Oracle Critical Patch Update是什么?
Critical Patch Update(以下简称CPU),是Oracle在2005年开始引入的产品安全更新策略。一般来说CPU包含了Oracle产品安全漏洞的修复补丁集(set of security bug fix)。CPU最早的雏形出现在2005年,该项目致力于为客户周期性地提供累积性的补丁以修复安全漏洞。
通常CPU补丁会在每季度开始第一个月的15号发布,按照发布日期的不同可以划分为:
- January : CPU JAN
- April : CPU APR
- July : CPU JUL
- October : CPU OCT
存在以下3种类型的CPU补丁:
- Normal CPU:在10.2.0.2之前所有的CPU均是Normal CPU
- Molecular CPU:Molecular解释为分子,从10.2.0.3开始以后版本的CPU patches均以Molecular格式发布,之后我们会介绍Normal/Molecular格式的区别
- CPU Bundle Patch:由于在Windows平台无法利用替换共享库文件后relink的方式来更新Oracle binary,所以Oracle特别针对Windows发布区别于Unix上Normal/Molecular CPU的CPU Bundle patch(也因此Bundle Patch会别较大)。Windows bundle patches通常每一个季度都会发布
接下来我们通过2个实例来了解Normal CPU与Molecular CPU之间的区别。Linux x86平台上的CPUJAN2009 for 9.2.0.8的bug#补丁号为7592365。我们可以通过该补丁号从My Oracle Support上下载到压缩为zip的补丁包,试着将该压缩包解压后我们会发现该CPU补丁包的目录结构类似于一个one-off patch(一次性补丁):
$cd 7592365
$ls
/etc /files readme
之前已经介绍过了从10.2.0.3开始以后版本的CPU patches均以Molecular格式发布。我们选取Linux x86平台上的CPUAPR2009 for 10.2.0.4为Molecular CPU的示例,下载并解压该CPU后会发现补丁包目录下有不少以Patch number为名的子目录,这就是Molecular-分子式的寓意所在,其实你也可以简单地理解为是对散装的安全补丁打了包:
$cd 8290506
$ls
7155248 7155251 7155254 7375613 7609058 8309592 8309637 cpu_root.sh
7155249 7155252 7197583 7375617 8290506 8309623 8309639 patchmd.xml
7155250 7155253 7375611 7609057 8309587 8309632 8309642 README.html
以上每一个数字代表一个molecules,称作分子补丁
注意!一个molecules可能包含有多个小的fix!!
Normal CPU与Molecular CPU间的差异还表现在所包含的补丁类型上。Normal CPU也被叫做Classic CPU即传统CPU,不同于molecular CPU,Normal CPU不仅包含安全漏洞修复,针对于特定的产品、产品版本及平台还可能包含了非安全的补丁。
而Molecular CPU(在MOS上有时也被叫做New format CPU)从10.2.0.3开始改变了既往Normal CPU的习惯,Molecular CPU仅仅包含安全漏洞补丁(security bug fixes),这是目前CPU与另一种补丁更新策略Patch Set Update(PSU)间的主要区别之一(PSU在格式上类似于Normal CPU),CPU专门负责修复安全漏洞,而PSU往往会包含CPU(INCLUDES CPU)。
第一个以Molecular形式发布的是CPU是CPUJUL2007(DB-10.2.0.3-MOLECULE-013-CPUAPR2007):
此外根据Oracle Product lifetime的介绍CPU的发布遵循几个原则:
- CPU仅为最新的patchset补丁集发布
- 对于之前的patchset补丁集存在一个宽限期,在此宽限期内仍会针对老的patchset发布CPU,关于这个宽限期(grace period)在MOS文档
Grace Period: up to 1 year, minimum 3 months.
You have up to one year from the release of a patch set on the first platform (currently Linux x86) to plan for
and install the new patch set. During that year we will create new bug fixes for the previous patch set.
This grace period is effective with the release of 10.2.0.4.
For example, 10.2.0.4 was released first on Linux x86. The release date was 22 February 2008.
Until 22 February 2009 we will create new fixes for both 10.2.0.3 and 10.2.0.4.
After that date new fixes for 10.2.0.3 will cease on all platforms and we will only create new fixes for 10.2.0.4.
Grace period for current patch sets can be found on Metalink in Note 742060.1
Exceptions:
3 Month minimum grace period: Since the release of a patch set on different platforms happens over time,
not all platforms will be supported for error correction for the full year. Because of this,
we will always support the previous patch set for error correction for at least 3 months.
For example, if the initial release of patchset A.x.y.z is on January 1st on Linux x86 and the same patch set
is released on Univac on November1, Oracle will still provide new patches on Univac A.x.y.z-