Solution Beacon Security Best Practice #15
Plan ahead. Plan for quarterly security patch updates and build these Critical Patch Updates (CPUs) into your release management and release planning process. Here are some important notes from MetaLink Note 360470.1, “Oracle Critical Patch Updates and Security Alerts Frequently Asked Questions”:
“In January of 2005, we changed the method and schedule by which we deliver security patch updates and security fixes for all of our products. A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches. Oracle provides CPUs for all product offerings on a quarterly schedule. Customers prefer to have a regular, planned schedule for patching their systems. After surveying customers across a variety of industries, we found that a quarterly process strikes a balance between issuing patches so frequently that customers cannot keep up with them, and so infrequently that customers may be exposed to an unpatched and serious security vulnerability.”
Prior to the Critical Patch Update Program, the Oracle Security Alert was the primary means of releasing security fixes for Oracle products. After the introduction of the Critical Patch Update Program, Oracle may occasionally issue a Security Alert in cases where we are releasing an interim (one-off) security patch in advance of a Critical Patch Update.

I strongly recommend applying Oracle’s Critical Patch Updates (CPUs) on a quarterly basis, shortly after they are released. Note that extensive testing is often required, as these “updates” are often effectively upgrades to the Applications technology stack and need to be thoroughly tested. You should also watch for Oracle’s occasional Security Alerts: if a fix is released separately from the CPU, the security issue is likely to be a very serious one. Oracle’s security alerts are published at: http://www.oracle.com/technology/deploy/security/alerts.htm Keep in mind that if you’ve received notification of a security issue, so have potential hackers!
An important note: in general, CPU patches for Oracle technology-stack products are cumulative, so applying the most recent CPU gives you the fixes from all prior CPUs. However, CPU patches for the E-Business Suite are NOT cumulative, so if you fall behind you have to apply the patches from each of the prior CPUs you missed.
The pertinent MetaLink notes on past CPUs are located below:
The CPU patches are released on the Tuesday closest to the 15th day of January, April, July and October. The next four dates are listed below and you should plan these into your release management schedule.
- 17 April 2007
- 17 July 2007
- 16 October 2007
- 15 January 2008
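To plan these dates into a release calendar, and to work out what a given system still owes, the “Tuesday closest to the 15th” rule above and the cumulative-versus-non-cumulative distinction can be turned into a small script. The following is an added example written for this post; it is not code from Solution Beacon or Oracle. It assumes only the rule stated on this page (CPUs in January, April, July and October, on the Tuesday nearest the 15th) and that technology-stack CPUs are cumulative while E-Business Suite CPUs are not; the function names and the sample dates are my own.

```python
from datetime import date, timedelta

# Months in which a Critical Patch Update ships, per the schedule on this page.
CPU_MONTHS = (1, 4, 7, 10)
TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def cpu_release_date(year, month):
    """Return the CPU release date for a CPU month: the Tuesday closest to the 15th."""
    if month not in CPU_MONTHS:
        raise ValueError("not a CPU month: %d" % month)
    fifteenth = date(year, month, 15)
    # Signed offset from the 15th to the nearest Tuesday, normalised to -3..+3.
    # A week has an odd number of days, so there is never a tie.
    offset = (TUESDAY - fifteenth.weekday() + 3) % 7 - 3
    return fifteenth + timedelta(days=offset)


def next_cpu_dates(start, count=4):
    """The next `count` CPU release dates strictly after `start`."""
    out = []
    year = start.year
    while len(out) < count:
        for month in CPU_MONTHS:
            d = cpu_release_date(year, month)
            if d > start and len(out) < count:
                out.append(d)
        year += 1
    return out


def cpu_dates_between(after, until):
    """CPU release dates d with after < d <= until, in chronological order."""
    out = []
    for year in range(after.year, until.year + 1):
        for month in CPU_MONTHS:
            d = cpu_release_date(year, month)
            if after < d <= until:
                out.append(d)
    return out


def cpus_to_apply(last_applied, today, cumulative):
    """Which CPUs a system patched up to `last_applied` still needs as of `today`.

    cumulative=True  models the technology stack: only the newest missed CPU is needed.
    cumulative=False models the E-Business Suite as described above: every missed
    CPU must be applied.
    """
    missed = cpu_dates_between(last_applied, today)
    if not missed:
        return []
    return missed[-1:] if cumulative else missed


if __name__ == "__main__":
    # Constructed scenario: planning from 1 Feb 2007 (the post's own horizon).
    for d in next_cpu_dates(date(2007, 2, 1)):
        print("CPU release:", d.strftime("%d %B %Y"))
    # Constructed scenario: a host last patched with the January 2007 CPU,
    # reviewed on 20 Oct 2007.
    last, now = date(2007, 1, 16), date(2007, 10, 20)
    print("Database (cumulative):  ", cpus_to_apply(last, now, cumulative=True))
    print("E-Business Suite (not): ", cpus_to_apply(last, now, cumulative=False))
```

Running it with the February 2007 start date reproduces the four dates listed above; the second scenario shows why falling behind is cheap for the technology stack (one patch) and expensive for the E-Business Suite (three).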