Patching your Oracle database – Critical Patch Update (CPU) or Patch Set Update (PSU)?
Keeping your Oracle database software up to date is a critical and time-consuming task for DBAs. For many years now, Oracle has been releasing Critical Patch Updates on a quarterly basis. These patches, as the name implies, contain critical updates to the software, often released in response to a newly found security vulnerability. More recently, Oracle has also been releasing Patch Set Updates on a quarterly basis. These also contain important fixes to the Oracle software. However, there is confusion about the difference between the two and, more importantly, about which one needs to be applied. So what's the difference, and which one should you apply?
According to Oracle Support article ID 1446582.1: Frequently Asked Questions (FAQ) Patching Oracle Database Server:
“A PSU is a collection of proactive, stabilizing cumulative patches for a particular product version (base release or patch set). PSUs are cumulative and include all of the security fixes from CPU patches, plus additional fixes. Critical Patch Updates are the primary means of releasing security fixes for Oracle products. CPUs are cumulative with respect to prior CPUs and generally contain only security fixes.”
So, there you have it. CPUs are smaller and more focused than PSUs and mostly deal with security issues. PSUs contain bug fixes AND they contain the security fixes from the CPU. When you download a PSU, it will tell you which CPU it contains. PSUs are on the same quarterly schedule as the Critical Patch Updates (CPU), specifically the Tuesday closest to the 17th of January, April, July, and October. One thing to keep in mind, however, is that once a PSU has been installed, the recommended way to get future security content is to apply subsequent PSUs. Reverting from PSU back to CPU, while possible, would require significant effort and so is not advised. So with this in mind, why would someone choose to apply a CPU rather than a PSU? I suppose for folks who are concerned only with security fixes and not functionality fixes, a CPU-only approach may be best. It does seem to be the more conservative approach, as a CPU is (in theory) less likely to cause trouble than a PSU, simply because it has fewer code changes in it.
My personal preference is to apply PSUs and not worry about CPUs.
If you would like to be notified when Oracle releases Security Alerts, you can sign up on the Oracle Technology Network website at http://www.oracle.com/technetwork/topics/security/securityemail-090378.html. You will need to have an account and then you can subscribe to Oracle Security Alerts.
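For planning patch windows, the quarterly rule quoted above (the Tuesday closest to the 17th of January, April, July, and October) can be turned into a small calendar helper. This is an added example, not Oracle code; the function names are hypothetical, and it implements the rule exactly as this article states it, so confirm real dates against Oracle's own announcements.

```python
from datetime import date, timedelta

RELEASE_MONTHS = (1, 4, 7, 10)  # January, April, July, October (per the article)
TUESDAY = 1                     # date.weekday() numbering: Monday is 0


def release_date(year, month):
    """Return the Tuesday closest to the 17th of the given month."""
    anchor = date(year, month, 17)
    # Days forward to the next Tuesday (0 if the 17th is itself a Tuesday).
    forward = (TUESDAY - anchor.weekday()) % 7
    # A week has 7 days, so the nearest Tuesday is at most 3 days away
    # and there is never a tie between the earlier and later Tuesday.
    offset = forward if forward <= 3 else forward - 7
    return anchor + timedelta(days=offset)


def releases_for_year(year):
    """All four scheduled CPU/PSU release dates in a year."""
    return [release_date(year, m) for m in RELEASE_MONTHS]


def next_release(today):
    """First scheduled release falling on or after `today`."""
    for year in (today.year, today.year + 1):
        for d in releases_for_year(year):
            if d >= today:
                return d


def missed_releases(last_applied, today):
    """Scheduled releases after the last one applied, up to `today`.

    `last_applied` is the release date of the CPU/PSU currently installed.
    A non-empty result means the database is behind on security content.
    """
    missed = []
    for year in range(last_applied.year, today.year + 1):
        missed += [d for d in releases_for_year(year)
                   if last_applied < d <= today]
    return missed


if __name__ == "__main__":
    # Constructed sample: last patched with the October 2023 release.
    for d in missed_releases(date(2023, 10, 17), date(2024, 7, 20)):
        print("missed quarterly release:", d.isoformat())
```

Feeding `missed_releases` the release date of the installed PSU gives a quick count of how many quarterly security updates a database is behind.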