Today, the Independent Oracle User Group released the results of a survey conducted of members about their processes for applying Critical Patch Updates. These patches are Oracle's method of fixing security holes in its software. Others have described the methodology and the findings in depth, so I will include those links at the end. As for what this means to me, it very much fits with how I have been looking at CPUs since Oracle started releasing them.
Before I talk about my opinions, I need to have a little disclosure. I am a member of the Independent Oracle User Group and was involved in promoting the survey. The comments included in this blog are my opinions and are not a reflection of other members of IOUG. Hopefully that will protect me if I tick someone off!
The CPU process is relatively simple to apply: shut down the databases that are running out of the affected Oracle software installation, run the patch process, restart the databases, and run the .sql script that is delivered with the patch. This patch process has been around for a long time for "one-off" patches, and the Security team at Oracle has made it relatively fool-proof.
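As an added illustration of that cycle (this is example code, not from the original post or from Oracle), the script below finds every database registered in oratab against one ORACLE_HOME, stops them, runs opatch, and restarts each with the post-patch script. The oratab path, the patch directory and the post-patch SQL*Plus command are assumptions you would take from your own environment and the patch readme.

```shell
#!/bin/sh
# Added example of one CPU cycle for a single ORACLE_HOME.
# Assumes the standard /etc/oratab layout (SID:ORACLE_HOME:Y|N) and that
# the post-patch script name comes from the CPU readme (placeholder below).
ORATAB="${ORATAB:-/etc/oratab}"

# Print the SIDs whose oratab entry points at the given ORACLE_HOME, so every
# database running out of the installation being patched is stopped first.
sids_for_home() {
    home="$1"; file="${2:-$ORATAB}"
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' \
      | awk -F: -v h="$home" '$2 == h { print $1 }'
}

# Stop each database, apply the patch to the home, restart and run the
# delivered SQL. $3 is the SQL*Plus line from the readme, e.g. a placeholder
# such as '?/rdbms/admin/POST_PATCH_SCRIPT_FROM_README.sql'.
apply_cpu() {
    home="$1"; patchdir="$2"; postsql="$3"
    export ORACLE_HOME="$home"
    for sid in $(sids_for_home "$home"); do
        export ORACLE_SID="$sid"
        "$home/bin/sqlplus" -s "/ as sysdba" <<'EOF'
shutdown immediate
exit
EOF
    done
    # opatch apply is run from the unzipped patch directory and must succeed
    # before any database is brought back up.
    (cd "$patchdir" && "$home/OPatch/opatch" apply) || return 1
    for sid in $(sids_for_home "$home"); do
        export ORACLE_SID="$sid"
        "$home/bin/sqlplus" -s "/ as sysdba" <<EOF
startup
@$postsql
exit
EOF
    done
}
```

Run `apply_cpu /path/to/ORACLE_HOME /path/to/unzipped/patch '<post-patch script>'` as the Oracle software owner after the databases' backups are current; sids_for_home can be run on its own to review which instances the patch will take down.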
So why, as the survey finds, do people not install these as regularly as Oracle would like? I believe there are a couple of reasons, and these are somewhat reflected in the answers to the survey. First, everyone is busy keeping their environments running and implementing new projects. Most people are attempting to accomplish more within their organizations with fewer resources, and it is difficult to find the time to perform the patching. Second, Oracle tells us that these patches have been through numerous tests, and I believe they have. Up to this point, however, people have been instructed to test, test, and test again. It is difficult to get through a full test cycle on the patches within the three months between patch cycles. Finally, when technologists (a fancy word for those of us who are in charge of the patching) approach management about needing downtime to apply the patches, management wants to know why and what they are gaining. For the most part, plugging security holes is not high on a manager's priority list when there is a backlog of projects that need to be implemented.
How do we as technologists work through the listed challenges? I think the most important thing is to make sure you are educated. This can be done by reading Oracle's readme files and any documentation about Critical Patch Updates. Also, conferences such as Collaborate 09 have many sessions presented by users and by Oracle regarding the CPU process and security in general. Another point to work on is convincing management that these patches are important and carry relatively low risk. We still need to run some testing, but most people will not be required to complete a full-blown regression test.
Check out the survey and read what others are saying. The survey can be found here:
Two other blogs on the survey can be found at the following links. I will also update this post as any other news or commentary is posted.