It’s patching time again. The January 2018 Database RU and RUR have been released, along with other patch bundles, and not only for the database but for many other products as well. Below I summarize the most important information and links.
January 2018 Database RU and RUR got released
First of all always have a look at the Critical Patch Alert and the Risk Matrix:
Then you’ll see that there are three fixes included for vulnerabilities which may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
Afterwards please download the patches via this note:
- MOS Note 2325393.1
(Critical Patch Update (CPU) Program January 2018 Patch Availability Document (PAD))
Section 3.1.4.1 has the download links for the database releases 12.2.0.1, 12.1.0.2 and 11.2.0.4.
Update (RU) and Revision (RUR) nomenclature
A quick explanation as this – IMHO – is not obvious to everybody at first sight.
In section 3.1.4.2 of MOS Note 2325393.1 you’ll find the following patches (and of course others):
- Database Jan 2018 RU 12.2.0.1.180116 Patch 27105253 for UNIX, or
- Database Jul 2017 RUR 12.2.0.1.180116 Patch 27013506, or
- Database Oct 2017 RUR 12.2.0.1.180116 Patch 27013510
This means:
- January 2018 Update (RU)
Database Jan 2018 RU 12.2.0.1.180116 Patch 27105253 for UNIX
It is the fresh new Update (RU) from January 2018.
This is the one you should install.
- January 2018 Revision (RUR) based on the July 2017 Update (RU)
Database Jul 2017 RUR 12.2.0.1.180116 Patch 27013506
In addition to the January 2018 Update, Revision 2 for the July 2017 Update (RU) is available. It contains the security fixes from October 2017 and January 2018 but misses the additional fixes from October 2017’s Update and January 2018’s Update. Keep in mind that there won’t be another Revision on top of the July 2017 Update.
- January 2018 Revision (RUR) based on the October 2017 Update (RU)
Database Oct 2017 RUR 12.2.0.1.180116 Patch 27013510
And finally this is the Revision 1 (RUR1) for the October 2017 Update (RU). It does contain the security fixes from January 2018 but for instance no new optimizer fixes (which are turned off if they change behavior anyways).
I think the order in the document is a bit misleading, having the Update first, then Revision 2 and then Revision 1.
Hope this helps a bit.
In addition you may read on about how to apply an Update (RU) to Oracle Database 12.2.0.1:
–Mike
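To check which of the three 12.2.0.1 bundles described above is on an Oracle home, the following added example (not from the original post or from Oracle) classifies `opatch lspatches`-style lines by the patch numbers listed in the post. The function name, the output labels and the sample input are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: report which of the three 12.2.0.1 January 2018 bundles
# named in the post appears in `opatch lspatches`-style output.

# classify_bundle reads "patch_id;description" lines on stdin and prints
# "<patch_id> <bundle> non-security-fixes-as-of=<YYYY-MM>" for the first
# known bundle. Per the post, all three carry the January 2018 security
# fixes; they differ only in how recent the other fixes are.
# Prints "none" and returns 1 when none of the three ids is present.
classify_bundle() {
  while IFS=';' read -r id rest || [ -n "$id" ]; do
    # Only the id is parsed; drop blanks and a trailing CR if present.
    id=$(printf '%s' "$id" | tr -d ' \t\r')
    case "$id" in
      27105253) echo "$id RU non-security-fixes-as-of=2018-01";   return 0 ;;
      27013510) echo "$id RUR1 non-security-fixes-as-of=2017-10"; return 0 ;;
      27013506) echo "$id RUR2 non-security-fixes-as-of=2017-07"; return 0 ;;
    esac
  done
  echo "none"
  return 1
}

# Constructed sample (the id 99999999 and both descriptions are made up).
# On a real home the input would come from:
#   $ORACLE_HOME/OPatch/opatch lspatches
sample='99999999;constructed one-off patch
27013510;constructed description of the Oct 2017 based revision'
printf '%s\n' "$sample" | classify_bundle
```

A result of RUR1 or RUR2 means the home has the January 2018 security fixes but not the other fixes of the later Updates, as explained above.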
Hey Mike, thanks for your article, it is helpful as always.
Just a small typo: In part “January 2018 Revision (RUR) based on the October 2017 Update (RU)” I think you mean “RUR1” and not “RU1” as you write it.
Thanks!
THANK YOU!!!!!
Cheers,
Mike
Hello Mike, according to http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html, am I to understand that the January CPU includes NO fixes for Oracle database 12cR2? “Affected versions” says “11.2.0.4, 12.1.0.2”.
Frank,
you have accessed the Jan 2017 (!!) document
We have 2018 already. 12.2 was not available at this time – that’s why 12.2 is not mentioned.
Please see here:
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Cheers,
Mike
Sorry Mike. I clicked on the https://blogs.oracle.com/security/ link that’s in the “Oracle Critical Patch Update for January 2018” e-mail we received yesterday from Oracle Security Alerts. It points to http://app.response.oracle-mail.com/e/er?elq_mid=98964&sh=21092613162322091312132412060907293412332734&cmid=SPPT160711P00036&s=1973398186&lid=77309&elqTrackId=9cb712be92a64266bdd1d29d6c62bdce&elq=6aba5b286b9e418998caa2e93946132f&elqaid=98964&elqat=1
I should have looked closer at that page — my bad.
Thanks Frank
And sorry for the inconvenience
Cheers,
Mike
Hi Mike,
good information – thanks for this. We are running a different set to be on the latest quarterly patchset.
11.2.0.4 + 12.1.0.2 (over 90% of our databases) – PSU plus required one-off patches
12.2 RU
For the RU we do not have a problem as for the RURs, but for the PSUs we are seeing the same damned issue each quarter. There is proper documentation of what patches are needed on top of the PSU, but the update of this documentation always needs to be requested and the waiting time is high:
Things to Consider to Avoid Poor Performance or Wrong Results on 12.1.0.2 ( Doc ID 2034610.1 )
Things to Consider for 12.1.0.2 to Avoid Problems with SQL Plan Management (SPM) ( Doc ID 2035898.1 )
Things to Consider to Avoid Poor Performance or Wrong Results on 11.2.0.4 ( Doc ID 1645862.1 )
Things to Consider for 11.2.0.4 to Avoid Problems with SQL Plan Management (SPM) ( Doc ID 2034706.1 )
We learned painfully that we need the patches on top of a PSU to “survive”. Shame on MOS for not providing information on time.
Stephan,
I know that – and that’s why I recommended publicly a long while ago to use BPs instead of PSUs in 12.1.0.2. The problem in 11.2 was: BPs were and are meant for Exadata only. And not for non-Exa environments.
Updates (RU) will significantly lower the number of one-offs and merge patches simply due to the fact that they contain more fixes than the PSUs did. There’s no such thing as PSUs anymore.
My overall recommendation would be:
Upgrade to 12.2.0.1. We just checked with a huge customer yesterday with 120 one-offs on top of the July 2017 PSU for 12.1.0.2. 116 of them are fixed in 12.2.0.1 (not saying that there may not be new issues but it seems to be way less likely).
Cheers,
Mike