The email states that the CPU April 2005 patch set for the database server, versions 18.104.22.168 and 22.214.171.124, has been reported to leave the fixes for alert #65 incomplete.
The email goes on to say that if customers have already applied the patch for alert #65 first, then no action is required; if not, the alert #65 patch needs to be applied. It can be applied either before or after CPU April 2005 (don't you wish for a better naming convention?). If alert #65 is already applied, then a conflict will be shown.
So why is this? I guess it is because CPU April 2005 is supposed to be a cumulative patch for all previous fixes, so it looks like CPU April 2005 did not include some of the alert #65 fixes.
If you have applied CPU April 2005 and not alert #65, then you will be vulnerable, so take notice of these details.
Critical Patch Update - April 2005 has not been updated since April 13, so it does not yet reflect this information. Alert 65, Security Vulnerability in Oracle9i Application and Database Servers, has not been updated yet either.