The increasing complexity of database security patches and updates will lead to higher levels of automation from
the likes of Oracle and third-party vendors, according to one industry watcher.
Noel Yuhanna, senior analyst with the Cambridge, Mass.-based Forrester Research Inc., said he believes this may happen, but when it came to Oracle's quarterly approach to patches, he still had some reservations leftover from the days when patches were released in a much more haphazard manner.
Yuhanna's critical analysis came in the wake of comments made by Mark Townsend, Oracle senior director of database product management, who spoke with SearchOracle.com regarding Oracle Database 10g Release 2 earlier this month.
At issue was Oracle's recently unveiled quarterly patch release schedule, which the company launched in January to combat what many analysts and users describe as a disorganized release schedule for critical security flaws.
At the time, Oracle's chief security officer Mary Ann Davidson said under the quarterly release schedule, organizations could plan configuration management rather than be surprised by unscheduled patch alerts.
"This allows them to have a schedule they can plan maintenance around," Davidson said. "They can apply various patches as needed to critical components."
Townsend reiterated the point that quarterly patches were serving customers well and that there were negligible complaints regarding downtime or release schedules due to Oracle's "rolling upgrade" model, but Yuhanna countered that users were still uneasy.
"I think taking critical apps out of production to apply quarterly patches has become a concern for many," Yuhanna said. "While Oracle does have rolling upgrades to support server/hardware upgrades, it still requires downtime for database-level upgrades."
Yuhanna also said he believes that the upgrades and patches from Oracle -- and the entire industry -- are becoming more challenging as versions become bigger and more complex. While complexity might daunt some, Yuhanna said this is where Oracle could shine.
"I think over the next three to four years, we are likely to see some vendors offering highly automated upgrades and patch deployments that will require minimal efforts and no outages -- and it's possible that Oracle will be the first to reach to that goal," Yuhanna said.
Yuhanna echoed the thoughts of Davidson, who said in late 2004 -- on the verge of launching the quarterly schedule -- that a more manageable system of patch updates would address the bigger, more complex patch sets and their longer period of testing.
Oracle Database 10g is a very reliable system, Yuhanna said, especially on Unix-type systems such as Sun Microsystems' Solaris, HP-UX and Red Hat's flavor of Linux.
He added that if Database 10g Release 2 addresses some lingering concerns about release schedules and patch updates, Oracle could quickly reach the goal of highly automated patch management with minimal downtime.