Re: its easier to rant to get quoted than it is to do some research (Oracle Patching)

  • From: Paul Drake <bdbafh@xxxxxxxxx>
  • To: Niall Litchfield <niall.litchfield@xxxxxxxxx>
  • Date: Wed, 25 Jan 2006 17:54:50 -0500

On 1/25/06, Niall Litchfield <niall.litchfield@xxxxxxxxx> wrote:
>
> On 1/25/06, Paul Drake <bdbafh@xxxxxxxxx> wrote:
> >
> > I tend to agree with this gentleman:
> > "At least with a quarterly process you know when the next release is
> > coming and you can schedule the deployment work well ahead of time," Nirnay
> > Patil, DBA for Boston-based wireless communications provider American Tower
> > Corp., said at the time. "You can work out the manpower issues and all that.
> > And when the patches come out, there's time to test things more carefully."
> >
> >
> I tend not to. At least I agree that patching things once a quarter is not
> unreasonable; I can't believe that patching things several years after they
> are reported is sensible. Then there are the changing advisories and
> checksums. Sadly I suspect that Oracle will get security between 3 and 6
> months after Oracle databases are widely penetrated. Given that my ID, my
> benefits, my employment details etc. depend on Oracle databases this scares
> me silly.
>
> The 3-6 months, by the way, is the timescale where the supplier blames the
> customers for not applying all of the 344 one-off patches after testing them
> first.
>
>
> --
> Niall Litchfield
> Oracle DBA
> http://www.niall.litchfield.dial.pipex.com



Niall,

What I should have typed was - I do not want to have to apply one-off
patchsets across servers distributed around the globe every week with no
advance notice. I am not supporting the lag in the turn-around time of the
fixes that Alex describes. I am simply advocating that it is difficult to
obtain maintenance windows for production systems, particularly near closing
periods. I prefer to not apply patches if such patches are not required. I
would prefer to apply regression-tested patchsets, such as 10.1.0.5. Of
course that is not the reality we deal with, when one-off patches are
available to remedy critical vulnerabilities.

Oracle's boilerplate disclaimer on one-off patches used to read something
along the lines of "... you must have located this patch off of an exact
bug number ... this is not regression tested ..."

Backing out one-off patches on 8.1.7.4 was not really an option - re-install
was the supported path.

I can recall 8.1.7.4.6 breaking utl_smtp (utl_tcp) functionality on win32,
requiring the 8.1.7.4.17 patch (officially) or borrowing a few files from a
healthy home as a work-around. I don't like "one-off patch land". I don't
like "loss of functionality land" due to bugs in new code.

So my real point is in patching vulnerabilities, rather, critical issues (in
bulk) as quickly as possible, with ideally a less than 3-month turn-around
time from Oracle. I think that is what David Litchfield was after when he
blasted Oracle after the CPUOct2005 mess.

OK - it's nearly 6 pm, time for my maintenance window for patching.

Paul
