Oracle Patching Demystified: CPU, RU, RUR and 2026's New CSPU
Oracle's patching vocabulary shifted from CPU/PSU to RU/RUR/MRP, and in 2026 added monthly CSPUs. A clear guide to what to apply, what's deprecated, and how version numbers encode patch levels.
Oracle's patch terminology has been renamed twice, leaving DBAs confused about what to actually install. The legacy CPU/PSU/SPU naming gave way in 2018 to RU (Release Update) and RUR (Release Update Revision), but RUR was deprecated in January 2023 and replaced by MRP (Monthly Recommended Patch). As of May 2026, Oracle layered a new monthly security release, CSPU (Critical Security Patch Update), on top of the quarterly cadence. The practical takeaway: apply the latest RU each quarter, optionally add the newest MRP in between, and treat 'CPU' as the name of the quarterly security disclosure date rather than a separate patch to install.
For engineers, the key detail is that the version number itself encodes this history: in 19.26.0.0.0, the second digit is the RU level and the third is the now-defunct RUR level, always zero. Any guide still debating 'RU vs RUR' predates 2023 and is stale. Applying an MRP also doesn't change version_full, a detail that trips up teams expecting the version string to move.
On the mechanics side, nothing has changed: OPatch handles the binary, datapatch handles the often-forgotten SQL layer, and zero-downtime rollout relies on RAC rolling patching or Data Guard standby-first sequencing. Oracle's standing advice remains to stay current on RUs — falling three years behind isn't stability, it's accumulated unpatched risk that makes the eventual jump harder. The 2026 CSPU addition shortens the response time for critical vulnerabilities from quarterly to monthly for teams that want it, but it complements rather than replaces the quarterly RU program.