[ISN] Oracle announces quarterly patching schedule
InfoSec News
isn at c4i.org
Fri Nov 19 06:02:13 EST 2004
http://www.nwfusion.com/news/2004/1118orpatch.html

By Ellen Messmer
Network World Fusion
11/18/04

Oracle plans to begin issuing cumulative software patches for Oracle
Database, E-Business Suite, Application Server, Oracle Enterprise
Manager and Collaboration Suite on a quarterly basis beginning Jan.
18.

Oracle's three other scheduled patch-release dates in 2005 are April
12, July 12 and Oct. 18. Oracle's chief security officer, Mary Ann
Davidson, said the quarterly software patch releases will address any
needed security fixes as well as general non-security-related changes
in Oracle products. The planned quarterly software releases, which
Oracle is calling "Critical Patch Updates," are intended to make it
easier for Oracle customers to handle the software-maintenance
process.

Patching typically requires shutting down servers and other systems to
install new software code, a process that Oracle customers may be
especially reluctant to do during certain business periods, such as
when they're closing their books at the end of a financial quarter,
Davidson said.

Oracle for the first time in its history selected four specific days
it intends to release cumulative patches for its products to help
customers plan ahead and keep the disruption caused by patching to a
minimum.

However, Davidson noted that Oracle would make an exception to its
quarterly update schedule in the event that the software company had
to issue a "high-severity security alert" due to a vulnerability
discovered in any Oracle product, particularly if an exploit for it
were known to be in the wild.

For this kind of "one-off patch," said Davidson, "We don't want our
customers to wait for months."

In general, though, if customers decide they don't want to apply any
software patches issued Jan. 18, for whatever reason, they can wait
until the next scheduled update, which would come April 12.

At that time, any software changes issued in the January patch would
also be included in the April patch. Davidson said the fixed schedule
will help Oracle produce a single, well-integrated and well-tested
patch.