Solved

oracle support lifecycle

Posted on 2014-02-27
Last Modified: 2014-03-03
Does Oracle have a similar concept of support lifecycles for all their core RDBMS releases, i.e. 9i, 10g, 11g etc.? By support I am specifically interested in patching, i.e. functional or security bugs. Is there anywhere you can see remaining support (in terms of dates) for all major releases?

Also, are Oracle patches cumulative, specifically security patches? I.e. if you find an Oracle 11g has never been patched since it was installed, is it a case of installing 1 cumulative patchset, or will you likely have to install dozens of security patches?
Question by:pma111
 
LVL 36

Accepted Solution

by:
Geert Gruwez earned 250 total points
ID: 39891674
you can check the dates here :
http://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf

patches are cumulative
install the latest patch is enough
after patching the software, you still need to run the patch update on the db

when changing from release like 11.2.0.1 to 11.2.0.4
it will require an install of the new release, additional patching, upgrading the db


there is always a patch/upgrade document included on how to apply it
0
 
LVL 76

Assisted Solution

by:slightwv (䄆 Netminder)
slightwv (䄆 Netminder) earned 250 total points
ID: 39891699
>>patches are cumulative

Little correction:  Patchsets are cumulative.  Individual one-off patches are not.

You can apply one single patch for Bug-A.  Then find Bug-B and apply a patch for that and it can reintroduce Bug-A.  Trust me, I lived that.
0
 
LVL 3

Author Comment

by:pma111
ID: 39891708
Do patchsets ever include a collection of the one-off patches? Or do you need to install both patchsets and one-off patches for overall peace of mind?
0
 
LVL 3

Author Comment

by:pma111
ID: 39891714
does that link essentially say 10g is no longer supported/being patched then? So staying on 10g is a risk in itself?
0
 
LVL 36

Expert Comment

by:Geert Gruwez
ID: 39891730
yup, 10g is no longer supported since last year July.

no more patches available for download
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39891736
>>do patchsets ever include a collection of the one off patches?

That is pretty much what a patchset is.

>>does that link essentially say 10g is no longer supported/being patched then?

Correct.

>>So staying on 10g is a risk in itself?

Depends.  Just because you can no longer ask Support questions and bugs are no longer fixed, does that mean it is a 'risk'?

It is all about perspective and risk/reward.  You can probably run 10g databases for the next 10 years without a problem in most instances.  In some, 10g will fail immediately with some unknown bug/issue.

For 'most' bugs I stumble across I can find a work-around for them since it takes Oracle weeks and sometimes months/years to fix a bug.

I found a bug once in 10g that 'cannot be fixed'.  Over the weeks/months working with Support I was told the developer was looking at the line of code that caused it but could not 'fix' it.  The bug magically disappeared in the 11g rewrite.
0
 
LVL 36

Expert Comment

by:Geert Gruwez
ID: 39891742
lol, I found a bug in 11.2.0.3 g
> they only want to fix it in 12c
hesitated 2 seconds to fix it in 11.2.0.4 and then said no to that
0
 
LVL 3

Author Comment

by:pma111
ID: 39891744
I think the risk in some cases is if a hacker found a vulnerability in 10g, and even if Oracle knew about it, they wouldn't release a patch as the software is no longer supported. Therefore, if that exploit got into the public domain, any would-be hacker could then target Oracle 10g databases knowing they will be exploitable, as a patch has never been published by Oracle.
0
 
LVL 3

Author Comment

by:pma111
ID: 39891758
are patch sets similar to service packs in ms software?

As a general rule how many patch sets are released per version of oracle rdbms? and how many one off patches are released in between each patch set?
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39891767
>>I think the risk in some cases is if a hacker found a vulnerability in 10g

That's a risk even with current releases:  How long between the time the vulnerability is found and the time a patch is released and applied?

To also mitigate that risk:  It is likely only vulnerable to inside threats.  I hope your database isn't close to your front-end firewalls! So even a known issue should not be easily exploited.

I have this debate with our internal Security folks all the time:
Oracle isn't Windows.  You do NOT patch it just because a new patchset or critical patch is released.

See my comment above:  One patch can break others...

Oracle is good about introducing new bugs in patches to fix other ones.

Unless you have a pretty extensive test plan, don't patch Oracle just because you 'can'.

I get my security folks to leave me alone about patching when I tell them this:
I will apply any patch you all direct me to apply.  However, my work day ends at 4:30PM.  If the patch breaks something I will start working to fix it when I get back in at 8:00AM.

In other words:  You make my database 'break', I'm not working overtime or 24/7 to fix it...

To date:  I patch on my own schedule and ONLY after I have personally tested and approved the patch.
0
 
LVL 36

Expert Comment

by:Geert Gruwez
ID: 39891769
hacker ...
first thing is getting in your network layer
that should also be patched

win2003 goes out of support next year ... :)
0
 
LVL 36

Expert Comment

by:Geert Gruwez
ID: 39891774
lol >  I patch on my own schedule

and when the business grants you some "down" time
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39891776
>>are patch sets similar to service packs in ms software?

They 'can' be.  At times a patchset is just that, a set of patches.  Sometimes, as mentioned above, it is pretty much a complete software install and database upgrade/migration.

These days, it seems to be more of the latter:  Full download, full install.

>>As a general rule how many patch sets are released per version of oracle rdbms?

I think they are trying to go to a quarterly system but don't quote me on that.

They are moving from patchsets whenever and CRITICAL quarterly releases to a 'let's just do it all on a schedule'.

>>and how many one off patches are released in between each patch set?

Really no way to know this.  It 'depends'.
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39891779
>>and when the business grants you some "down" time

I am luckier than most there!  I can schedule it pretty much any time with very minimal notice.
0
 
LVL 36

Expert Comment

by:Geert Gruwez
ID: 39891782
there is an upgrade guide which covers almost all the aspects
here is a link to the contents:
http://docs.oracle.com/cd/E11882_01/server.112/e17222/toc.htm

patching is just a portion of that ... :)
0
 
LVL 36

Expert Comment

by:Geert Gruwez
ID: 39891784
I am luckier than most there!
> Enjoy that while it lasts ...

my next one: 4 am
so  the next team would have plenty of time for testing ... bleh
0
 
LVL 3

Author Comment

by:pma111
ID: 39891836
>That's a risk even with current releases:  How long between the time the vulnerability is found and the time a patch is released and applied?


agree... however, at some point they will release a patch, whereas on 10g they never would..
0
 
LVL 3

Author Comment

by:pma111
ID: 39891843
One more to wrap up: is there any way to query a build number, and from there determine if the latest patchsets are missing or not? Sometimes there is a specific format used in the build number, i.e.

version-sp-patch

Other software only releases bundles as opposed to one-offs, so it's much easier to keep tabs on.
0
 
LVL 36

Expert Comment

by:Geert Gruwez
ID: 39891846
> whereas on 10g they never would...
money can do something about that, and a lot of convincing

it's usually cheaper to upgrade
0
 
LVL 36

Expert Comment

by:Geert Gruwez
ID: 39891861
as slightwv has already said ... it's not really a must to be on the latest patch release
even in companies following sox

for sox, all parties need to agree to apply the patch
that means that all parties need to be informed when there is a patch first,
understand and agree it's necessary to apply it

> if they don't agree it's necessary to apply, then you're still sox compliant
however odd that may be
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39891900
>> and from there determine if the latest patchsets are missing or not?

Only 'major' patches/patchsets change version numbers.  To be honest, I have yet to figure out the reasoning.  For what is 'supposed' to be a minor release can be a full install.

For patches applied with the OPatch utility, the utility will report on what has been applied:
opatch lsinventory

However, some minor patches just involve file copies to specific folders.  A DLL here, a .??? there...  I don't know how you figure out if those have been applied with any type of reporting.
0
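Added example, not part of the thread and not Oracle's code: one way to turn the `opatch lsinventory` report mentioned in the comment above into a list of recorded patches and compare it with a baseline of patch IDs you expect. The sample output is constructed, its layout is an assumption modeled on typical OPatch output, and the patch numbers, dates and function names are placeholders.

```python
import re

# Constructed sample; layout assumed to follow typical `opatch lsinventory`
# output. Patch numbers and dates are placeholders, not real Oracle patches.
SAMPLE = '''\
Installed Top-level Products (1):
Oracle Database 11g                                       11.2.0.4.0
Interim patches (2) :

Patch  11111111     : applied on Tue Jan 14 10:12:33 CET 2014
Unique Patch ID:  22222222
Patch description:  "Database Patch Set Update : 11.2.0.4.1 (11111111)"

Patch  33333333     : applied on Mon Feb 03 09:01:10 CET 2014
Unique Patch ID:  44444444
'''

PRODUCT_RE = re.compile(r"^Oracle Database \S+\s+(\d+(?:\.\d+)+)\s*$")
PATCH_RE = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on\s+(.+?)\s*$")
DESC_RE = re.compile(r'^Patch description:\s*"(.*)"\s*$')

def parse_inventory(text):
    """Return the product version and the patches OPatch has recorded."""
    inv = {"version": None, "patches": []}
    for line in text.splitlines():
        line = line.strip()
        if m := PRODUCT_RE.match(line):
            inv["version"] = m.group(1)
        elif m := PATCH_RE.match(line):
            inv["patches"].append(
                {"id": m.group(1), "applied_on": m.group(2), "description": None})
        elif (m := DESC_RE.match(line)) and inv["patches"]:
            # A description line belongs to the most recent "Patch" header.
            inv["patches"][-1]["description"] = m.group(1)
    return inv

def missing_patches(inv, required_ids):
    """Patch IDs from a baseline that the inventory does not list.

    Patches installed by plain file copy never reach the inventory, so a
    "missing" result means "not recorded by OPatch", not "not installed".
    """
    recorded = {p["id"] for p in inv["patches"]}
    return sorted(set(required_ids) - recorded)

if __name__ == "__main__":
    inv = parse_inventory(SAMPLE)
    print(inv["version"], [p["id"] for p in inv["patches"]])
    print("not recorded:", missing_patches(inv, ["11111111", "55555555"]))
```

In practice the text would come from saving the command's output to a file; the baseline list has to be maintained by whoever tracks which patches the site requires.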
 
LVL 3

Author Comment

by:pma111
ID: 39891945
thanks again

is there anything else "risk wise" associated with not keeping up to date with oracle patches, aside from functionality bugs and security bugs?
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39891954
Is lack of new features and possible better performance a 'risk'?

Remember: A minor number say 11.2.0.1 and 11.2.0.2 (just picked them out of the air) can really be a 'major' release with a LOT of new functionality and have major pieces of code rewritten.
0
