Some thoughts on the April CPU

Ok, so everyone and their granny knows that the latest and greatest Critical Patch Update has appeared. But there are a couple of things that might be missed.

First, I took out a documentation bug, bug number 6764071, on the last CPU. This was because Oracle stated at one point users in a RAC system could access the system while the post-install procedures were being executed, but the post-install instructions state quite clearly that you need a startup upgrade even in a RAC environment – hence no access to the system. I’ve already blogged about this, but a few days ago Oracle confirmed that the doc bug had been amended.

Of course Oracle make the same document bug from January in the new April CPU:

I got the feedback on the 14th, so it seems it will be included in the next CPU patch. The sentence will be changed to:
“Users can continue to access the database during the post-installation steps, except during the one-time view recompilation.”

The second point is that the fixes introduced in the April CPU are actually included in the patchset; metalink Note:552248.1 states the following:

1.3 Database Patch Set

The Database Patch Set includes the CPUApr2008 content.

I find this quite interesting on two levels. First, if you need to do testing for the CPU, maybe you are as well just doing the testing for the patchset instead, and just jumping right to (if your apps can live with it). Secondly, it is a bit worrying that the patchset has been available for 1 month now, but Oracle only now let on that there are these critical vulnerabilities and that they have been fixed for this length of time.

Is that really good security? Yes, I know it’s all about the quarterly cycle, but is it not more important to give customers as much information as possible?

Also, it is almost like the left hand does not know what the right hand is doing, because if you look at the metalink document Patch Set – List of Bug Fixes by Problem Type, you will see the January CPU mentioned right at the top in a section about Security Alerts Issues fixed, but there is no mention of the April CPU – but surely they must have known this when they were making the patchset!

I’m sure the instructions for the April CPU are gospel and that you will be protected if you upgrade to, but it hardly gives you a warm glow of confidence, does it now?


3 thoughts on “Some thoughts on the April CPU”

  1. You are referring to which database patchset?
    Because in the 10g Release 2 ( Patch Set 3 for Linux x86, it says: Up to January 2008 CPU is included in this patch set. Not April.

  2. Hi Steeve,

    That is EXACTLY my point. If you read the patchset notes, it mentions January. If you read the note with the April CPU, which is note 552248.1, in that note it states the April CPU IS included within the patchset. I’m talking x86-64, but this obviously applies to the x86 patchset as well.

    Does that make sense? The notes for the patchset are not consistent with the note with the April CPU.
