If critical security issues are found and fixed between the schedules dates that one off patches and security alerts will be released through Metalink.
There is a FAQ available on metalink that describes the process in more details.
Stephen Kost of Integrigy Inc has said to me that he felt had thought this through to some degree and that a choice of Tuesdays for the release date makes sense and that a quarterly release schedule is similar to the add hoc few months between previous releases anyway. Stephen also said that he felt the choice to release one big patch for all products like with alert 68 is not good. A separation of releases per product would be clearer for all concerned and the separation of risk would be easier to do.
I agree with Stephen entirely that Tuesday is a good choice, well its better that Monday or Friday for instance. A quarterly schedule is also a good choice, I even suggested as much in a previous blog entry. It is better, much better than monthly on man power grounds alone. If customers had to patch monthly, most likely a good percentage would not do it.
The two key issues I feel that Oracle need to improve on are the issues of one big patch of all products with no separation - this could be improved and secondly the issue of lack of detailed information so that customers can make informed risk decisions. Related to this is the issue of lack of information on older releases such as version 7.x and 8.0.x. Oracles advice is always to upgrade but this is often very impractical for customers with a lot of older releases faced with a patch to add quickly. Customers using third party applications that need to keep older versions cannot simply upgrade or transfer to another customerís database.
This announcement is a very good step forward and I am glad that it looks like Mary Ann and her team have at least put some thought into it.