Oracle Critical Patch Updates - Types of Fixes in Database Patches

An issue in applying Oracle Critical Patch Update (CPU) database security patches has been that the patches may include non-security related fixes.  The list of bugs fixed in the database patch readme is cryptic at best and it can be difficult to to determine the true impact of a specific CPU patch.  By including non-security related fixes in the CPU patch reduces the confidence that the patch will not break something.

With the introduction of the "n-apply" patch structure for 10.2.0.3 in the July 2007 CPU, Oracle's policy changed for 10.2.0.3 and later patchsets in that non-security fixes are no longer included in the CPU patches.  From Metalink Note ID 209768.1 Software Error Correction Policy 2.1 -

Starting with Database patch set 10.2.0.3, CPUs have security fixes and any pre-requisite non-security fixes, but no longer contain non-security fixes introduced to resolve patch conflicts.  Even though Oracle intends to include mainly security fixes in CPUs, we may decide to include high-priority non-security fixes. We will always identify them in the CPU documentation.

This policy is for non-Windows platforms as the Windows CPU database patches are still released as patch bundles (e.g., Patch 16).

The disadvantage of this new policy is that some customers will experience a greater number of patch conflicts requiring merge patches.  The "n-apply" patch structure does allow for partial patch installation which reduces the overall exposure and fixes most of the security bugs while waiting for Oracle to create a merge patch.