Oracle support lifecycle

Does Oracle have a similar concept of support lifecycles for all their core RDBMS releases, i.e. 9i, 10g, 11g etc.? By support I am specifically interested in patching, i.e. functional or security bugs. Is there anywhere you can see remaining support (in terms of dates) for all major releases?

Also, are Oracle security patches cumulative, specifically security patches? I.e. if you find an Oracle 11g has never been patched since it was installed, is it a case of installing 1 cumulative patchset, or will you likely have to install dozens of security patches?

Asked: pma111

Geert Gruwez (Oracle dba) Commented:
you can check the dates here :
http://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf

patches are cumulative
install the latest patch is enough
after patching the software, you still need to run the patch update on the db

when changing from release like 11.2.0.1 to 11.2.0.4
it will require an install of the new release, additional patching, upgrading the db


there is always a patch/upgrade document included on how to apply it

slightwv (Netminder) Commented:
>>patches are cumulative

Little correction:  Patchsets are cumulative.  Individual one-off patches are not.

You can apply one single patch for Bug-A.  Then find Bug-B and apply a patch for that and it can reintroduce Bug-A.  Trust me, I lived that.

pma111 (Author) Commented:
do patchsets ever include a collection of the one-off patches? Or do you need to install both patchsets and one-off patches for overall peace of mind?
 
pma111 (Author) Commented:
does that link essentially say 10g is no longer supported/being patched then? So staying on 10g is a risk in itself?

Geert Gruwez (Oracle dba) Commented:
yup, 10g is no longer supported since last year July.

no more patches available for download

slightwv (Netminder) Commented:
>>do patchsets ever include a collection of the one off patches?

That is pretty much what a patchset is.

>>does that link essentially say 10g is no longer supported/being patched then?

Correct.

>>So staying on 10g is a risk in itself?

Depends.  Just because you can no longer ask Support questions and bugs are no longer fixed, does that mean it is a 'risk'?

It is all about perspective and risk/reward.  You can probably run 10g databases for the next 10 years without a problem in most instances.  In some, 10g will fail immediately with some unknown bug/issue.

For 'most' bugs I stumble across I can find a work-around for them since it takes Oracle weeks and sometimes months/years to fix a bug.

I found a bug once in 10g that 'cannot be fixed'.  Over the weeks/months working with Support I was told the developer was looking at the line of code that caused it but could not 'fix' it.  The bug magically disappeared in the 11g rewrite.

Geert Gruwez (Oracle dba) Commented:
lol, I found a bug in 11.2.0.3 g
> they only want to fix it in 12c
hesitated 2 seconds to fix it in 11.2.0.4 and then said no to that

pma111 (Author) Commented:
I think the risk in some cases is if a hacker found a vulnerability in 10g, and even if Oracle knew about it, they wouldn't release a patch as the software is no longer supported. Therefore if that exploit got into the public domain, any would-be hacker could then target Oracle 10g databases knowing they will be exploitable as a patch has never been published from Oracle.

pma111 (Author) Commented:
are patch sets similar to service packs in ms software?

As a general rule how many patch sets are released per version of oracle rdbms? and how many one off patches are released in between each patch set?

slightwv (Netminder) Commented:
>>I think the risk in some cases is if a hacker found a vulnerability in 10g

That's a risk even with current releases:  How long between the time the vulnerability is found and the time a patch is released and applied?

To also mitigate that risk:  It is likely only vulnerable to inside threats.  I hope your database isn't close to your front-end firewalls! So even a known issue should not be easily exploited.

I have this debate with our internal Security folks all the time:
Oracle isn't Windows.  You do NOT patch it just because a new patchset or critical patch is released.

See my comment above:  One patch can break others...

Oracle is good about introducing new bugs in patches to fix other ones.

Unless you have a pretty extensive test plan, don't patch Oracle just because you 'can'.

I get my security folks to leave me alone about patching when I tell them this:
I will apply any patch you all direct me to apply.  However, my work day ends at 4:30PM.  If the patch breaks something I will start working to fix it when I get back in at 8:00AM.

In other words:  You make my database 'break', I'm not working overtime or 24/7 to fix it...

To date:  I patch on my own schedule and ONLY after I have personally tested and approved the patch.

Geert Gruwez (Oracle dba) Commented:
hacker ...
first thing is getting in your network layer
that should also be patched

win2003 goes out of support next year ... :)

Geert Gruwez (Oracle dba) Commented:
lol >  I patch on my own schedule

and when the business grants you some "down" time

slightwv (Netminder) Commented:
>>are patch sets similar to service packs in ms software?

They 'can' be.  At times a patchset is just that, a set of patches.  Sometimes, as mentioned above, it is pretty much a complete software install and database upgrade/migration.

These days, it seems to be more of the latter:  Full download, full install.

>>As a general rule how many patch sets are released per version of oracle rdbms?

I think they are trying to go to a quarterly system but don't quote me on that.

They are moving from patchsets whenever and CRITICAL quarterly releases to a 'let's just do it all on a schedule'.

>>and how many one off patches are released in between each patch set?

Really no way to know this.  It 'depends'.

slightwv (Netminder) Commented:
>>and when the business grants you some "down" time

I am luckier than most there!  I can schedule it pretty much any time with very minimal notice.

Geert Gruwez (Oracle dba) Commented:
there is an upgrade guide which covers almost all the aspects
here is a link to the contents:
http://docs.oracle.com/cd/E11882_01/server.112/e17222/toc.htm

patching is just a portion of that ... :)

Geert Gruwez (Oracle dba) Commented:
I am luckier than most there!
> Enjoy that while it lasts ...

my next one: 4 am
so  the next team would have plenty of time for testing ... bleh

pma111 (Author) Commented:
>That's a risk even with current releases:  How long between the time the vulnerability is found and the time a patch is released and applied?


agree... however, at some point they will release a patch, whereas on 10g they never would..

pma111 (Author) Commented:
one more to wrap up, is there any way to query a build number? and from there determine if the latest patchsets are missing or not? Sometimes there is a specific format used in the build number i.e.

version-sp-patch

other software only release bundles as opposed to one-offs so it's much easier to keep tabs on.

Geert Gruwez (Oracle dba) Commented:
> whereas on 10g they never would...
money can do something about that, and a lot of convincing

it's usually cheaper to upgrade

Geert Gruwez (Oracle dba) Commented:
as slightwv has already said ... it's not really a must to be on the latest patch release
even in companies following sox

for sox, all parties need to agree to apply the patch
that means that all parties need to be informed when there is a patch first,
understand and agree it's necessary to apply it

> if they don't agree it's necessary to apply, then you're still sox compliant
however odd that may be

slightwv (Netminder) Commented:
>> and from there determine if the latest patchsets are missing or not?

Only 'major' patches/patchsets change version numbers.  To be honest, I have yet to figure out the reasoning.  For what is 'supposed' to be a minor release can be a full install.

For patches applied with the OPatch utility the utility will report on what has been applied:
opatch lsinventory

However, some minor patches just involve file copies to specific folders.  A DLL here, a .??? there...  I don't know how you figure out if those have been applied with any type of reporting.
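
As an added example (not code from any poster in this thread or from Oracle), the following Python cross-checks the patches that `opatch lsinventory` reports for the Oracle home against what the database itself records, since the thread notes that patching the software and running the patch update on the db are separate steps. The sample output, patch numbers, and the `PSU <version>` comment format read from `dba_registry_history` are constructed assumptions; adjust the patterns to your real output.

```python
import re

# Constructed sample in the general shape of `opatch lsinventory` output.
# Patch numbers and dates are made up for illustration.
SAMPLE_LSINVENTORY = """\
Oracle Database 11g                                       11.2.0.4.0
Interim patches (2) :

Patch  11111111     : applied on Mon Jul 21 10:20:45 CEST 2014
Patch description:  "Database Patch Set Update : 11.2.0.4.3 (11111111)"

Patch  22222222     : applied on Tue Mar 04 09:02:11 CET 2014
"""

# Constructed COMMENTS values, assumed to come from a query such as
#   SELECT comments FROM dba_registry_history WHERE action = 'APPLY';
SAMPLE_REGISTRY_COMMENTS = ["PSU 11.2.0.4.2"]

PATCH_RE = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on (.+)$")
PSU_RE = re.compile(r"Patch Set Update\s*:\s*([\d.]+)")


def parse_lsinventory(text):
    """Return one dict per patch: id, applied date, PSU version or None."""
    patches = []
    for line in text.splitlines():
        m = PATCH_RE.match(line.strip())
        if m:
            patches.append({"id": m.group(1), "applied": m.group(2), "psu": None})
        elif patches and line.startswith("Patch description"):
            psu = PSU_RE.search(line)
            if psu:
                patches[-1]["psu"] = psu.group(1)
    return patches


def audit(lsinventory_text, registry_comments):
    """Split patches into PSUs missing from the DB registry and one-offs."""
    in_db = {c.split()[-1] for c in registry_comments if c.startswith("PSU ")}
    patches = parse_lsinventory(lsinventory_text)
    missing = [p["psu"] for p in patches if p["psu"] and p["psu"] not in in_db]
    one_offs = [p["id"] for p in patches if p["psu"] is None]
    return missing, one_offs


if __name__ == "__main__":
    missing, one_offs = audit(SAMPLE_LSINVENTORY, SAMPLE_REGISTRY_COMMENTS)
    print("PSUs in the Oracle home but not recorded in the database:", missing)
    print("One-off patches to track by hand:", one_offs)
```

One-off patches show up only as bare patch numbers here, and patches delivered as plain file copies never reach the inventory at all, so they still need separate tracking.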

pma111 (Author) Commented:
thanks again

is there anything else "risk wise" associated with not keeping up to date with oracle patches, aside from functionality bugs and security bugs?

slightwv (Netminder) Commented:
Is lack of new features and possible better performance a 'risk'?

Remember: A minor number say 11.2.0.1 and 11.2.0.2 (just picked them out of the air) can really be a 'major' release with a LOT of new functionality and have major pieces of code rewritten.