An issue in applying Oracle Critical Patch Update (CPU) database security patches has been that the patches may include non-security related fixes. The list of bugs fixed in the database patch readme is cryptic at best and it can be difficult to to determine the true impact of a specific CPU patch. By including non-security related fixes in the CPU patch reduces the confidence that the patch will not break something.
With the introduction of the "n-apply" patch structure for 10.2.0.3 in the July 2007 CPU, Oracle's policy changed for 10.2.0.3 and later patchsets in that non-security fixes are no longer included in the CPU patches. From Metalink Note ID 209768.1 Software Error Correction Policy 2.1 -
Starting with Database patch set 10.2.0.3, CPUs have security fixes and any pre-requisite non-security fixes, but no longer contain non-security fixes introduced to resolve patch conflicts. Even though Oracle intends to include mainly security fixes in CPUs, we may decide to include high-priority non-security fixes. We will always identify them in the CPU documentation.
This policy is for non-Windows platforms as the Windows CPU database patches are still released as patch bundles (e.g., Patch 16).
The disadvantage of this new policy is that some customers will experience a greater number of patch conflicts requiring merge patches. The "n-apply" patch structure does allow for partial patch installation which reduces the overall exposure and fixes most of the security bugs while waiting for Oracle to create a merge patch.