Oracle Shifts to Monthly Patching Cycle to Combat AI-Powered Cyber Threats

Breaking: Oracle Accelerates Patch Schedule

Oracle today announced it will issue security patches for its ERP, database, and other software on a monthly basis, replacing the previous quarterly cycle. The move comes in direct response to the accelerating pace of AI-enabled vulnerability discovery.

“The new monthly Critical Security Patch Updates provide targeted fixes for critical vulnerabilities in a smaller, more focused format,” Oracle said in a statement. “Customers can now address high-priority issues without waiting three months.” The first monthly patch will land on May 28, a Thursday, followed by releases on the third Tuesday of each month beginning June 16.

Off-Beat Timing

Unlike Microsoft, SAP, and Adobe—which all patch on the second Tuesday—Oracle will lag by one week. This off-beat approach aims to give customers breathing room after competing updates. The next three monthly patches are scheduled for June 16, July 21, and August 18.

Oracle will continue issuing a cumulative Critical Patch Update each quarter, starting with the one already delivered in January. The quarterly update will bundle all monthly fixes for customers who prefer a single install.

AI at the Center

Oracle is leveraging artificial intelligence to identify and fix vulnerabilities faster. Through OpenAI’s Trusted Access for Cyber program, Oracle uses the latest GPT models, and also has access to Anthropic’s Claude Mythos Preview. “Mythos has contributed greatly to concerns that AI will uncover thousands of zero-day flaws,” said cybersecurity analyst Jane Mitchell, CEO of VulnWatch. “But as of mid-April, only one vulnerability report had been directly tied to it.”

The company’s AI-driven approach aims to stay ahead of malicious actors who are also using generative AI to find software weaknesses. Oracle’s internal AI systems scan code for potential flaws before they can be exploited.

Background: From Quarterly to Monthly

Oracle had maintained a quarterly patch rhythm for decades, releasing Critical Patch Updates in January, April, July, and October. Other major enterprise software vendors, including Microsoft, SAP, and Adobe, moved to monthly cycles years ago. Oracle’s shift brings it in line with industry practice, but with a deliberate delay to avoid conflicts.

The first monthly patch on May 28 will be followed by a full schedule published on Oracle’s security portal. The company initially hinted at the change last week but withheld specific dates until now.

What This Means for Customers

For organizations running Oracle applications on premises or in third-party hosting environments, the monthly cadence reduces the window of exposure to critical vulnerabilities. Previously, a zero-day discovered early in a quarter could remain unpatched for up to three months. Now, the maximum wait shrinks to one month.

“This is a significant improvement for risk managers who need faster remediation cycles,” said Mitchell. “But the new schedule also demands more frequent testing cycles from IT teams.” Customers using Oracle-managed cloud services need not worry: patches are applied automatically.

The change also signals a broader industry recognition that AI is accelerating the vulnerability discovery race. “Attackers and defenders now operate on the same AI-enabled timeline,” Mitchell added. “Monthly patches may soon become the norm across all major software vendors.”

Next Steps for Enterprises

Oracle recommends customers review the upcoming schedule and plan internal maintenance windows accordingly. The company has published a detailed calendar on its support portal. Enterprises running Oracle E-Business Suite, PeopleSoft, or JD Edwards should prioritize testing the first monthly CSPU.

Oracle also advises enabling automatic update notifications to avoid missing the new patches. For customers concerned about AI-driven exploits, Oracle offers additional threat intelligence feeds and vulnerability scanning tools integrated with its cloud security operations.