It's worth noting that while vendors like Microsoft have attempted to make patching less complicated, Oracle has only succeeded in making it more complex over time. PSUs are clearly designed to model the Microsoft "cumulative update" strategy they have for SQL Server and other products, but instead have just created yet another patching approach, requiring a new version of OPatch and offering a whole slew of complexity.

We see that more and more organizations are being forced to apply CPUs by auditors and security teams, and a couple that are making the CPU vs. PSU decision. Over time, Oracle is going to make it more and more encouraged to apply CPUs or PSUs, until at some point I wouldn't be surprised if it's near mandatory. Oracle is also using this pressure to apply the patches to encourage people to upgrade - we have a lot of customers that recently brought everything up to 9.2.0.8 or 10.2.0.4 because Oracle stopped making CPUs available for any earlier release.

It's a vicious cycle: Oracle makes patching really complicated, attempts to simplify it, makes it worse, then forces people to upgrade in order to get the patches they're being told they have to apply, and then Oracle tells people they'll happily sell them a product that will help fix the thing Oracle made complicated.

Thanks,
Matt

(Shameless plug and disclosure: My company, GridApp, of which I am one of the founders, makes a database automation software package that, among other things, supplants the OEM Provisioning Pack for patching and provisioning, and does so quite nicely. http://www.gridapp.com/products/patching.php Back to offering legit content.)
-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx on behalf of Andre van Winssen
Sent: Fri 11/13/2009 3:03 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Latest IOUG Security Report Raises Red Flags on Database Security

See http://www.oracle.com/newsletters/information-indepth/database-insider/nov-09/ioug.html?msgid=8308418&eid=3914466482&lid=1

<quote>
"But there is good news, too. Moving to an automated environment addresses burgeoning security and compliance requirements while containing costs. Those companies that have employed automated security tools and approaches - which demand little or no time from administrators or other IT personnel - have been able to maintain and expand robust security practices (particularly in situations where critical data is susceptible to exposure) and achieve regulatory compliance."
</quote>

So this is a plea for patch automation. I still don't understand why Oracle lets you pay for automating patching of THEIR own security bugs, i.e. because you would have to buy their Oracle Enterprise Manager Provisioning and Patch Automation Pack (http://www.oracle.com/technology/products/oem/pdf/provpack_db_ds.pdf).

Think about the impact of the last Oracle Critical Patch Update Advisory - October 2009 on http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html#AppendixDB which had 3 times Base Score *10* for the database, the most severe classification I have seen so far. Imagine an enterprise with hundreds or thousands of databases and only a couple of tens of human DBAs.

My point is: Oracle should provide mass patching tools for free, they owe us!

Regards,
Andre