Skip links

Oracle Critical Patch Update Program, SAP security note 850306


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
This note is issued as a Hot News. Check the note regularly for updates. Otherwise, you will not be aware of important changes regarding prerequisites, consequences and solutions. A new Hot News is not issued if a note is updated.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

General notes for Oracle Critical Patch Updates (CPU)

New as of May 2010: As of the patch day on May 10, 2010, explicit CPU patches will no longer be provided for UNIX platforms. The CPU patches will be contained in a Patch Set Update (PSU) in future. The PSUs will be available every four months, similar to the CPUs.
PSUs will be available in an SAP Bundle Patch (SBP).

New as of 2005: Since 2005, Oracle has provided Critical Patch Updates (CPU) for all product lines on a quarterly basis. The extensive patches contain corrections for significant security problems. You (as the customer) must install these patches unless they collide with another patch that SAP considers to be a mandatory requirement.

New as of Release As of Release, the procedure for setting up CPUs has changed fundamentally. Oracle is changing the CPU patch procedure to “n-apply”. This means that the CPU patch now contains only pure security patches, and no longer contains functional patches. If a conflict occurs when you apply the CPU patch, Oracle Support provides a merge patch for the patch that causes the conflict. However, since only security patches are contained in the CPU patch, patch conflicts are much less likely to occur.

As of Oracle Version, CPU patches no longer consist of one single large merge patch (which was the case for earlier versions), but they consist of several “patch molecules” that are independent of each other. In principle, a patch molecule is like a single patch and can either be installed completely or not at all. If there is a conflict between a patch that was already installed and a patch molecule that is contained in the CPU, the DBA can either decide not to install the CPU at all, or to install at least those patch molecules that do not cause a conflict. The patch molecules that cause the conflict will be installed at a later time when the merge patch is available.

The advantage of this new procedure is that patch conflicts are less likely to occur. If a patch conflict still occurs, this does not prevent the entire CPU from being installed. Instead, it only prevents the affected patch molecule from being installed. However, due to technical problems, the system may not be able to perform a merge. In this situation, as before, the customer must decide whether to apply the CPU patch or the functional patch that was already recommended.

We do not support the installation of CPU patches using MOPatch (Note 1027012).

Available fix and Supported packages

Affected component



Score: 0


Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.




How to detect over 4100 vulnerabilities in SAP Systems?

More to explorer

Initiating SAP Penetration Testing

►   Pentest, short for penetration testing, refers to a set of processes that simulate an attacker’s actions to identify security vulnerabilities. Companies