Oracle recently confirmed that it is postponing the release of current security fixes while it constructs a monthly patch roll-up program. But do regular roll-ups really serve users needs?
Interviewed at the SHARE conference in New York, mainframe and Windows users said they see certain merits in the type of program planned by Oracle Corp. But they also emphasized the need for vendors to be flexible about update deliveries, particularly when it comes to critical fixes.
“The DBAs [database administrators] I work with have been in constant communications with Oracle about various issues. So, I can see where a regular patch roll-up program from Oracle would be a good idea,” said George DeLanty, VM manager at CitiCorp.
Windows administrators at SHARE recognized similarities and differences between Oracles plan and Microsofts Patch Tuesday program, introduced last year.
Kent L. Hillman, a tech support staffer for the state of Missouri, said he finds Patch Tuesday helpful in planning the testing and implementation of Windows 2003 servers. But Hillman also said he wants to be able to download critical fixes from Microsoft as soon as those patches are ready.
Oracles first monthly roll-up, slated for release Aug. 31, will include patches for vulnerabilities the vendor has known about since January and February. The patches are for Oracle Database, Application Server and Enterprise Manager.
The vulnerabilities have been already been fixed in base development, the main code base for Oracle software, an Oracle spokeswoman said. She attributed the delay to a company policy that requires all significant security issues to be fixed at the same time, on all supported platforms and releases.
For its part, CitiCorp has large numbers of Oracle datasets running on both the Linux and MVS platform, according to DeLanty. The company is operating nine instances of Oracle on Novells SuSE Linux in production mode, and 100 instances in test mode. CitiCorp is also running IBMs competing DB2 database on MVS, using DB2 Connect to link to Linux environments.
“We now have a requirement to run Oracle on Linux,” DeLanty said. “If users are querying over the Web, it works better if the database is closer to the Web.”
DeLanty added that CitiCorp has been getting frequent software updates to SuSE Linux via a subscription service operated by Novell.
As VM manager, however, DeLanty oversees mainframe OS updates. Like other attendees interviewed at SHARE, an IBM users conference, DeLanty wanted to focus his comments about software updates around the products he knows best. Like other mainframe administrators at the show, he indicated that IBM provides a wide range of choice over when and how to update the OS.
“We do most of our updates through FTP downloads. But if the updates get too voluminous, we have a CD or a tape shipped over,” DeLanty said.
In contrast, Banco Bradesco in Brazil updates its mainframe feature set every six months, applying critical hot fixes in between only on an “as-needed” basis, according to Jose Augusto Oliveira, manager at the bank. “Unfortunately, we dont have time to do major updates more often than this,” he said.
Also expressing a range of different update preferences were administrators at installations expanding from IBM mainframes into Microsoft Windows.
Software developer Eclipsys Corp. receives regular OS updates from IBM to support its mainframe-based products, according to Steve Barnness, the ISVs systems program manager.
But in other areas, Eclipsys is satisfied with “as-needed” updates, he said. New features in Eclipsys homegrown health care application constitute one example. Also, “as-needed” Windows software updates are adequate for a .NET port the vendors been performing.
Meanwhile, at the state of Missouri, most of the Windows 2003 servers now in use are being deployed as Exchange mail servers, according to Hillman.
“At the moment, once a month is good for software roll-ups from Microsoft. But that could change at any time, depending on our needs,” Hillman said.