If you analyze Oracle's Critical Patch Update for October 2006 Advisory and look for any vulnerabilities affecting the Oracle Database version 126.96.36.199, you will see in the "Oracle Database Risk Matrix" that there are no vulnerabilities for 188.8.131.52. In the "Supported Products and Components Affected" section, 184.108.40.206 is not listed. In the initial release on October 17th of the "Critical Patch Update Availability for Oracle Server and Middleware Products" (MetaLink Note ID 391563.1), for 220.127.116.11 on Unix/Linux and Windows was listed as "not applicable".
So then way did Oracle Support on October 19th change the patch availability for 18.104.22.168 and list a patch being available for 22.214.171.124 on November 15th?
Oracle first fixes security bugs in the current code-line (in this case 126.96.36.199) and then backports the fixes to previous versions. It is not uncommon for a recently released patchset to include all the CPU security fixes, especially since Oracle takes 6-24 months to fix most bugs. 188.8.131.52 was generally released for the major operating system the week of August 21st. In the case of the 5 publicly announced bugs discovered by Red Database Security, 4 were reported to Oracle in November 2005 (DB01, DB04, DB10, DB15) and 1 in April 2006 (DB13). Clearly enough time for Oracle to fix these bugs and include them in the August release of 184.108.40.206.
So at this point it is unclear what is actually fixed by the 220.127.116.11 CPU patch. 18.104.22.168 already includes all the previous CPU patches, therefore, what has been discovered missing from 22.214.171.124?
For planning purposes be sure to include 126.96.36.199 on your list of to be patched databases.
Special thanks to Matt Penny for pointing out the change in status for 188.8.131.52.