One thing I forgot to mention the other day in my post "July 2008 Critical Patch Update is out - a remote un-authenticated exploit revealed" is that one of the major changes you will notice with this CPU is that Oracle have started to identify each vulnerability with a CVE-ID number. The reason Oracle can do this is because they have become a candidate naming authority and are now allowed to issue unique numbers for each vulnerability. Whilst, as Eric Maurice points out in his post "July 2008 Critical Patch Update Released", Oracle's own advisory is the primary source for details of Oracle vulnerabilities, this change will certainly allow all other sources to report further details about vulnerabilities with consistency that can be tracked back to Oracle's own advisory.
This is a good step in my opinion and should allow some emphasis on consistency. Duncan has told me that this change was made due to customer feedback and took quite some effort to set up. I think we should acknowledge that Oracle do listen to customer feedback on CPUs and do want to make the whole process better for customers if they can. I am talking to customers of mine about this to get opinions; I already had a chat on Wednesday with one person who welcomed the changes.
I would like to hear others' opinions here about this change; comments are open!