Jan 16: CPUs again ...

I'm pleased to see a few posts debating the (non)-application of quarterly Critical Patch Updates. Here are a few examples ...

Is Poor Security Hygiene Rampant?
Do DBAs care about Oracle’s latest Critical Patch Update?
Survey finds that 66% of Oracle users never install critical patches

All of which seem to have been kicked off by Pete Finnigan's blog about the survey. Pete talks a lot of sense in that blog and I agree that :-
"the issue has become psycological, a lot of companies beleive its difficult, that it will fail and that everything in the organisation needs to be regerssion tested."

I've talked about this subject recently and all the evidence I've seen supports the survey, although I'd venture the percentage of sites claiming to apply CPUs is higher in the survey! However, as I said in that series, my argument was never about what was right or wrong, but the reality I've experienced. Personally, I feel that sites should apply security updates and invest whatever is required (predominantly in man-power and a commitment to maintenance outages) to do the job. That's why I'm very pleased that my current site is grasping the CPU bull by the horns and, having encouraged the business to upgrade to 9.2.0.8, is pretty close to having the Oct 2007 CPU fully implemented.

Next up will be the Jan 2008 CPU. It's a never-ending story, after all, but I'm sure we'll get better.

 

Posted by Doug Burns Comments: (6) Trackbacks: (0)
Defined tags for this entry:
Related entries by tags:
The Reality Gap (1) - Software Maintenance

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

#1 - Paul Vallee said:
2008-01-16 23:26 - (Reply)

If it was Sal, I sent him your way.

Cheers

Paul

#2 - Paul Vallee said:
2008-01-17 00:28 - (Reply)

I must have Sal on the brain - I meant Jai. Duh.

Paul

#3 - Doug Burns said:
2008-01-17 07:17 - (Reply)

Yes, that was the one ...

#4 - Paul Vallee said:
2008-01-17 13:31 - (Reply)

Jai's blog today: http://blogs.computerworld.com/dbas_not_to_blame_for_oracle_patch_application_failures

Paul

#5 - Neil Campbell 2008-01-18 03:30 - (Reply)

It's an interesting point Doug. From my experience, I have seen the following types of situations

1. Those sites that only adopt CPU's because of a wider (company or enterprise) security / auditing initiative. (eg pre ISO 9000 or whatever the number is )

2. Sites that regularly adopt the CPU's tend to do so with a 6 month lag, almost in the same way as sites waiting for the "first patchset" to be release following a new release (i.e 11g).

3. Depending on the level of pragmatism within the organization, and whether there is a culture of co-operation between, say, development, testing production support teams will often determine how much resistance is applied to prevent the application of the CPU.

I also notice that the same amount of resistance doesn't seem to apply when it comes to Microsoft Service Packs ?

Neil

#6 - Doug Burns said:
2008-01-19 23:16 - (Reply)

Neil,

I think I'm seeing more examples of your point 1) above. As people slowly catch up with their regulatory requirements, I think people will start applying new versions and patches more regularly. It's just taking time.

You're right about Microsoft fixes, too. My current site is a long-term mainframe user and I think you'd find the approach in that environment is very different, with IT applying what needs to be applied without getting caught up in extended debates with the business about whether we're allowed to apply patches or not.

I think as patches are applied more often, there will be resulting problems, but avoiding all change in the hope of avoiding problems is a non-starter.


Add Comment

Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
BBCode format allowed