While DBAs say quarterly patch rollups will serve them better than monthly ones, they and analysts stress that Oracle needs to give more details on the consequences of not applying its patches.
In switching to a schedule of quarterly patch rollup releases,
Oracle Corp. is sparing grateful DBAs and customers from the constant patching of monthly releases, to which the company originally alluded three months ago.
"We began talking about going to a regularly scheduled delivery model for patch delivery over the last year," Oracle chief security officer Mary Ann Davidson said Thursday in a conference call with journalists.
"We found that customers would prefer to get things on a schedule they can plan around that fixes multiple things, as opposed to patching on, say, a Wednesday or a Thursday, being forced to drop [other tasks], and patching under duress."
Click here to read about Oracles earlier decision to patch monthly.
Duress is certainly what customers feel when facing monthly patching, according to Ian Abramson, chief technology officer at Red Sky Data Inc., in Toronto.
"Its a good idea to decrease the frequency," Abramson said. "[Database administrators] have enough to do now. If they put out a patch every month, theres no way theyre doing anything but installing patches," what with testing the patch, backing up the system in question and then installing the patch, he said.
When people speak of monthly patch releases, they are of course talking about Microsoft Corp.s patch release schedule. Whereas most agree that copying Microsofts schedule
would put an undue burden on already maxed-out DBAs, some say they would encourage Oracle to copy its rival in other ways, such as picking up on the automatic patch update capability and tools built into Microsofts infrastructure.
"Microsoft has spent a lot of time and money making the patching process easy and fast," said Aaron Newman, database security expert, chief technology officer and co-founder of Application Security Inc., in New York.
"With auto update and tools that make it pretty simple to roll out, you have the facility to roll a patch out to 5,000 servers. Oracle doesnt have the ability to roll out patches to 5,000 servers," at least not easily, Newman said, given the fact that it takes four to five hours to research a patch, back up the database, test the patch and install it.
Not everybody thinks the click-here scenario is appetizing when it comes to Oracle systems, however. "In theory I like it.
But Im not willing to trust that to a point-and-click scenario," Abramson said. "You dont want it to be too simple so that anybody who does it may not have the knowledge to do it.
"I would like to see Oracle simplify [patch installation], because it would be nice to just click and get updates, and part of the database installer would be that it just downloads a patch and starts the installer.
But if its just point and click, its a little too easy to install [something like Windows Service Pack 2, about which many complaints have been lodged].
"Things go critically wrong, and your business ends up further behind than they would have been had they been a little more careful with the installation," he said. "Its too easy to hit yes to continue when you should have hit no."
No further patch details forthcoming.