As I have previously discussed (here and here), Oracle is requiring recent ATG rollup patches to be installed as prerequisites for the Critical Patch Updates. The ATG_PF rollups are generally released every 6 months. For ATG_PF.H, the following rollups have been released:
CU1 = February 2005
CU2 = July 2005
RUP3 = February 2006
RUP4 = August 2006
The rollup patches contain the latest code for AOL, Alerts, Oracle Applications Framework, Oracle Applications Manager, Workflow, XML Gateway, User Management, and CRM Technology Foundation, to name just a few of the modules. Also included are recent AutoConfig template files. These are significant patches and need to be thoroughly regression tested.
RUP3 is the minimum requirement for the October 2006 Critical Patch Update. Starting with the July 2007 CPU, you must be running at least RUPn-1 (where n is the current RUP). The January 2007 and April 2007 CPUs most likely will require at least RUP3.
Based on timing, this means that to apply CPU patches in the future, you will at least have to have tested and applied a major ATG_PF patch in the previous 8 months. The rollups also require that the latest AD patchset (e.g., AD.I.4) be applied and that the database be at least 9i. For implementations running Oracle Application Server 10g integration, the latest integration patches must be applied.
Many implementations do not apply technology patches on a regular basis, but require CPUs to be installed within 60-180 days. Security-sensitive organizations have to make sure their internal release and upgrade timelines are in sync with the Oracle RUP releases. Annual upgrade schedules probably have to be abandoned in favor of quarterly or semi-annual technology upgrades. At least every 6 months, an ATG RUP, AD minipack, and database upgrade are probably required moving forward.
Our recommendation is still to prioritize and install the latest cumulative database security patch within 30 to 60 days, since it corrects the largest number of vulnerabilities, including the most critical and the easiest to exploit. Feedback from our clients shows very few problems with the database security patches, and some companies are moving to minimal testing for these patches. Oracle Applications patches should be addressed next and coincide with a quarterly or semi-annual technology upgrade schedule. Application Server patches are often not as critical as the database and application patches; therefore, these patches should be prioritized last for non-Internet implementations.