Software vulnerabilities, flaws in software which might result in compromising the security controls provided by the affected systems, can greatly impact the security posture of an organization. As a result, it is critical that organizations adopt appropriate policies and procedures to deal with security patches to effectively remediate these vulnerabilities when the patches become available.
Critical Patch Updates
In January 2005, the Critical Patch Update (CPU) became Oracle’s primary mechanism for the release of security patches for all its products. Today, the CPU program has vocation to provide security fixes for hundreds of different Oracle products. The program is designed to address two strategic goals:
(1) Providing Oracle customers with a cost effective security vulnerability remediation program, and
(2) Maintaining the best possible security posture for Oracle customers before and after the release of the security fixes by Oracle.
Schedule of the Critical Patch Update
Since the inception of the Critical Patch Update program, Critical Patch Updates were released on the Tuesdays closest to the 15th of the months of January, April, July, October. However, starting in January 2011, the Critical Patch Updates will be released on the Tuesdays closest to the 17th of the months of January, April, July, and October. The Critical Patch Updates and Security Alerts page on Oracle’s web site always list the dates of release for the next four Critical Patch Updates, thus effectively providing a one year notice to customers. On the Thursday before the release of each CPU, a Pre-Release Advisory is published by Oracle. Boththe Pre-Release Advisory and the CPU Release Documentation are posted on the Critical Patch Updates and Security Alerts page on Oracle’s web site located at