Risk: Informational
Oracle have announced plans to adopt a quarterly security patch cycle. The enterprise software giant says that adopting a fixed delivery schedule will make it easier for customers to plan updates and thereby help them reduce costs.
The updates are scheduled to be issued to customers simultaneously via Oracle's support web site, MetaLink, next year on 18 January, 12 April, 12 July and 18 October. Products to be covered under the new patching regime include Oracle Application Server, Oracle Database, Oracle E-Business Suite, Oracle Enterprise Manager and Oracle Collaboration Suite. Oracle previously said it would issue patches monthly, like Microsoft, it's now come round to the view that once every three months is frequent enough. Oracle said that releasing security updates as a "single, well-integrated and well-tested patch that fixes multiple, high-priority vulnerabilities" will help to reduce the costs of applying patches.
The software giant argues that reacting to unscheduled "surprise" patch alerts makes this difficult for customers. Whilst there's some truth in this Oracle ought to consider the possible impact of having an unfixed security bug across its customer base for months on end. Oracle's public pronouncement doesn't give much room for manoeuvre but we hope the database giant has the good sense to issue an emergency fix in circumstances where a security flaw is been actively exploited.