The Oracle Critical Patch Update (CPU) is an ongoing series of regularly issued fixes for security flaws in products made or maintained by software giant Oracle Corp.
Started in 2005, the Oracle CPU is released quarterly, on the Tuesday closest to the 17th of January, April, July and October. It is available only to Oracle customers with valid support contracts. CPU patches are cumulative, but the release notes explain only the fixes added since the previous CPU release.
Each Oracle customer receives the same CPU regardless of which products it uses.
Pre-release announcements are published on the Thursday before each CPU release. For security fixes considered too critical to wait for the next CPU, Oracle releases out-of-band bulletins called Security Alerts.
An analysis of the security vulnerabilities addressed in Oracle's CPUs and Security Alerts typically accompanies the patch releases. This analysis includes information such as the type of vulnerability, the conditions necessary to exploit it and the potential result of a successful exploit.
Oracle has long been criticized for its CPU process, with some saying the software vendor delays patch releases, offers confusing information about its patches and fails to thoroughly fix flaws.