Patch Catch For Oracle9i


Vendor requires contract for security fixes


For a company that says it is dedicated to "unbreakable" databases, Oracle has a funny way of showing it.

Unlike rivals Microsoft and IBM, Oracle makes its security patches available only to customers that have purchased support and maintenance agreements, solution providers said.

"It seems to me with all the criticism Oracle has leveled at Microsoft, that its [operating system] is not as secure as it should be, that it's not enterprise savvy, that Microsoft does a better job supporting customers. And IBM has emulated a lot of what Microsoft has done [in providing] free evaluation software, patches and downloads," said Chris Koontz, executive consultant with Parks and Co., an e-commerce integrator in Charlotte, N.C.

"It's arrogance on Oracle's part," Koontz said. "They're not as engaged in wanting to help the customer. Microsoft and IBM do a much better job explaining how to use their technology, how developers in corporate America can incorporate it in a solution."

The importance of the security patches for Oracle was driven home by a couple of "high-risk" vulnerabilities uncovered two weeks ago in both the Oracle9i database and application server. Oracle Chairman and CEO Larry Ellison has repeatedly touted Oracle9i as unbreakable.

Customers that purchase the Oracle9i database but opt not to pay the extra cost for maintenance are out of luck when it comes to security fixes.

The additional fees are no small matter. A customer buying a single-user license for Oracle9i Enterprise Edition off Oracle's Web site pays $800 for the software, another $120 for the update subscription service and another $56 for advanced customer support, bringing the total to $976.

By contrast, IBM and Microsoft make their security patches available for free, even to customers that do not buy maintenance plans.

Integrators say Oracle's cost structure will not fly, especially in the current climate. They maintain that important patches should be part of the software purchase price.

Mike Drips, a Kansas City-based computer consultant, concurred. "The industry practice is to provide patches free. What Oracle is doing is a way to blackmail people into paying for support," he said.

Database rivals relished the situation. "Oracle: Twice the price, half the performance of DB2, and it costs more to fix bugs in a product that was supposed to be unbreakable," said a spokesman for IBM's software group.

Stan Sorensen, director of SQL Server product management at Microsoft, said when a security issue arises with Microsoft products, "we patch it and make the patch readily available. If you bought the product, you've also purchased the patches."

The issue even raises the hackles of Oracle supporters. "This is a big deal. A huge deal," said a former executive at one of Oracle's largest partners, who requested anonymity. "[Oracle's contention] is if you don't pay for the support, you don't get the patches, but their support is expensive, 23 percent of the license cost."

Another large integration partner concurred. "I have never worked with another company that does not have standard support, the lowest level, [covering] patches," said the Oracle partner, who also requested anonymity. "Some level of support is necessary because Oracle releases thousands of patches and bug fixes between major releases. It would be a huge risk not to have at least a minor support contract."

Oracle confirmed that it requires maintenance contracts for downloads and patches. "Database software is not consumer software. It's something people use to run their enterprises. It's serious business," said Mary Ann Davidson, chief security officer at Oracle. She said 100 percent of first-time Oracle buyers purchase support contracts.

The vendor's service alert and patch Web site lists available patches, but to download them, integrators must go to the company's Metalink site, which requires the use of a "support identifier."