Ok, so everyone and their granny knows that the latest and greatest Critical Patch Update has appeared. But there are a couple of things that might be missed.
First, I took out a documentation bug, bug number 6764071, on the last CPU. This was because Oracle stated at one point that users in a RAC system could access the system while the post-install procedures were being executed, but the post-install instructions state quite clearly that you need a startup upgrade even in a RAC environment – hence no access to the system. I’ve already blogged about this, but a few days ago Oracle confirmed that the doc bug had been amended.
Of course Oracle make the same document bug from January in the new April CPU:
I got the feedback on the 14th, so it seems it will be included in the next CPU patch. The sentence will be changed to:
“Users can continue to access the database during the post-installation steps, except during the one-time view recompilation.”
The second point is that the fixes introduced in the April CPU are actually included in the 10.2.0.4 patchset. Metalink Note:552248.1 states the following:
1.3 Database 10.2.0.4 Patch Set
The Database 10.2.0.4 Patch Set includes the CPUApr2008 content.
I find this quite interesting on two levels. First, if you need to do testing for the CPU, maybe you are as well just doing the testing for the patchset instead, and just jumping right to 10.2.0.4 (if your apps can live with it). Secondly, is it a bit worrying that the 10.2.0.4 patchset has been available for 1 month now, but Oracle only now let on that there are these critical vulnerabilities and they have been fixed for this length of time?
Is that really good security? Yes, I know it’s all about the quarterly cycle, but is it not more important giving customers as much information as possible?
Also, it is almost like the left hand does not know what the right hand is doing, because if you look at the metalink document 10.2.0.4 Patch Set – List of Bug Fixes by Problem Type, you will see the January CPU mentioned right at the top in a section about Security Alerts Issues fixed, but there is no mention of the April CPU – but surely they must have known this when they were making the patchset!
I’m sure the instructions for the April CPU are gospel and that you will be protected if you upgrade to 10.2.0.4, but it hardly gives you a warm glow of confidence, does it now?