CPU October 2006 and 9.2.0.8 Mystery Patch

If you analyze Oracle's Critical Patch Update for October 2006 Advisory and look for any vulnerabilities affecting the Oracle Database version 9.2.0.8, you will see in the "Oracle Database Risk Matrix" that there are no vulnerabilities for 9.2.0.8.  In the "Supported Products and Components Affected" section, 9.2.0.8 is not listed.  In the initial release on October 17th of the "Critical Patch Update Availability for Oracle Server and Middleware Products" (MetaLink Note ID 391563.1), for 9.2.0.8 on Unix/Linux and Windows was listed as "not applicable".

So then way did Oracle Support on October 19th change the patch availability for 9.2.0.8 and list a patch being available for 9.2.0.8 on November 15th?

Oracle first fixes security bugs in the current code-line (in this case 9.2.0.8) and then backports the fixes to previous versions.  It is not uncommon for a recently released patchset to include all the CPU security fixes, especially since Oracle takes 6-24 months to fix most bugs.  9.2.0.8 was generally released for the major operating system the week of August 21st.  In the case of the 5 publicly announced bugs discovered by Red Database Security, 4 were reported to Oracle in November 2005 (DB01, DB04, DB10, DB15) and 1 in April 2006 (DB13).  Clearly enough time for Oracle to fix these bugs and include them in the August release of 9.2.0.8. 

So at this point it is unclear what is actually fixed by the 9.2.0.8 CPU patch.  9.2.0.8 already includes all the previous CPU patches, therefore, what has been discovered missing from 9.2.0.8?

For planning purposes be sure to include 9.2.0.8 on your list of to be patched databases.

Special thanks to Matt Penny for pointing out the change in status for 9.2.0.8.