How do I know if I really need a patch?
When I asked Oracle about a specific vulnerability in the latest advisory, the answer was simply a rehash of the matrix. I wanted to understand if our particular situation is actually vulnerable since we do not use the feature in question. The support engineer said that she has been instructed by Oracle only to repeat the risk matrix. She is prohibited from telling me anything else. How do I know if I actually need this patch?
Oracle is in a precarious position with respect to revealing information about security vulnerabilities, as are other database software companies. They need to notify their clients about potential security problems and provide fixes, but they must be careful not to reveal too much information about the vulnerabilities themselves. This is, in part, to protect the client. If there were specific, detailed information widely available about security vulnerabilities, it's quite possible that those with less-than-honorable intentions could target more companies or organizations.
You can usually tell whether you need to apply the patch by the components affected or the behavior the patch is attempting to fix. Another source of information is searching the Internet or forums for that specific patch. Other DBAs may post more information about what the patch fixes.
This was first published in August 2005
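The answer above suggests matching the "component" column of the risk matrix against what is actually installed and used. As an added example, not part of the original question or answer, the following Oracle SQL queries the data-dictionary views that answer that question. It assumes an Oracle 10g or later database (DBA_FEATURE_USAGE_STATISTICS does not exist before 10g) and a session with SELECT_CATALOG_ROLE or the DBA role; the component id 'SDO' and the feature name pattern 'Spatial%' in the last query are illustrative values for Oracle Spatial, not taken from any particular advisory.

```sql
-- Added example (not from the original Q&A). Three dictionary views that
-- show whether a component named in a risk matrix is present or in use.
-- Assumes Oracle 10g+ and SELECT_CATALOG_ROLE / DBA.

-- 1. Components registered in this database (JVM, XDB, OLAP, Spatial, ...)
--    and whether each is VALID, INVALID, or absent entirely.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 ORDER BY comp_id;

-- 2. Options linked into the instance binary (Partitioning, OLAP, ...).
--    VALUE = 'FALSE' means the option cannot be exercised at all.
SELECT parameter, value
  FROM v$option
 ORDER BY parameter;

-- 3. Whether a feature has actually been used, as sampled by MMON.
--    A component that is installed but never used is a weaker reason
--    to defer a patch than one that is not installed at all.
SELECT name, version, currently_used, detected_usages, last_usage_date
  FROM dba_feature_usage_statistics
 WHERE detected_usages > 0
 ORDER BY last_usage_date DESC;

-- 4. Worked check for one matrix row. 'SDO' and 'Spatial%' are assumed
--    values for Oracle Spatial; substitute the component the matrix names.
SELECT r.comp_name,
       r.status,
       (SELECT COUNT(*)
          FROM dba_feature_usage_statistics f
         WHERE f.name LIKE 'Spatial%'
           AND f.detected_usages > 0) AS usage_rows
  FROM dba_registry r
 WHERE r.comp_id = 'SDO';
-- No row back: component not registered. STATUS = 'VALID' with
-- usage_rows = 0: installed but not exercised.
```

Two caveats when reading the results. A component missing from DBA_REGISTRY may still be present on disk under ORACLE_HOME, so "not installed" is a statement about the database, not the software; and a PL/SQL package belonging to a component you do not use may still be executable by PUBLIC, so any account with a valid login can reach it. For both reasons the check tells you how urgent the patch is for your environment, not whether you can skip it indefinitely.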