Oracle Adds Pre-Release Announcements to Critical Patch Update Process

Oracle is now going to publish a "Pre-Release Announcement" for each Critical Patch Update starting with the CPU to be released next week.  The Pre-Release Announcement contains the executive summaries, list of affected products, and the highest CVSS score for each product.  The January 2007 CPU Pre-Release Announcement is available here.

In the short-term, I don't think it will have much of an impact on your planning as there is such a back-log of open security bugs, all the CPUs to-date and in the foreseeable future are very similar in scope and severity.  There are a few instances where the pre-announcement will be helpful to a customer -

• Oracle Application Server implementations that are connected to the Internet  - customers should be prioritizing these servers for patching.
• Internet Accessible Oracle Applications modules (iStore, iSupplier, etc) - again these implementations should be prioritize and downtime scheduled to apply these patches based on the CPU announcement.
• Applications that are not routinely in a CPU (PeopleSoft, Siebel, JD Edwards, Oracle Collaboration Suite, Oracle Pharmaceutical, Oracle Retail, etc.) - at least you will know to look or not look at the CPU.

If and when the number of fixed security bugs reaches a more manageable number, then the announcement will be more useful and provide an indicator of what to expect in the CPU.

Customers should push Oracle to have the pre-announcement released earlier than 5 days before the CPU.  I would suggest at least the Monday or Tuesday prior to allow for the necessary approvals and notification for downtime the weekend following the CPU release or the end of the month.