Is Oracle neglecting database security?
Oracle's big Critical Patch Update (CPU) on Jan. 17 set a record for the fewest fixes for database products: only two of the 78 total fixes in the CPU.
That number excludes MySQL updates, which Ericka Chickowski of Dark Reading notes are primarily handled by the open-source community.
Alex Rothacker, director of security research for Application Security's TeamSHATTER, said the database products are not less vulnerable, but that Oracle (NASDAQ: ORCL) has "thrown in the towel on fixing database vulnerabilities," according to Computerworld.
Rothacker said that because many Oracle customers neglect to apply fixes to their databases, there is less pressure on Oracle to take the vulnerabilities seriously.
Wolfgang Kandek, chief technology officer at Qualys, agreed. "The rollout schedule is a reflection of how much users actually pay attention to those things," Dark Reading quoted him as saying.
In an October blog post, Oracle offered a different explanation for the ongoing decline in database patches. Eric Maurice, the company's software security assurance director, said that the Oracle Database Server code base has matured enough that vulnerabilities are less common.
But Rothacker, in response, would not accept that explanation. "We're reporting the same amount [of bugs] to them, but they're fixing fewer," he said.
For more:
- see this Dark Reading article
- see this Computerworld article
- see Oracle's blog post