Oracle support lifecycle

Does Oracle have a similar concept of support lifecycles for all their core RDBMS releases, i.e. 9i, 10g, 11g etc.? By support I am specifically interested in patching, i.e. functional or security bugs. Is there anywhere you can see remaining support (in terms of dates) for all major releases?

Also are Oracle security patches cumulative, specifically security patches? I.e. if you find an Oracle 11g has never been patched since it was installed, is it a case of installing 1 cumulative patchset, or will you likely have to install dozens of security patches?
pma111 Asked:

Geert G (Oracle dba) Commented:
you can check the dates here:
http://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf

patches are cumulative
installing the latest patch is enough
after patching the software, you still need to run the patch update on the db

when changing release, like from 11.2.0.1 to 11.2.0.4,
it will require an install of the new release, additional patching, upgrading the db

there is always a patch/upgrade document included on how to apply it
0

slightwv (䄆 Netminder) Commented:
>>patches are cumulative

Little correction:  Patchsets are cumulative.  Individual one-off patches are not.

You can apply one single patch for Bug-A.  Then find Bug-B and apply a patch for that and it can reintroduce Bug-A.  Trust me, I lived that.
0
pma111 (Author) Commented:
do patchsets ever include a collection of the one-off patches? Or do you need to install both patchsets and one-off patches for overall peace of mind?
0
pma111 (Author) Commented:
does that link essentially say 10g is no longer supported/being patched then? So staying on 10g is a risk in itself?
0
Geert G (Oracle dba) Commented:
yup, 10g is no longer supported since last year July.

no more patches available for download
0
slightwv (䄆 Netminder) Commented:
>>do patchsets ever include a collection of the one off patches?

That is pretty much what a patchset is.

>>does that link essentially say 10g is no longer supported/being patched then?

Correct.

>>So staying on 10g is a risk in itself?

Depends.  Just because you can no longer ask Support questions and bugs are no longer fixed, does that mean it is a 'risk'?

It is all about perspective and risk/reward.  You can probably run 10g databases for the next 10 years without a problem in most instances.  In some, 10g will fail immediately with some unknown bug/issue.

For 'most' bugs I stumble across I can find a work-around for them since it takes Oracle weeks and sometimes months/years to fix a bug.

I found a bug once in 10g that 'cannot be fixed'.  Over the weeks/months working with Support I was told the developer was looking at the line of code that caused it but could not 'fix' it.  The bug magically disappeared in the 11g rewrite.
0
Geert G (Oracle dba) Commented:
lol, I found a bug in 11.2.0.3 g
> they only want to fix it in 12c
hesitated 2 seconds to fix it in 11.2.0.4 and then said no to that
0
pma111 (Author) Commented:
I think the risk in some cases is if a hacker found a vulnerability in 10g, and even if Oracle knew about it, they wouldn't release a patch as the software is no longer supported, therefore if that exploit got into the public domain, any would-be hacker could then target Oracle 10g databases knowing they will be exploitable as a patch has never been published from Oracle.
0
pma111 (Author) Commented:
are patch sets similar to service packs in MS software?

As a general rule how many patch sets are released per version of Oracle RDBMS? And how many one-off patches are released in between each patch set?
0
slightwv (䄆 Netminder) Commented:
>>I think the risk in some cases is if a hacker found a vulnerability in 10g

That's a risk even with current releases:  How long between the time the vulnerability is found and the time a patch is released and applied?

To also mitigate that risk:  It is likely only vulnerable to inside threats.  I hope your database isn't close to your front-end firewalls! So even a known issue should not be easily exploited.

I have this debate with our internal Security folks all the time:
Oracle isn't Windows.  You do NOT patch it just because a new patchset or critical patch is released.

See my comment above:  One patch can break others...

Oracle is good about introducing new bugs in patches to fix other ones.

Unless you have a pretty extensive test plan, don't patch Oracle just because you 'can'.

I get my security folks to leave me alone about patching when I tell them this:
I will apply any patch you all direct me to apply.  However, my work day ends at 4:30PM.  If the patch breaks something I will start working to fix it when I get back in at 8:00AM.

In other words:  You make my database 'break', I'm not working overtime or 24/7 to fix it...

To date:  I patch on my own schedule and ONLY after I have personally tested and approved the patch.
0
Geert G (Oracle dba) Commented:
hacker ...
first thing is getting in your network layer
that should also be patched

win2003 goes out of support next year ... :)
0
Geert G (Oracle dba) Commented:
lol >  I patch on my own schedule

and when the business grants you some "down" time
0
slightwv (䄆 Netminder) Commented:
>>are patch sets similar to service packs in ms software?

They 'can' be.  At times a patchset is just that, a set of patches.  Sometimes, as mentioned above, it is pretty much a complete software install and database upgrade/migration.

These days, it seems to be more of the latter:  Full download, full install.

>>As a general rule how many patch sets are released per version of oracle rdbms?

I think they are trying to go to a quarterly system but don't quote me on that.

They are moving from patchsets whenever and CRITICAL quarterly releases to a 'let's just do it all on a schedule'.

>>and how many one off patches are released in between each patch set?

Really no way to know this.  It 'depends'.
0
slightwv (䄆 Netminder) Commented:
>>and when the business grants you some "down" time

I am luckier than most there!  I can schedule it pretty much any time with very minimal notice.
0
Geert G (Oracle dba) Commented:
there is an upgrade guide which covers almost all the aspects
here is a link to the contents:
http://docs.oracle.com/cd/E11882_01/server.112/e17222/toc.htm

patching is just a portion of that ... :)
0
Geert G (Oracle dba) Commented:
I am luckier than most there!
> Enjoy that while it lasts ...

my next one: 4 am
so the next team would have plenty of time for testing ... bleh
0
pma111 (Author) Commented:
>That's a risk even with current releases:  How long between the time the vulnerability is found and the time a patch is released and applied?


agree... however, at some point they will release a patch, whereas on 10g they never would..
0
pma111 (Author) Commented:
one more to wrap up, is there any way to query a build number? and from there determine if the latest patchsets are missing or not? Sometimes there is a specific format used in the build number i.e.

version-sp-patch

other software only release bundles as opposed to one-offs so it's much easier to keep tabs on.
0
Geert G (Oracle dba) Commented:
> whereas on 10g they never would...
money can do something about that, and a lot of convincing

it's usually cheaper to upgrade
0
Geert G (Oracle dba) Commented:
as slightwv has already said ... it's not really a must to be on the latest patch release
even in companies following sox

for sox, all parties need to agree to apply the patch
that means that all parties need to be informed when there is a patch first,
understand and agree it's necessary to apply it

> if they don't agree it's necessary to apply, then you're still sox compliant
however odd that may be
0
slightwv (䄆 Netminder) Commented:
>> and from there determine if the latest patchsets are missing or not?

Only 'major' patches/patchsets change version numbers.  To be honest, I have yet to figure out the reasoning.  For what is 'supposed' to be a minor release can be a full install.

For patches applied with the OPatch utility the utility will report on what has been applied:
opatch lsinventory

However, some minor patches just involve file copies to specific folders.  A DLL here, a .??? there...  I don't know how you figure out if those have been applied with any type of reporting.
0
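An added example, not part of the original thread: a small shell audit that reads `opatch lsinventory` output and reports which required patch numbers are absent from the Oracle home. The function names are hypothetical and the sample inventory (patch numbers, IDs, dates, path) is constructed for illustration; as noted in the comment above, patches delivered as plain file copies never appear in this inventory.

```shell
#!/bin/sh
# Added example: check an OPatch inventory (text on stdin) against a list
# of required patch numbers. Function names are illustrative assumptions.

# Constructed sample in the usual lsinventory layout. The patch numbers,
# IDs, dates and Oracle home path are made up, not real Oracle patches.
sample_inventory() {
cat <<'EOF'
Oracle Interim Patch Installer version 11.2.0.3.4
Oracle Home       : /u01/app/oracle/product/11.2.0/dbhome_1
Installed Top-level Products (1):

Oracle Database 11g                                       11.2.0.4.0
There are 1 products installed in this Oracle Home.

Interim patches (2) :

Patch  11111111     : applied on Tue Jul 22 10:15:32 CEST 2014
Unique Patch ID:  10000001
Patch description:  "CONSTRUCTED sample bundle (11111111)"

Patch  22222222     : applied on Mon Mar 03 09:01:10 CET 2014
Unique Patch ID:  10000002

OPatch succeeded.
EOF
}

# Version of the installed top-level database product (last field).
home_version() {
  awk '/^Oracle Database/ { print $NF; exit }'
}

# One applied patch number per line. "Patch description:" lines are
# skipped because their third field is not a bare colon.
applied_patches() {
  awk '$1 == "Patch" && $3 == ":" && $4 == "applied" { print $2 }'
}

# missing_patches NUM...: print each required patch not in the inventory.
missing_patches() {
  _applied=$(applied_patches)
  for _p in "$@"; do
    printf '%s\n' "$_applied" | grep -qx -- "$_p" || printf '%s\n' "$_p"
  done
}

# Demo on the constructed sample: 33333333 is reported as missing.
sample_inventory | missing_patches 11111111 33333333
```

Against a real home, pipe the tool's output in instead of the sample: `$ORACLE_HOME/OPatch/opatch lsinventory | missing_patches <required numbers>`.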
pma111 (Author) Commented:
thanks again

is there anything else "risk wise" associated with not keeping up to date with Oracle patches, aside from functionality bugs and security bugs?
0
slightwv (䄆 Netminder) Commented:
Is lack of new features and possible better performance a 'risk'?

Remember: A minor number say 11.2.0.1 and 11.2.0.2 (just picked them out of the air) can really be a 'major' release with a LOT of new functionality and have major pieces of code rewritten.
0