If security is a process, Oracle's users have checked out of the process completely. As CNET's Dawn Kawamoto reports, two-thirds of Oracle users report that they have never installed an Oracle Critical Patch Update (CPU). That's "never" as in "not ever."
The data comes from a survey of Oracle database administrators, consultants, and developers by Sentrigo. It's shocking.
Perhaps it's also a testament to the robust security of Oracle's products. Let's assume that the respondents to this survey are representative of Oracle users generally. With 66% of Oracle's databases essentially unprotected and yet rarely compromised, that says something about their quality.
Or maybe it just means that database hackers are lazy. :-)
More seriously, I wonder why enterprises don't deploy the patches. Are they difficult to implement? Are they explained so poorly that database administrators don't know why they should use them?
I don't know, but it would be fascinating to find out. It would also be interesting to know what percentage of MySQL users regularly patch their systems.