Oracle Users Struggle With Patch Management
In the most recent copy of DB Tools for Oracle, SoftTree introduced a new patch management system – DB Patch Expert.


DB Patch Expert gives DBAs a tool to keep up with Oracle’s frenetic pace. The database giant issued 41 security patches for its products in January, and another 43 in April. As our customers prepare for another round of quarterly patches, we ask this question: How many of these patches has your organization deployed this year?


If you answered "none," you're not alone. According to a study published in February by the Independent Oracle Users Group (IOUG), nearly half of all Oracle users are at least two or more patch cycles -- that's six to nine months -- behind in their database patching. Eight percent are four or more cycles (more than a year) behind, and 11 percent have never applied one of Oracle's Critical Patch Updates.


An informal survey of SoftTree customers earlier this year gives us cause to question the accuracy of the IOUG study. It’s our belief that 50% of Oracle customers lagging 6 to 9 months in patch levels paints a very rosy picture. In our admittedly unscientific informal poll, we found that only 1 in 10 of our Oracle users had installed the most recent Oracle patch update. Perhaps more alarming, more than half of the respondents indicated they had never applied an Oracle patch update.


While some experts claim this is a “non-issue”, most agree that many database administrators are slow to roll out new patches. Why? Many of them are concerned that the patches might slow performance or cause disconnects between business applications and the databases that serve them.


"The requirement for extensively testing patches across complex and large production environments [is] a primary difficulty [in] timely application of Critical Patch Updates," the IOUG study says. "While the application of the patches may take a few hours, the actual testing of the patches before their application in production systems may take months in some organizations." 


We concur with this assessment. Most SoftTree customers apply patches on no regular cycle. Patching is typically driven by factors such as the need to fix a critical bug that is affecting a business application. Applying patches is widely considered to be an expensive and somewhat risky operation. Testing a server patch requires a separate test system, with the same configuration as the production system - including the database server and a complete stack of production applications.

Not testing a patch before deployment to a production server carries a significant risk of breaking existing production applications, as a byproduct of the patch introducing a backward compatibility issue or behavioral change. The process is also expensive because installing service packs and other large-scale patches requires significant downtime, sometimes hours of it, which is not an option in 24x7x365 shops. In such environments the use of clusters and failover systems is an architectural requirement to facilitate the serial installation of patches on the various nodes in the cluster. Again, this affects the overall system cost; in this economy only the largest organizations can afford such systems.


To its credit, Oracle has responded to this dilemma with “My Oracle Support.” Yet there are drawbacks.


  1. Oracle collectors must be installed and running. Collectors are typically preinstalled with the most recent Oracle versions (10.2 and 11, and some application and business servers where users have the Enterprise edition of Oracle products), but they are not always running, for various reasons.
  2. Users need to have the latest versions of Oracle products; if they run older versions, they are out of luck, because no collectors are available for those versions.
  3. Users need a paid MetaLink support account in order for collectors to be tied to the Oracle patching system, or to run interactive reporting and download patches. In a large organization, only a few senior DBAs have access to such account(s).
  4. My Oracle Support is limited to supporting Oracle products only. SoftTree’s DB Audit Expert is popular because most organizations have instances of multiple database vendor platforms.  


DB Patch Expert was designed to overcome the limitations inherent in My Oracle Support.


  1. It doesn't require collectors. It can perform on-the-fly patch/version analysis. The trade-off is that, because there are no collectors, DB Patch Expert doesn't have access to historical system changes.
  2. The SoftTree system supports all database versions supported by DB Audit software (except DB2 mainframe systems), including old Oracle versions, starting with 7.3.
  3. DB Patch Expert is not limited to a single database type, and so is not limited to use by a single DBA group. It can be used by IT managers (including CIOs, CSOs, etc.) to assess and track overall organization status and security/compliance.
  4. Additionally, DB Audit hooks into US government-supported vulnerability databases and classifies database patches based on the vulnerability scores published in these databases.


