Oracle Shifts to Monthly Security Patches in Race Against AI-Powered Cyber Threats
Breaking News: Oracle Accelerates Patching Cycle
Oracle will issue security patches for its ERP, database, and other software on a monthly cycle starting May 28, abandoning its long-standing quarterly schedule. The move comes in response to the rising threat of AI-enabled vulnerability discovery, which has dramatically accelerated the pace of exploits.

“The new CSPUs provide targeted fixes for critical vulnerabilities in a smaller, more focused format, allowing customers to address high-priority issues without waiting for the next quarterly release,” an Oracle spokesperson told CSO. The company’s first monthly Critical Security Patch Update (CSPU) lands on May 28 (a Thursday), and subsequent updates will arrive on the third Tuesday of each month, beginning with June 16, July 21, and August 18.
Background
Other major software vendors, including Microsoft, SAP, and Adobe, already follow a monthly patching cadence, typically rolling out fixes on the second Tuesday of every month — known as Patch Tuesday. Oracle, however, is taking an off-beat approach by releasing its updates one week later, a strategy it says will help customers manage deployment without overlapping with other critical patches.
The shift was first announced last week without specific dates, and the company confirmed the new timetable earlier this week. Oracle will continue to issue a cumulative Critical Patch Update each quarter, maintaining the same schedule for those larger releases. The first quarterly update for 2025 arrived in January.
Oracle is also leveraging artificial intelligence to identify and fix vulnerabilities faster than before. The company has access to OpenAI’s latest models through the Trusted Access for Cyber program and Anthropic’s Claude Mythos Preview, which is trained to find security flaws. As of mid-April, only one vulnerability report had been directly tied to Mythos, despite widespread concerns that such AI tools could uncover thousands of zero-day flaws.

What This Means
The new patching rhythm will primarily benefit customers running Oracle applications on premises or in third-party hosting environments. For those using Oracle-managed cloud services, patches are applied automatically, so the change has less impact on them.
By moving to monthly updates, Oracle aims to close the window between vulnerability discovery and patch availability — a critical gap that AI-powered attackers could exploit. While the threat of AI-driven zero-day floods remains largely theoretical, the industry is bracing for a surge. Oracle’s proactive adoption of AI for defense, combined with its accelerated patching, signals a new standard for enterprise security.
For IT teams, this means more frequent but smaller patches that can be deployed more quickly. However, the off-beat schedule may require adjustments to existing maintenance windows. Oracle’s decision underscores the urgency of staying ahead in the AI cybersecurity arms race.