Oracle recently informed security researcher Joxean Koret that its April critical patch update had fixed a vulnerability he first reported to the company in 2008. Oracle credited Koret with his role in finding the flaw, and he subsequently published details on how it works. The only problem was that Oracle hadn't actually issued a patch for the flaw; it had merely fixed it in future versions of the software.
The end result: there is now a zero-day database vulnerability floating around out there, and Oracle says it won't fix it until its next Oracle Database release. For a company with as dismal a security track record as Oracle, this is another in a long line of pretty significant failures.