The most important reason why you must patch your Oracle Database is security. The threats any company faces today are very different from those of 10 or 20 years ago. Especially since the introduction of ransomware, everyone is a target.
When I talk to database specialists, there is consensus about the importance of applying patches. Luckily, it’s rare nowadays that you have to argue with people over it. Further, I see more and more companies putting this higher on the agenda. I know patching is extra work, but you must do it. You must avoid the embarrassment and potentially devastating effect on your company, as explained by Connor McDonald.
How do you patch the Oracle Database? Release Updates are the vehicle for delivering security fixes to your Oracle Database; so far, so good. But what about the client? How often do you patch your Oracle Database clients? Do you need to patch the client?
As always, the answer is: It depends… on which clients you are using.
The Critical Patch Updates
The place to look for information about security issues is the critical patch updates (CPU). Be sure to check it every quarter when the new one comes out.
If a specific client is affected, it is listed. For example, check the CPU from January 2023. It lists a vulnerability in Oracle Data Provider for .NET.
If you look back a few more quarters, vulnerabilities in the client appear to be rare. But they do occur.
Client-Only
If you use client-only installations, you can check the Oracle Database Server Risk Matrix in the CPU. In the text, Oracle states whether the vulnerabilities affect client-only installations.
Here is an overview of the last three years showing whether the vulnerabilities affected the client-only installation.
| Release Update | Client-only affected |
|---|---|
| October 2023 | No |
| July 2023 | Yes |
| April 2023 | No |
| January 2023 | Yes |
| October 2022 | No |
| July 2022 | Yes |
| April 2022 | No |
| January 2022 | No |
| October 2021 | No |
| July 2021 | Yes |
| April 2021 | Yes |
| January 2021 | No |
To patch a client-only installation, you download the latest Release Update and apply it to the Oracle home, just as you would for the Oracle Database itself (the server).
You can use ORAdiff to find a list of included fixes.
Instant Client
For Instant Client, you download a new package and overwrite the existing Instant Client installation.
JDBC
To update JDBC, you download new jar files or use Maven Central Repository. On the JDBC download page, you can find a list of bugs fixed in the various releases. Here is the list for 19c.
ODP.NET
For Oracle Data Provider for .NET (ODP.NET), you can find the latest drivers on NuGet Gallery. The readme section has a list of bugs fixed since the previous version.
OCI
For OCI (Oracle Call Interface), you get the latest instant client and extract the relevant files from there.
ODAC
The Oracle Data Access Components (ODAC) package also contains other clients. You download the latest version and follow the instructions to unpack it.
Recommendation
For the database server, I strongly recommend:
- Applying patches every quarter.
- Using the latest Release Updates, although I do also understand why some people prefer to use the second latest Release Update (an N-1 approach).
For the database clients, I recommend:
- Having a structured process to evaluate the risk when the Critical Patch Update Advisories come out every quarter.
- Assess not only the security issues but also functional issues. Some drivers have a list of bugs fixed. Use it to determine whether you use functionality that could benefit from the bug fixes.
- Applying patches to your clients periodically. This ensures you have a structured and well-tested process. When it becomes urgent to patch your client, it’s easy because you’ve already done it so many times.
In general, I strongly recommend:
- Fully automating the process. Automation is paramount in modern-day IT.
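One building block for such a structured, automated evaluation, as an added example that is not part of the original post: a small Python check that parses the version output of `sqlplus -V` (full client home) and `java -jar ojdbc8.jar -getversion` (JDBC thin) and reports which clients sit below the minimum Release Update you decide on after reading the quarter's CPU. The inventory, the version outputs and the `MINIMUM_RU` values are constructed assumptions for illustration.

```python
from __future__ import annotations
import re
from typing import Optional

# Sample version output, constructed for this example. The line layouts follow
# what `sqlplus -V` and `java -jar ojdbc8.jar -getversion` print; the version
# numbers and host names themselves are illustrative.
INVENTORY = {
    "app-server-01 (full client home)": (
        "SQL*Plus: Release 19.0.0.0.0 - Production\n"
        "Version 19.18.0.0.0\n"
    ),
    "batch-host-02 (JDBC thin)": (
        "Oracle 19.21.0.0.0 JDBC 4.2 compiled with javac 1.8.0_201 "
        "on Tue_Jul_25_06:46:00_PDT_2023\n"
    ),
    "legacy-host-03 (unknown)": "command not found\n",
}

# Minimum Release Update per release line, decided after reading the quarter's
# CPU. Assumed values for illustration; set them from the current advisory.
MINIMUM_RU = {19: 21, 21: 12}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def release_update(output: str) -> Optional[tuple[int, int]]:
    """Return (major, update) from a client's version output, or None.

    `sqlplus -V` prints both the base release (19.0.0.0.0) and the patched
    version (19.18.0.0.0); the highest five-part number is the installed RU.
    """
    versions = [tuple(int(p) for p in m.groups()) for m in VERSION_RE.finditer(output)]
    if not versions:
        return None
    major, update, *_ = max(versions)
    return major, update


def classify(output: str) -> str:
    """'ok', 'behind', or 'unknown' (no parsable version: needs a manual look)."""
    ru = release_update(output)
    if ru is None:
        return "unknown"
    major, update = ru
    required = MINIMUM_RU.get(major)
    if required is None or update < required:  # a release line not in the table also counts as behind
        return "behind"
    return "ok"


def needs_attention(inventory: dict[str, str]) -> dict[str, str]:
    """Map each client that is not 'ok' to its status, for the patch work list."""
    return {name: status for name, out in inventory.items()
            if (status := classify(out)) != "ok"}


if __name__ == "__main__":
    for name, status in needs_attention(INVENTORY).items():
        print(f"{status:8} {name}")
```

In practice the outputs come from running the two commands on each host (or from a configuration-management inventory) rather than from the embedded samples.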
