Oracle: Which updates to install
In my IT carreer, I often come to new customers I didn't know before. So I don't know their infrastructure.
As I'm a DBA, I'm not interested in application servers (besides telling the customer that Operating Systems and standard applications should always be kept up to date), and I'm also not interested very much in network (as I don't know very much of it - I just wish it works).
But I'm interested in database servers as well as other servers that handle applications like Oracle Enterprise Manager Cloud Control.
So, what has to be updated?
Operating System
The operating system should always be kept up to date. But keep in mind, that after a kernel update, a reboot is required. And also keep an eye on the certification matrix to be sure that the combination of your Oracle products are certified to run on your operation system.
OPatch
OPatch is the tool that updates GI as well as DB homes. You should always download the latest one that fits your GI or DB major release. Then it can be unpacked in each Oracle Home.
As of now (January 2025), the version for 12.2 and 19c databases is 12.2.0.1.45.
Grid Infrastructure
RU
The most relevant patch for GI is the RU (Release Update). It brings the latest patches bundled so it can be installed using one command.
The easiest way to install the GI RU is opatchauto. You need the root user for it:
# cd <RU folder>
# $ORACLE_HOME/OPatch/opatchauto applyIt stops GI and applies the RU to
- the GI itself
- all database homes having the same major release
After opatchauto succeeded, it starts GI and DBs again and also executes datapatch for all relevant databases.
OJVM
I'm not sure why this patch should be needed with GI, maybe because with earlier releases GI came with a Management Database. But it's installable, so there shouldn't be a big risk to do that. It can be installed online like that:
# cd <OJVM folder>
# $ORACLE_HOME/OPatch/opatch apply -silentI use the -silent switch so that the patching process does not ask me if I'm really sure if I want to patch...
JDK
The Java Development kit is used for a big range of tools. And as Java is widely used all over the world, it should be kept up to date. Especially when your system is regularly scanned for software known to have security leaks.
GI also uses JDK for some reason. So just patch it - it can be done while GI is running:
# cd <JDK folder>
# $ORACLE_HOME/OPatch/opatch apply -silentDatabase
RU
It the database software wasn't patched using opatchauto, it can be pathed manually:
# cd <RU folder>
# $ORACLE_HOME/OPatch/opatch apply -silentAll resources running from this home have to be stopped.
OJVM
Oracle Java Virtual Machine is needed when you want to use Java from inside the database.
Mostly, I don't know if the customer uses that. And the customer also doesn't know - either because the application using the database is closed source, or documentation is bad, or all of them.
So it's easier to just patch OJVM than to find out if it's needed:
# cd <OJVM folder>
# $ORACLE_HOME/OPatch/opatch apply -silentBe sure to have all the components stopped running from this homeö.
JDK
The Oracle database also uses JDK for some reason. So just patch it - it can be done while databases are running:
# cd <JDK folder>
# $ORACLE_HOME/OPatch/opatch apply -silentEnterprise Manager Cloud Control
RU
Oracle Enterprise Manager Cloud Control also gets Release Updates. They can be installed using 2 different ways:
Apply
The old way to install the RU:
# cd <RU folder>
# $OMS_HOME/OMSPatcher/omspatcher applyDeploy
The new way, which clones the OMS home and applies patches to it before the downtime. Because of that, the downtime is reduced to a minimum:
# cd <RU folder>
# $OMS_HOME/OMSPatcher/omspatcher deployHolistic Patch
Holistic patches not only patch the OMS part of Cloud Control, but also the basics, like JDK, WLS, and so on. Applying it is a bit different:
# cd <holistic patch folder>
# $OMS_HOME/OMSPatcher/omspatcher apply -spb_patchJDK patch should not be patched after that.
Cloud Control Agent
RU
After Cloud Control is patched to a newer RU, all the agents should also be patched. There are 3 ways to do that:
Manually
This is the easiest way, but quite uncomfortable when there are many agents:
# cd <Agent RU folder>
# $AGENT_HOME/AgentPatcher/agentpatcher applyPatching using Cloud Control patching
You can use Provisioning and Patching and create a plan to patch one or many agents.
Pathing using Gold Image
Using this way, one agent is patches manually:
# cd <Agent RU folder>
# $AGENT_HOME/AgentPatcher/agentpatcher applyAfter that, all agents which are subscribed to that can now be autmatically patched.
JDK
As the agent also has it's own JDK, this should also be patched:
# cd <JDK folder>
# $ORACLE_HOME/OPatch/opatch apply -silentTFA/AHF
"Oracle Autonomous Health Framework (AHF) presents the next generation of tools as components, which work together autonomously, 24/7, to keep database systems healthy and functional while minimizing human reaction time. Utilizing machine learning technologies, Oracle AHF provides early warning or automatically solves operational runtime issues faced by Database and System administrators in the areas of availability and performance."
AHF should be installed as root user. It can be patches manually:
# ./ahf_setupIt can be also autmatically updated by setting that:
# ahfctl setupdate -all
Enter autoupdate flag <on/off> : on
Enter software stage location : /scratch/ahf_stage
Enter auto update frequency : 30
AHF autoupdate parameters successfully updated
Successfully synced AHF configuration