Applications

 View Only
Expand all | Collapse all

EBS Patching Frequency

  • 1.  EBS Patching Frequency

    Posted 09-23-2021 07:31 PM
    Edited by Raja Kaparthi 09-24-2021 12:52 AM

    Dear Members,
    We are currently patching our Oracle EBS environments around twice per year. We are experiencing challenges meeting our N-1 patching policy for Oracle. We sometimes complete the DB (Database) patching (PSU) but struggle to patch our Oracle Applications (CPU). We are able to apply DB PSU, but when applying EBS CPU we face issues. Some functionality is not working which takes additional time to troubleshoot. This makes it difficult to keep up with the N-1 policy which should cover the previous Quarters patch. The post-patch issues require us to either roll back or continue working with Oracle to get the previous release to work properly. This puts us at N-2 or N-3.  

    I have the following questions.

    • What is the industry recommendation for Oracle patching of PSU and CPU?  Is it N-1 or N-2?
    • How often other Oracle EBS customers are patching the DB (PSU) and App (CPU)? What is their policy? Is it N-1, N-2, or N-3
    • What is Oracle's PSU & CPU patching recommendation
    • Do you see any issues if the instance is not patched for 6 to 9 months?
    Thanks

     

    Can you give insight to large manufacturing businesses patching large, complex ERP Business Systems?



    ------------------------------
    Raja Kaparthi
    ------------------------------


  • 2.  RE: EBS Patching Frequency

    Oracle Ace
    Posted 09-24-2021 07:51 AM
    Good morning Raja, what release of Oracle EBS are you currently running? This may help the OATUG community respond with recommendations as you'll have more options with 12.2 than 12.1.3...

    ------------------------------
    Bill Dunham
    Principal
    OATC, Inc.
    Charlotte NC
    (844) 879-6282 x701
    ------------------------------



  • 3.  RE: EBS Patching Frequency

    Posted 09-24-2021 12:57 PM
    Hello Bill,
    Thanks for your response. We have EBS 12.2.5 with 11.2.0.4 (DB) & 12.2.4 and 12c DB

    Thanks, Bill
    Raja

    ------------------------------
    Raja Kaparthi
    Emerson Electric Co.
    Saint Louis MO
    (314) 553-1171
    ------------------------------



  • 4.  RE: EBS Patching Frequency

    OATUG Star Partner
    Posted 09-24-2021 08:54 AM
    Hi,
    Please tell us what version of EBS you are discussing.  What platform are you on?  What database version are you on?


    ------------------------------
    Linda Stewart
    Manager/Architect
    Performance Architects, Inc.
    linda.stewart@performancearchitects.com
    ------------------------------



  • 5.  RE: EBS Patching Frequency

    Posted 09-24-2021 01:08 PM
    Hello Linda,
    Thanks for your response. We are on  EBS 12.2.5 with 11.2.0.4 (DB) & 12.2.4 and 12c DB. Both of them are running on Linux 

    Thanks, Linda
    Raja

    ------------------------------
    Raja Kaparthi
    Emerson Electric Co.
    Saint Louis MO
    (314) 553-1171
    ------------------------------



  • 6.  RE: EBS Patching Frequency

    Posted 09-24-2021 10:09 AM
    Raja,
    Regardless of version, the quarterly CPU patches are recommended for both the Database and the Application.  For the Application there are typically 2 parts, the tech stack patches and the application tier patches.  Both are important as they resolve security issues identified previously. 

    At our site, we apply the database and tech stack patches as soon as we can, starting with development and going through production.  That is usually completed within the first month as we rarely have issues with those patches.  We also do testing of our most problematic and visible areas at this time. 

    We take a little more time with the application tier as we have additional layers of security that take care of some of the application security issues.  But typically we get everything into production prior to the delivery of the next CPU patch.

    As for issues with not patching on the recommended quarterly cycle, I would say it depends on other security measures deployed and what is being delivered in the CPU patches.  If the CPU patch is delivering zero-day, critical or high impact security fixes, you would want to apply that as soon as possible.  If your system is not externally available there are fewer risks.  But if you have a significant insider threat risk, more frequent patching is preferable.  All in all, you have to balance your organizations need for security with your ability to apply patches in a timely manner.

    I am curious as to the nature of your system.  In addition to the version of the applications, how much customization have you done and has this customization been done using Oracle's recommended methods?  What is the nature of the errors you are getting?

    Tom Mullen

    ------------------------------
    Thomas Mullen
    Solutions Architect
    Sandia National Laboratories
    Albuquerque NM
    (505) 263-4507
    ------------------------------



  • 7.  RE: EBS Patching Frequency

    Posted 09-24-2021 01:17 PM
    Thanks, Thomas. Some EBS instances are heavily customized using Oracle recommended methods. There is no particular error. Earlier we were 2 plus yrs behind the CPUs. Gradually we were able to reduce the gap but still not able to stay on N-1 which is our security policy. I am trying to find out how other companies are dealing with EBS CPU patching and what is their patch policy. May I also ask what other security controls you have implemented or used to secure the EBS and database instances? 

    Raja

    ------------------------------
    Raja Kaparthi
    Emerson Electric Co.
    Saint Louis MO
    (314) 553-1171
    ------------------------------



  • 8.  RE: EBS Patching Frequency

    Posted 09-24-2021 03:12 PM
    Raja,

    Unfortunately, given the nature of our work, I am unable to discuss the details of our security in this forum.  At a high level, we have many firewall rules, a  network scanning tool that identifies servers with potential security issues, and portions of our system are unavailable to the internet. 

    We do not meet the N-1 for the application patches but rarely have issues with the tech stack and database so we usually meet the N-1 requirement for that.  We are fortunate to have a team big enough to do that.

    Tom

    ------------------------------
    Thomas Mullen
    Solutions Architect
    Sandia National Laboratories
    Albuquerque NM
    (505) 263-4507
    ------------------------------



  • 9.  RE: EBS Patching Frequency

    Posted 09-24-2021 11:39 AM
    We tend to do the database as N-1 and the application as needed.  We have encountered the same issues in the past where the application patches break something (often many things) then we spend 6 months trying to fix it.  So for the most part, we only patch as we encounter an issue which requires a patch, such as new functionality we want to use or new regulatory requirements, so we can do a focused testing of the patch.  Our accounting and development teams just do not have the bandwidth to thoroughly test a full application patch.

    ------------------------------
    Mike Peddycord
    Oracle DBA
    Western Area Power Administration
    Lakewood CO

    ------------------------------



  • 10.  RE: EBS Patching Frequency

    Posted 09-24-2021 12:51 PM
    Thanks, Mike for the response. How are you handling the EBS vulnerabilities? In most cases, the latest CPU patch is the solution. 
    if I may ask, what is the size of your EBS environment? it seems like you do not have any EBS patch policy, or do you have one?

    ------------------------------
    Raja Kaparthi
    Emerson Electric Co.
    Saint Louis MO
    (314) 553-1171
    ------------------------------



  • 11.  RE: EBS Patching Frequency

    OATUG Star Partner
    Posted 09-25-2021 08:03 AM
    Hi Raja,
    I think the organization needs to consider moving to 12.2.9 relatively soon.  When July 30, 2022 arrives, Oracle expects us to be on database version 19c.  I understand if we do not move, the support fees for extended support will be significant which means you need to update the apps tier.  Also, being on 12.2.5 of the application, if issues arise, Oracle will tell you that the app is too old and request a major version update before responding to questions.  I just had this happen when reporting slowness in the OA Framework for 12.2.6.  I have just upgraded to 12.1.0.2 latest patches for the database and moved the app to 12.2.10.  For the customizations, you should already have regression test plans for after the CPUs are applied.   After this, the policy is to apply the quarterly patches in dev, two weeks after they are released.  We really do need to be this on top of patching due to the times we live in.  There are so many breaches publicized these days and we do not want that on our resume.  Plus, 12.2.10 has some very nice updates, including fixes to OA Framework slowness.

    And thanks to OATC for the great presentations at Ascend 2021.  Made the whole process seem not that bad!

    ------------------------------
    Linda Stewart
    Manager/Architect
    Performance Architects, Inc.
    Boston MA
    (334) 435-1400
    ------------------------------