Oracle's decision to release individual patches for "big and nasty" flaws in its database products has stirred controversy over how to minimise disruption while maintaining security.
Last week Oracle released six separate patches for vulnerabilities, four of them for 'critical' flaws.
But by issuing separate patches, network managers face more downtime for their databases, according to Neil Barrett, technical director at Information Risk Management.
Ronan Miles, chairman of Oracle's UK User Group, said that one benefit of having separate patches would be that users need only apply those patches that "fit their circumstances".
Consequently, managers will spend less time ensuring that the patches do not cause additional problems with connected systems, he added.
Barrett conceded that there is some merit in this argument, but pointed out that, because four flaws are classified as 'critical', and the other two as 'serious', firms will need to apply them all if they want to remain secure.
The only surefire way of balancing security and systems availability is to have redundant systems that could be "hot-swapped" when applying patches, said Barrett.
Oracle defended its approach, however, and said that when serious security issues arise it is imperative to get patches out quickly.
"Where something is 'big and nasty' and there is no workaround, Oracle will do immediate, one-off patches," said Mary Ann Davidson, chief security officer at the software company.
She explained that Oracle added a regression test for each discovered security flaw which should minimise the likelihood of disruption.
In a thinly veiled attack on rival Microsoft, Davidson criticised vendors which bundle unrelated security fixes in their patches "so their bug numbers go down".
But whether companies prefer individual patches or bundles of fixes, there is still a problem in getting firms to apply them, according to Barrett.
Too many see the problems as a cost issue, whether in downtime or running redundant systems, he explained.
"There is still an issue of lack of understanding. Security needs to be a higher priority for business," said Barrett.
The patches released are for memory handling problems in Oracle's database and application server software, including its latest version, Oracle 9i release 2.
These buffer overflow flaws could allow a malicious attacker to gain complete control of the server. The patches can be downloaded here.