On 1/25/06, Niall Litchfield <niall.litchfield@xxxxxxxxx> wrote:
>
> On 1/25/06, Paul Drake <bdbafh@xxxxxxxxx> wrote:
> >
> > I tend to agree with this gentleman:
> > "At least with a quarterly process you know when the next release is
> > coming and you can schedule the deployment work well ahead of time," Nirnay
> > Patil, DBA for Boston-based wireless communications provider American Tower
> > Corp., said at the time. "You can work out the manpower issues and all that.
> > And when the patches come out, there's time to test things more carefully."
> >
>
> I tend not to. At least I agree that patching things once a quarter is not
> unreasonable; I can't believe that patching things several years after they
> are reported is sensible. Then there are the changing advisories and
> checksums. Sadly I suspect that Oracle will get security between 3 and 6
> months after Oracle databases are widely penetrated. Given that my id, my
> benefits, my employment details etc. depend on Oracle databases, this scares
> me silly.
>
> The 3-6 months, by the way, is the timescale where the supplier blames the
> customers for not applying all of the 344 one-off patches after testing them
> first.
>
> --
> Niall Litchfield
> Oracle DBA
> http://www.niall.litchfield.dial.pipex.com

Niall,

What I should have typed was - I do not want to have to apply one-off patchsets across servers distributed around the globe every week with no advance notice. I am not supporting the lag in the turn-around time of the fixes that Alex describes. I am simply advocating that it is difficult to obtain maintenance windows for production systems, particularly near closing periods. I prefer to not apply patches if such patches are not required. I would prefer to apply regression-tested patchsets, such as 10.1.0.5. Of course that is not the reality we deal with, when one-off patches are available to remedy critical vulnerabilities.
Oracle's boilerplate disclaimer on one-off patches used to read something along the lines of "... you must have located this patch off of an exact bug number ... this is not regression tested ..." Backing out one-off patches on 8.1.7.4 was not really an option - re-install was the supported path. I can recall 8.1.7.4.6 breaking utl_smtp (utl_tcp) functionality on win32, requiring the 8.1.7.4.17 patch (officially) or borrowing a few files from a healthy home as a work-around.

I don't like "one-off patch land". I don't like "loss of functionality land" due to bugs in new code.

So my real point is in patching vulnerabilities, or rather critical issues, in bulk as quickly as possible, with ideally a less than 3 months turn-around time from Oracle. I think that is what David Litchfield was after when he blasted Oracle after the CPUOct2005 mess.

Ok - it's nearly 6 pm, time for my maintenance window for patching.

Paul