them an executive summary of the vulnerabilities addressed by the latest patches. A rating system based on the Common Vulnerability Scoring System (CVSS) has also been incorporated into the risk matrix.  Although the risk matrix is nothing new to the CPUs, MetaLink Note 394486.1 will help you understand the new format of the matrix.  I believe the new format will help facilitate an easier “yes/no” identification approach, and also help identify the resources and effort required to implement each of the patches.

For e-Business customers, there are 13 vulnerabilities identified in Appendix D.  According to the Oracle Global Product Security Blog, the patches are cumulative for all products except the e-Business Suite.  If you’ve lagged behind in applying the quarterly updates, you will need to do a gap analysis on the previous CPUs issued for the e-Business Suite to ensure you are compliant.  CPUs for the technology stack components, however, should be cumulative, which means you can simply apply the latest CPU patches specified to ensure you are compliant.

I’ve got an out-of-the-box 11.5.10CU2 environment I’ll be installing soon, so to identify all the patches required to ensure compliance, I’ll start by reviewing MetaLink Note 391564.1.  I’ll post my gap analysis in a future post.

I’d be interested in hearing how well others have been keeping up with the quarterly updates, and strategies for identifying patches to apply.  Do you apply all patches applicable to your environment?  Is there a change management process you follow?  What is your strategy for regression testing and production migration?  Post a comment to let us know your thoughts on dealing with these quarterly updates.