23 Replies Latest reply: Aug 3, 2014 9:11 PM by MariaKarpa(MK)

    July2014 Patch

      Hi all,

       

      11.2.0.3.10

      aix6

       

      When will the July2014 patch be delivered?

       

       

      Thanks,

      mk

        • 1. Re: July2014 Patch
          ma365

          Hi,

           

          If you are referring to the quarterly CPU releases for the Oracle database the information can be found here : Critical Patch Updates and Security Alerts

           

          The next CPU release is scheduled for today, July 15th.

           

          Thanks

          Ma

          • 2. Re: July2014 Patch
            ma365

            PSU 11.2.0.3.10 was released in April 2014.

            • 3. Re: July2014 Patch

              Thanks Ma,

               

              We are already in 11.2.0.3.10

               

              Can you enlighten me with these patches please.

               

              We have an old application that has been running since 9i.

              Before, the Oracle motto was: if the application is running fine, don't patch it or don't break it.

              But now, since we are aiming for PCI-DSS certification, we need to apply the quarterly PSU patch.

              Failing to apply even one will drop you from the certified list.

              I know these patches do not affect our application much, since it has worked long before.

              My question is: do we need to do a full regression test of our app on the UAT server before patching the PROD server?

              We have lots of modules that will be tested and hence very tedious to do quarterly regression test.

              Is there a certification from Oracle that there is no need to do regression test for old applications?

              Or what part of our application is affected and only the one to be tested? Just to avoid tiresome full regression test.

               

              Thanks,

              mk

              • 4. Re: July2014 Patch
                FreddieEssex

                I'm not sure that the Oracle motto is "Leave well alone":

                 

                Oracle Critical Patch Update - April 2014

                Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.

                 

                PSU are bug fixes and security patches only so shouldn't affect any of your existing functionality....(I remember reading somewhere but can't find the link).

                 

                We have lots of modules that will be tested and hence very tedious to do quarterly regression test.

                The bottom line is that if that's what you need to stay certified then that's what you need.  You could have different patching policy for different databases.  For example critical databases patched every quarter and patch non-critical databases every year or 6 months or something of the sort.  At the end of the day patching will take a DBA's time, time to plan it, time to test it which will all cost money.

                 

                Is there a certification from Oracle that there is no need to do regression test for old applications?

                To rephrase your question ..."Will Oracle guarantee everything will work the way it did after I apply a PSU patch"....I would doubt it.  However you could raise an SR and ask the question as they do state that it does not change the current database functionality.

                 

                Or what part of our application is affected and only the one to be tested? Just to avoid tiresome full regression test.

                You only need to regression test the functionality which would touch the database.  You don't need to do a full end-to-end regression test.

                 

                So look at the bugs fixed by the PSU and determine if it's less risk to skip the testing cycle or to apply the patch (probably less risky to apply the patch I would think).  So the question of do you need a full regression test depends on your risk analysis.  So if the likelihood of something "breaking" is quite low, but if the impact is high then consider a full regression test.  If the impact is low you may be able to mitigate.  In most banks for example all patches, even PSU's, would go through various test cycles before being applied into critical production databases.  You might apply the patch into one environment/application and test it and use this as mitigation not to test other application/databases.

                • 5. Re: July2014 Patch

                  Thanks Fred,

                   

                  So it is all subjective. It is just saying to test or not to test "at your own risk".

                   

                  It is not clear also to me which patch is needed by PCI-DSS. When I came here in this company, their Oracle consultant support was just applying the PSU patch and not CPU?

                  My understanding is they are only after the PSU security patch? Or is my understanding wrong?

                  But when we scan the database server using NESSUS, it says clear. Does PCI-DSS need CPU too and all other patches mentioned in

                  <Moderator Edit - deleted MOS Doc content - pl do NOT post such content - it is a violation of your Support agreement>


                  Thanks,

                  • 6. Re: July2014 Patch
                    FreddieEssex

                    I don't know what PCI-DSS and NESSUS are, but PSU includes CPU's.  You can't mix and match SPU/PSU at will.  Once you go to PSU you can't easily go back to SPU.

                     

                    Also take a look at this note which addresses some of your earlier questions:

                    Patch Set Updates for Oracle Products (Doc ID 854428.1)

                     

                    <Moderator Edit - deleted MOS Doc content - pl do NOT post such content - it is a violation of your Support agreement>

                     

                    Note that it says low risk and not zero risk....so deciding whether to regression test or not would be dependent on how risk averse you/your organisation is.

                    • 7. Re: July2014 Patch

                      Thanks Fred,

                       

                      We have a meeting today with the Audit group, the QA group, the Dev group and the Security group to discuss what app test plans, scope, and coverage should be done after applying the PSU patch. They decided to let the DBA evaluate first what the patch is all about and what part of the application is affected by it. They are asking if there is a tool in Oracle that acts as a patch "simulator" for the app?

                       

                      I just told them in general the patch would not affect the app by 99.9% . But the 0.1% might affect it, and any of the modules might hit it? right?

                       

                      Thanks,

                      • 8. Re: July2014 Patch
                        chris_c

                        One thing to consider is if you need to apply the patch at all. PCI-DSS doesn't require that you apply security fixes blindly; it requires that you assess each vulnerability and determine if patching is required. Often a vulnerability will require a user with specific privileges or a specific component of the database to be in use. If the risk can be mitigated without patching you have more time to assess and test the patch.

                         

                        As far as patch simulation is concerned there is the Real application Testing option. This allows you to record a production workload and replay it on a test database, useful for testing patches, upgrades and configuration changes. The downside is it is an additional cost option.

                         

                        Chris

                        • 9. Re: July2014 Patch
                          FreddieEssex

                          With regards to what part of the application functionality is affected - PSU should not contain any fixes that affect existing functionality or contain anything that would change the explain plan.

                           

                          With regards to percentages, I wouldn't put such a precise figure on it.

                           

                          Bottom line is a PSU patch is low risk but not zero risk, so up to you how you handle that.  As above, if it's a critical, customer facing, revenue producing database then I would be inclined to push for a regression test.  If it's an internal database that may only impact internal users, using the fact that the patch is installed on another database with no adverse effects, might be mitigation for no testing.

                          • 10. Re: July2014 Patch

                            Thanks chris,fred

                             

                            Unfortunately we are a bank and I think any security patches must be mandatory applied, as "assessment" is subjective. The IT security officer I think will play safe also to better apply than be penalized for not recommending if he is not sure himself.

                             

                            Is this "Real application Testing option" a tool from oracle and can be downloaded?

                             

                            Thanks,

                            • 11. Re: July2014 Patch
                              Aman....

                              RAT is a part of the database itself.

                              Contents

                               

                              Aman....

                              • 12. Re: July2014 Patch

                                Thanks ALL!

                                 

                                I got the patch now :

                                 

                                <mod. action: removed the MOS note content>

                                 

                                Can you help me which of the above patch needs full regression testing from our app?
                                Or can you help me how to evaluate/assess if we need a full regression or not?
                                Thanks all
                                • 13. Re: July2014 Patch
                                  jgarry

                                  We really can't, since we don't have your system.  Also, you are not supposed to post MOS docs in public.

                                   

                                  The things you have to decide are like "are you using materialized views, hints, CLOBS, functional indices..." and all those things listed as fixed.  Of course, implicitly some things get fixed and other things get broke, that's why you decide what is important to test.  And why some people say "damn the torpedoes, full speed ahead" so they avoid being stuck in a couple of years with unsupported out of date versions where we all laugh at them.  Or at ourselves, as the case may be.
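An added example (not part of the post above and not Oracle's own script): one way to answer the "are you using materialized views, hints, CLOBs, functional indices" questions from the data dictionary, so the PSU's fixed-bug list can be matched against what the application actually uses. `APP_SCHEMA` is a placeholder for the application's schema owner.

```sql
-- Added example. Run as a user with SELECT on the DBA_* and V$ views.
-- 'APP_SCHEMA' is a placeholder; replace it with the application owner.

-- 1. Bundle patches (PSU/CPU) recorded in this database: confirms the starting level.
SELECT action_time, action, version, id, comments
FROM   dba_registry_history
ORDER  BY action_time;

-- 2. Materialized views owned by the application.
SELECT owner, mview_name, refresh_method, last_refresh_date
FROM   dba_mviews
WHERE  owner = 'APP_SCHEMA';

-- 3. Function-based indexes.
SELECT owner, index_name, table_name, index_type
FROM   dba_indexes
WHERE  owner = 'APP_SCHEMA'
AND    index_type LIKE 'FUNCTION-BASED%';

-- 4. CLOB/NCLOB columns.
SELECT owner, table_name, column_name, data_type
FROM   dba_tab_columns
WHERE  owner = 'APP_SCHEMA'
AND    data_type IN ('CLOB', 'NCLOB');

-- 5. Hinted statements. V$SQL only shows cursors still in the shared pool,
--    so run this after a representative workload, not after a restart.
SELECT sql_id, SUBSTR(sql_text, 1, 120) AS sql_text
FROM   v$sql
WHERE  parsing_schema_name = 'APP_SCHEMA'
AND    (sql_text LIKE '%/*+%' OR sql_text LIKE '%--+%');

-- 6. Database-wide feature usage as tracked by the instance itself.
SELECT name, version, detected_usages, currently_used, last_usage_date
FROM   dba_feature_usage_statistics
WHERE  detected_usages > 0
ORDER  BY name;
```

Features that return rows and also appear in the PSU's list of fixed bugs are the modules to put first in the regression scope; an empty result for a feature is evidence for leaving the related tests out.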

                                  • 14. Re: July2014 Patch

                                    Hi all,

                                     

                                    Ever since we started patching from PSU 1 to 10, we have not yet encountered any error of "broken" functionality.

                                    So I assume that the 11th patch will also be the same.

                                     

                                    Can RAT really substitute for a full regression test? I tried reading about it but it is so complicated to implement.

                                     

                                    Has anyone here experienced a "broken" functionality after applying a PSU patch?

                                    Where can I find history list of bugs being created ("broken") as a result of applying a PSU patch?

                                     

                                     

                                    Thanks,

                                    mk
