
Is it Really That Critical to Patch? Oracle CPU Patching

Author: Cindy Putnam | April 18, 2019

Every quarter, Oracle releases a CPU (Critical Patch Update) and a PSU (Patch Set Update): security updates that fix flaws and remediate Oracle security vulnerabilities. As expected, Oracle describes these patches as “highly recommended” or “critical” and advises DBAs to apply them to the binaries.

However, a recent survey of Oracle DBAs indicated that only one-third of DBAs have ever applied a CPU or PSU patch. So, are these “critical” patches really that necessary? Short answer: YES!

Benefits of Patching

Oracle recommends that customers apply the Critical Patch Updates when they become available to ensure proper security measures and address any known security risks. However, immediate and systematic application of every security patch on an ongoing basis for all production systems may be difficult for some organizations because of the complexity of the environment or due to production requirements. Therefore, Oracle has intentionally designed the Oracle Database Server, Oracle Application Server, Oracle Enterprise Manager, and Oracle E-Business Suite R12 patches to be cumulative. As a result, each CPU for these products contains the security fixes from ALL previous Critical Patch Updates. The benefit for customers is clear: applying the most recent Critical Patch Update will install all the fixes that were previously released for these products.

DBAs who apply the most recent patch sets also get the benefit of previously released security fixes. That is because security fixes are also included in patch sets and in new product releases (Oracle’s policy is to first fix security vulnerabilities in the current code, i.e., the code used for the next release of the product). The inclusion of security fixes in patch sets and product releases gives customers more patching flexibility, effectively allowing those who plan to deploy the most recent patch set to “skip” applying a Critical Patch Update.

It is best practice to apply the patches to lower environments before the production environment. Once sufficient testing and analysis are complete, the patch may be applied to production. Before applying a patch to a production environment, it is always a good idea to review the AWR and ADDM reports for the databases and compare them for significant differences, such as changes in optimizer paths.
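One way to make the optimizer-path comparison concrete in a lower environment is to query the AWR history directly. This is an added example, not code from the original post; it assumes AWR is licensed and in use, and the four bind variables are hypothetical names for snapshot ID ranges that bracket the same workload before and after the patch.

```sql
-- Added example: list statements that run with an execution plan after
-- patching that was never seen for the same SQL_ID before patching.
-- :pre_begin/:pre_end and :post_begin/:post_end are assumed bind variables
-- holding AWR snapshot IDs taken in the patched test environment.
WITH pre_patch AS (
  SELECT sql_id,
         plan_hash_value,
         SUM(executions_delta)   AS execs,
         SUM(elapsed_time_delta) AS elapsed_us   -- microseconds
  FROM   dba_hist_sqlstat
  WHERE  snap_id BETWEEN :pre_begin AND :pre_end
  AND    plan_hash_value <> 0                    -- skip rows with no plan
  GROUP  BY sql_id, plan_hash_value
),
post_patch AS (
  SELECT sql_id,
         plan_hash_value,
         SUM(executions_delta)   AS execs,
         SUM(elapsed_time_delta) AS elapsed_us
  FROM   dba_hist_sqlstat
  WHERE  snap_id BETWEEN :post_begin AND :post_end
  AND    plan_hash_value <> 0
  GROUP  BY sql_id, plan_hash_value
)
SELECT a.sql_id,
       b.plan_hash_value AS plan_before,
       a.plan_hash_value AS plan_after,
       ROUND(b.elapsed_us / NULLIF(b.execs, 0) / 1000, 2) AS ms_per_exec_before,
       ROUND(a.elapsed_us / NULLIF(a.execs, 0) / 1000, 2) AS ms_per_exec_after
FROM   post_patch a
JOIN   pre_patch  b ON b.sql_id = a.sql_id
WHERE  NOT EXISTS (                              -- plan is new since the patch
         SELECT 1
         FROM   pre_patch p
         WHERE  p.sql_id = a.sql_id
         AND    p.plan_hash_value = a.plan_hash_value)
ORDER  BY ms_per_exec_after DESC NULLS LAST;
```

Statements at the top of the result changed plans and are now the slowest per execution, so they are the ones to investigate before the patch is promoted to production.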

Disadvantages of Patching

So why don’t DBAs or companies require DBAs to keep current with the known security flaws and apply the patches quarterly?

The most significant reason is time. The time to apply the patches varies with each patch and the size of the database. Some patches simply update the binaries and require a bounce of the database, while others require both the binary update and a data dictionary update and can sometimes take a bit of time. Multiply that by 2-5 lower environments and suddenly you’re talking about a significant amount of time to implement these patches (not to mention time for testing). Some organizations simply cannot afford the time for patches.

The decision to regularly apply the CPU or PSU patches rests with management and business owners depending on whether the risk of possible security breaches is worth the time to apply the patches. It’s an ongoing discussion. Most security-conscious organizations require mandatory patching regardless of all other considerations.


Most DBAs and organizations that do not regularly apply security patches are wary of the complications that may be introduced to the environment. Oracle has done a commendable job lately to mitigate these concerns, and CPU and PSU patching has become much less complicated and much more straightforward.

Need support applying Oracle database patches? Contact our experienced Oracle database team today. We can give you the support you need when you need it so you can continue to focus on strategic initiatives that will move your organization forward.
