The Benefits of Database Server Patch Set Updates (PSUs)
By Eric P. Maurice on Sep 14, 2010
The Critical Patch Update program (CPU) is Oracle's primary mechanism for the release of security fixes for all Oracle products. Introduced in January 2005, Critical Patch Updates are released on dates announced a year in advance. Critical Patch Update patches correct security vulnerabilities and may, when required, include fixes that are prerequisites for the security fixes.
In July 2009, Oracle introduced a new patch offering specific to Oracle Database Server: the Patch Set Update (PSU). More recently, Patch Set Updates for Oracle Enterprise Manager 10.2.0.5 and later were introduced, but for the purpose of this blog, we will only discuss Database Server PSUs.
Patch Set Updates are available under the Critical Patch Update program, but unlike traditional CPU patches, PSUs provide a means to deliver security fixes and non-security fixes (i.e., critical bug fixes) bundled together in a tested package. As a result, Database Server customers have a choice when each Critical Patch Update is released: they can opt to receive security fixes only (using the traditional N-apply CPU patches) or they can opt to receive a more comprehensive set of security and non-security fixes (using the Patch Set Update patches). Please note that for each given Critical Patch Update, customers receive the same security fixes whether they choose to apply a PSU patch or a traditional N-apply CPU patch (in that sense, the traditional CPU patch contains a subset of the fixes available in the PSU patch).
Note that Patch Set Updates are available only for Oracle Database Server 10.2.0.4 and later on platforms other than Windows. Windows Database bundles do, however, include the same fixes as the Patch Set Updates when they are released.
The below table provides a summary comparison of the PSU patches and traditional N-apply patches available under the Critical Patch Update program.
Applying a Patch Set Update introduces a new baseline version for the Database Server, which affects how future patches are applied on a system where a PSU has previously been installed. Once a PSU has been applied on the system, the recommended method to apply all future CPU program security content is to apply future PSUs. In other words, once a PSU has been applied, it is not recommended to switch back to traditional N-apply patches. While such a switch is possible with assistance from Oracle technical support, it is a complex procedure and therefore is not recommended. However, if previously only traditional N-apply CPU patches have been applied, customers can elect to apply the most current Patch Set Update at any time.
The primary benefit of the Patch Set Updates to customers is that they can receive, in a streamlined fashion, many recommended patches needed to keep their environment secure and operating at top efficiency. This is because the non-security fixes included in each Patch Set Update are designed to address issues related to system or instance-wide outages, severe functionality issues, etc. Non-security fixes that would require application or configuration changes, cause optimizer plan changes or dictionary changes, or contain architectural changes cannot be candidates for inclusion in PSUs.
Another benefit of the Patch Set Updates is the safety they provide to customers. Since the bundle of fixes included in each Patch Set Update is tested together, the risk of regression issues that could be introduced when each fix is applied separately by customers is greatly reduced.
For More Information:
• The Independent Oracle User Group (IOUG) recently posted a replay of a webcast on Database Server security patching with Bruce Lowenthal, Director for Security Alerts for Oracle, and Lois Price, Director for Product Lifecycle Services for Oracle. A significant portion of this webcast was dedicated to exploring the differences between PSUs and traditional CPU patches.
• The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html
• Note 854428.1 "Patch Set Updates for Oracle Products" is located at https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=854428.1