Managing Patches

Database patches are cumulative for all previous Critical Patch Updates
– Database patches include non-security fixes
– Windows patches are really version upgrades

Database patches provide the greatest security benefit –Apply them ASAP
– Apply database patches now, other patches later
– Otherwise, enable Listener Invited Nodes feature

Common CPU Patching Mistakes
1. CPU Forgotten Steps
2. Database Upgrades
3. ORACLE_HOME vs. Database
4. ORACLE_HOME and New Database

#1 CPU Forgotten Steps
CPU is two parts:
1.OPatch to update files in the ORACLE_HOME
2.catcpu.sql to update database objects

Some CPUs require additional manual steps, for example to recompile SYS objects.

#2 Database Upgrades
– Latest CPU patch is applied (January 2009)
– Upgrade database to new version or patchset ( to
- Do I have to reapply the latest CPU after the database upgrade?
Yes!!!, you must apply January 2009 patch

Database Upgrades and CPU Patches

Database Version Upgrade Patch Latest CPU Patch Included In Upgrade Patch July 2006 October 2005 October 2006 April 2008 October 2007 January 2009

#3 ORACLE_HOME vs. Database
– Latest CPU patch is applied (January 2009) to ORACLE_HOME
– Install a new database from the patched ORACLE_HOME
- Do I have to run the catcpu.sqlfrom the January 2009 CPU?
Yes!!!, since some of the SQL statements in the catcpu.sql do not exist as files in the Oracle Home
Remembet that catcpu.sql does perform some drops and grants

#4 ORACLE_HOME and New Database
– Latest CPU patch is applied (January 2009) to ORACLE_HOME
– Install a new database from the patched ORACLE_HOME using DBCA and a seeded database
- Do I have to run the catcpu.sqlfrom the January 2009 CPU?
Yes !!!!, since the seeded database files are pre‐loaded with packages and none of the vulnerable packages would be updated without running catcpu.sql

What is OPatch?

OPatch is an Oracle supplied utility to assist you with the process of applying interim patches to Oracle's software. OPatch is a Java-based utility which requires the Oracle Universal Installer to be installed. It is platform independent and runs on all supported operating systems. OPatch supports the following:

Prior to release 10.2 (OPatch for 10.2 is only compatible with 10.2 and nothing earlier), OPatch was available from MetaLink as a patch in and of itself ( for release With 10.2, OPatch is installed as part of the RDBMS software.

Important Note
If Opatch is installed, please remember to set your Oracle Home Directory:
C:\app\product\11.2.0\dbhome_1\OPatch>  set ORACLE_HOME=C:\app\product\11.2.0\dbhome_1

And also to add the Opatch Directory to your path:
set PATH=C:\app\product\11.2.0\dbhome_1\OPatch;%PATH%

Then you can see what is installed with:
C:\app\product\11.2.0\dbhome_1\OPatch>  cd OPatch
C:\app\product\11.2.0\dbhome_1\OPatch>  opatch version
Invoking OPatch
OPatch Version:


C:\app\product\11.2.0\dbhome_1\OPatch>  opatch lsinventory
Invoking OPatch
Oracle Interim Patch Installer version
Copyright (c) 2009, Oracle Corporation.  All rights reserved.

Oracle Home       : C:\app\product\11.2.0\dbhome_1
Central Inventory : C:\Program Files\Oracle\Inventory
   from           : n/a
OPatch version    :
OUI version       :
OUI location      : C:\app\product\11.2.0\dbhome_1\oui
Log file location : C:\app\product\11.2.0\dbhome_1\cfgtoollogs\opatch\opatch2012-08-27_14-21-49PM.log
Patch history file: C:\app\product\11.2.0\dbhome_1\cfgtoollogs\opatch\opatch_history.txt
Lsinventory Output file location : C:\app\product\11.2.0\dbhome_1\cfgtoollogs\opatch\lsinv\lsinventory2012-08-27_14-21-49PM.txt

Installed Top-level Products (1):
Oracle Database 11g                                        
There are 1 products installed in this Oracle Home.
There are no Interim patches installed in this Oracle Home.

Opatch has several options to execute it:

Applying a patch is simple as:

Steps to get Opatch (probably not needed, 1 time only)
From a command prompt:
    ftp (metalink username and password)
    ftp> bin
        ## For 9i R2(9.2.x) and 10GR1(10.1.x)
    ftp> cd /2617419
    ftp> get
    ftp> quit
        ## For 10GR2(10.2.x) ftp> cd /4898608
    ftp> cd
    ftp> quit

Opatch Installation (probably not needed, 1 time only)
## For 9i R2(9.2.x) and 10GR1(10.1.x)
Then upload or move the to ORACLE_HOME and uncompress it. Example:
    % mv $ORACLE_HOME
    % cd $ORACLE_HOME
    % unzip
% cd OPatch
% opatch version
PERL5LIB=/oracle/V920/Apache/perl/lib/5.00503:./perl_modules; export PERL5LIB
/oracle/V920/Apache/perl/bin/perl ./ version
./ version:

## For 10GR2(10.2.x)
% unzip
% cd OPatch
% opatch version
Invoking OPatch
OPatch Version:

Finally, you can set the Opatch directory in your PATH variable so you can execute the opatchcommand from anywhere. Example:
For Korn / Bourne shell
% export PATH=$PATH:$ORACLE_HOME/Opatch

For C Shell
% setenv PATH $PATH:$ORACLE_HOME/Opatch

Opatch Post-installation (post-deinstallation) steps (probably not needed, 1 time only)

Don't forget to check the readme file for post-installation/deinstallation steps. In general, the post-installation steps require running of the catcpu.sql script, followed by using the utlprp.sql script used to recompile invalid objects. Is that SQL script named utlrp or utlprp? In this case, the README file says utlprp, whose function is essentially the same as that of utlrp. What is the difference between the scripts? As it turns out, utlrp simply calls utlprp. The deinstallation tasks are nearly identical, with the main difference being that you use the catcpu_rollback SQL script.

For Patch 4667809, the catcpu/catcpu_rollback scripts are related to applying and unapplying changes related to the OWA toolkit (OWA = Oracle Web Agent, which uses modplsql, which uses PL/SQL to generate dynamic Web pages, and that's why you see modplsql in the patch-related files folders).

Example Applying Patch 4751921
After the Patch is Installed:
1.Log in as sys as sysdba.
2. cd $ORACLE_HOME/rdbms/admin
3. spool catpatch_database_name
4. shutdown immediate
5. startup migrate
6. @catpatch.sql   ( this takes at least 1 hour ). After catpatch completed,
7. select object_name,owner from dba_objects where ststus='INVALID';
8. @utlrp.sql object_name,owner from dba_objects where ststus='INVALID';   ( YOU WILL GET near 0 invalid objects )
10. shutdown immediate;
11. startup

Listing Patches

All patches that are installed with Oracle's OPatch Utility (Oracle's Interim Patch Installer) can be listed by invoking the opatch command with the lsinventory option. Here is an example:

$ cd $ORACLE_HOME/OPatch
$ opatch lsinventory
Invoking OPatch
Oracle interim Patch Installer version
Copyright (c) 2005, Oracle Corporation.  All rights reserved..
Installed Top-level Products (1):
Oracle Database 10g                                 
There are 1 products installed in this Oracle Home.
There are no Interim patches installed in this Oracle Home.
OPatch succeeded.

Another Method using SYS.REGISTRY$HISTORY Table
Since January 2006, contains 1 row for most recent CPU patch applied
Semi-reliable method for determining if CPU patch is applied
SELECT comments, action_time, id "PATCH_NUMBER", version
FROM sys.registry$history
WHERE action = 'CPU';

One other useful Opatch feature

Along with the log and inventory files, Opatch output includes a history file, which contains date and action performed information. The history file is named opatch_history.txt and is located in the $OH\cfgtools\opatch directory. As an example of its contents, the "rollback –help" action performed earlier was recorded as:

Date & Time : Sun Dec 18 12:00:50 MST 2005
Oracle Home : C:\oracle\product\10.2.0\db_1
OPatch Ver. :
Current Dir : C:\
Command     : rollback -help
Log File    : $OH\cfgtoollogs\opatch\opatch-<date>.log

So, as yet another way to answer the "what patches are installed" question, you can use the OPatch history file.

Here is an example of the SQL command to see the status of patches on a database:

select patch_id, patch_uid, version, status, bundle_series, description

   from dba_registry_sqlpatch;