Some thoughts on the April CPU

Ok, so everyone and their granny knows that the latest and greatest Critical Patch Update has appeared. But there are a couple of things that might be missed.

First, I took out a documentation bug, bug number 6764071, on the last CPU. This was because Oracle stated at one point users in a RAC system could access the system while the post-install procedures were being executed, but the post-install instructions state quite clearly that you need a startup upgrade even in a RAC environment – hence no access to the system. I’ve already blogged about this, but a few days ago Oracle confirmed that the doc bug had been amended.

Of course Oracle make the same document bug from January in the new April CPU:

I got the feedback on the 14th, so it seems it will be included in the next CPU patch. The sentence will be changed to:
“Users can continue to access the database during the post-installation steps, except during the one-time view recompilation.”

The second point is that the fixes introduced in the April CPU are actually included in the 10.2.0.4 patchset; Metalink Note:552248.1 states the following:

1.3 Database 10.2.0.4 Patch Set

The Database 10.2.0.4 Patch Set includes the CPUApr2008 content.

I find this quite interesting on two levels. First, if you need to do testing for the CPU, maybe you are as well just doing the testing for the patchset instead, and just jumping right to 10.2.0.4 (if your apps can live with it). Secondly, is it a bit worrying that the 10.2.0.4 patchset has been available for 1 month now, but Oracle only now let on that there are these critical vulnerabilities and they have been fixed for this length of time?

Is that really good security? Yes, I know it’s all about the quarterly cycle, but is it not more important giving customers as much information as possible?

Also, it is almost like the left hand does not know what the right hand is doing, because if you look at the metalink document 10.2.0.4 Patch Set – List of Bug Fixes by Problem Type, you will see the January CPU mentioned right at the top in a section about Security Alerts Issues fixed, but there is no mention of the April CPU – but surely they must have known this when they were making the patchset!

I’m sure the instructions for the April CPU are gospel and that you will be protected if you upgrade to 10.2.0.4, but it hardly gives you a warm glow of confidence, does it now?


3 Comments

  1. You are referring to which database 10.2.0.4 patchset?
    Because in the 10g Release 2 (10.2.0.4) Patch Set 3 for Linux x86, it says: Up to January 2008 CPU is included in this patch set. Not April.

  2. jarneil

     /  April 17, 2008

    Hi Steeve,

    That is EXACTLY my point. If you read the patchset notes, it mentions January. If you read the note with the April CPU, which is note 552248.1, in that note it states the April CPU IS included within the 10.2.0.4 patchset. I’m talking x86-64, but this obviously applies to the x86 patchset as well.

    Does that make sense? The notes for the patchset are not consistent with the note with the April CPU.

  1. Log Buffer #93: a Carnival of the Vanities for DBAs
