Oracle will begin issuing security patches for its software on a quarterly basis, starting in January.
The updates are scheduled for release via MetaLink, Oracle’s support web site, on Jan. 18, April 12, July 12, and Oct. 18.
In a conference call Thursday, Oracle CSO Mary Ann Davidson said the quarterly schedule was chosen after talking with customers over the past year about moving to a regular scheduled delivery of patches.
“We found customers would generally prefer to get something on a schedule they can plan around rather than getting notice on a Monday and having to drop things and patch under duress,” she said.
Customers did not want patches on a monthly basis, Davidson said. Microsoft moved to a monthly patch release a year ago.
Quarterly releases seemed to be the “sweet spot” that does not expose customers by waiting too long for a patch but does not overwhelm them, she said. “If you issue them too frequently, customers have a meltdown to where they can’t keep up with them.”
The patches will address vulnerabilities in Oracle Database, as well as the vendor’s application server, e-business suite, enterprise manager, and collaboration suite products. They also will include non-security fixes and be cumulative.
Oracle may, on occasion, issue a security patch outside of the quarterly schedule if the circumstances warrant it, Davidson said.
The schedule was designed to avoid common times when companies will not update their systems, such as end of quarter when they are closing their books, she added.